diff --git a/ChangeLog.md b/ChangeLog.md
index e26575b..cae20ec 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -2,6 +2,14 @@
 ## Release 2.0.1
+December 2024 Update
+- Fixed title for 18.9.27.1
+- Issue Addressed:
+  - [#106](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/105) - Thanks @animatco
+  - [#104](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/104) - Thanks @devallan
+  - [#103](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/103) - Thanks @Crombell95
+  - [#101](https://github.com/ansible-lockdown/Windows-2019-CIS/issues/101) - Thanks @dennisharder-alight
+
 June 2024 Update
 - Issue Addressed:
   - [#101] (https://github.com/ansible-lockdown/Windows-2019-CIS/issues/101) - Thank you @dennisharder-alight
diff --git a/tasks/section01.yml b/tasks/section01.yml
index e793fd1..45a79d8 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -109,6 +109,19 @@
     - patch
     - password
+- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
+  community.windows.win_security_policy:
+    section: System Access
+    key: RelaxMinimumPasswordLengthLimits
+    value: 1
+  when:
+    - win19cis_rule_1_1_6
+  tags:
+    - level1-memberserver
+    - rule_1.1.6
+    - patch
+    - password
+
 - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters"
   block:
     - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards."
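Review bot: The 1.1.6 task added in the section01.yml hunk now sits ahead of 1.1.4, out of numeric order, and nothing in the file says why, so a later tidy-up could move it back and silently undo the change. Presumably the relaxation has to be applied before 1.1.4 raises the minimum password length; a comment above the task such as `# 1.1.6 is intentionally placed before 1.1.4: the relaxed length limit must be in effect before the minimum length is set` would record that. The 1.1.4 block that follows continues outside the hunk.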
@@ -154,19 +167,6 @@
     - patch
     - password
-- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
-  community.windows.win_security_policy:
-    section: System Access
-    key: RelaxMinimumPasswordLengthLimits
-    value: 1
-  when:
-    - win19cis_rule_1_1_6
-  tags:
-    - level1-memberserver
-    - rule_1.1.6
-    - patch
-    - password
-
 # We have found the order of tasks varies between cloud-based instances and VM-based instances.
 # The task below loads the control group in the correct order for cloud-based systems
 - name:
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 6b4063d..2508421 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
@@ -862,7 +862,7 @@
     - win19cis_rule_2_3_1_5
   tags:
     - level1-domaincontroller
-    - level1-memberservers
+    - level1-memberserver
     - rule_2.3.1.5
     - patch
     - securitypolicy
@@ -1618,11 +1618,49 @@
     - patch
 - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
-  ansible.windows.win_regedit:
-    path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
-    name: "Machine"
-    data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog']
-    type: multistring
+  block:
+    - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Set Fact"
+      ansible.builtin.set_fact:
+        rule_2_3_10_9_remote_registry_paths: [
+          'System\CurrentControlSet\Control\Print\Printers',
+          'System\CurrentControlSet\Services\Eventlog',
+          'Software\Microsoft\OLAP Server',
+          'Software\Microsoft\Windows NT\CurrentVersion\Print',
+          'Software\Microsoft\Windows NT\CurrentVersion\Windows',
+          'System\CurrentControlSet\Control\ContentIndex',
+          'System\CurrentControlSet\Control\Terminal Server',
+          'System\CurrentControlSet\Control\Terminal Server\UserConfig',
+          'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
+          'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
+          'System\CurrentControlSet\Services\SysmonLog'
+        ]
+
+    - name: "2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if AD Certificate Services feature is installed."
+      community.windows.win_feature_info:
+        name: AD-Certificate
+      register: rule_2_3_10_9_adcs_feature
+
+    - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add CertSvc to paths."
+      ansible.builtin.set_fact:
+        rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
+      when: rule_2_3_10_9_adcs_feature.features[0].installed
+
+    - name: 2.3.10.9 | AUDIT | Configure Network access Remotely accessible registry paths and sub-paths | Check if WINS feature is installed."
+      community.windows.win_feature_info:
+        name: WINS
+      register: rule_2_3_10_9_wins_feature
+
+    - name: 2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Add WINS to paths."
+      ansible.builtin.set_fact:
+        rule_2_3_10_9_remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
+      when: rule_2_3_10_9_wins_feature.features[0].installed
+
+    - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths | Apply "
+      ansible.windows.win_regedit:
+        path: HKLM:\SYSTEM\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
+        name: "Machine"
+        data: '{{ rule_2_3_10_9_remote_registry_paths }}'
+        type: multistring
   when:
     - win19cis_rule_2_3_10_9
   tags:
diff --git a/tasks/section18.yml b/tasks/section18.yml
index d643a6f..a9b0387 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -1605,7 +1605,7 @@
     - rule_18.9.26.1
     - patch
-- name: "18.9.17.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
+- name: "18.9.27.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled"
   ansible.windows.win_regedit:
     path: HKLM:\Software\Policies\Microsoft\Windows\System
     name: BlockUserFromShowingAccountDetailsOnSignin
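Review bot: The two "Add … to paths" set_fact tasks in the section02.yml 2.3.10.9 hunk reference `remote_registry_paths`, which is never defined; the fact created by the Set Fact task is `rule_2_3_10_9_remote_registry_paths`, so on any host where AD-Certificate or WINS is installed the block fails with an undefined-variable error instead of adding the path to the allowed list. Both expressions should read `rule_2_3_10_9_remote_registry_paths: "{{ rule_2_3_10_9_remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"` (and the WINS equivalent). The three middle task names are unquoted plain scalars that end in a stray `"` while the first and last are quoted; quoting them the same way keeps the task output consistent. The `features[0].installed` conditions presumably assume win_feature_info always returns one entry for a known feature name; if it can return an empty list, a guard such as `when: rule_2_3_10_9_adcs_feature.features | length > 0 and rule_2_3_10_9_adcs_feature.features[0].installed` would avoid an index error. The enclosing task's tags list continues outside the hunk.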