From 798236851a265d4850ff35981484fe88bcaf2c9a Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Mon, 25 Mar 2024 16:56:00 -0400
Subject: [PATCH 1/4] Update control 1.1.6
Signed-off-by: Mathieu Fortin
Signed-off-by: fortinm
---
tasks/section01.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 1d9aa7b..97be351 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -155,10 +155,11 @@
- password
- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
- community.windows.win_security_policy:
- section: System Access
- key: RelaxMinimumPasswordLengthLimits
- value: 1
+ ansible.windows.win_regedit:
+ path: HKLM:\System\CurrentControlSet\Control\SAM
+ name: RelaxMinimumPasswordLengthLimits
+ data: 1
+ type: dword
when:
- win22cis_rule_1_1_6
tags:
From 46b2fb7ab3cce8dcd2f198bba6ef7ff148ff84de Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Tue, 26 Mar 2024 14:20:08 -0400
Subject: [PATCH 2/4] Fixing controls stated in issue 38
Signed-off-by: fortinm
---
tasks/section18.yml | 61 +++++++++++++++++++++++++++------------------
1 file changed, 37 insertions(+), 24 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 619f84b..1b3f9c5 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -301,9 +301,9 @@
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
state: present
- value: AutoAdminLogon
+ name: AutoAdminLogon
data: 0
- datatype: string
+ type: string
when:
- win22cis_rule_18_5_1
tags:
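Review bot: `data: 0` on the AutoAdminLogon line is a plain YAML integer while the line after it declares `type: string`, so the module receives an int and has to coerce it to the REG_SZ text "0"; quoting it, `data: "0"`, makes the stored type explicit and stops yamllint or any schema check from reading it as a number. The renamed keys `name:` and `type:` are the parameters win_regedit actually accepts, so the old `value:`/`datatype:` spelling would have failed argument validation — presumably this task never ran before, which is worth a line in the commit message. This task only switches AutoAdminLogon off; if the same Winlogon key still holds a DefaultPassword value from an earlier autologon setup it is left in place, so a companion task removing it may be wanted if that is in scope for 18.5.1.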
@@ -598,19 +598,18 @@
- patch
- netbios
-- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"
+- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
name: EnableMulticast
- data: 0
+ data: 1
type: dword
when:
- win22cis_rule_18_6_4_3
- - win2022cis_is_domain_member
tags:
- - level1-domaincontroller
- - level1-memberserver
+ - level1-corporate-enterprise-environment
- rule_18.6.4.3
+ - automated
- patch
- dns
@@ -3385,20 +3384,6 @@
- patch
- wik
-- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
- ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: EnableUserControl
- data: 0
- type: dword
- when:
- - win22cis_rule_18_10_81_1
- tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.10.81.1
- - patch
-
- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
block:
- name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
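Review bot: `data: 1` for EnableMulticast contradicts the task name a few lines above it: 'Turn off multicast name resolution' set to Enabled is EnableMulticast = 0, and 1 leaves LLMNR active, which is exactly the state the control exists to remove. The last patch in this series sets it back to 0, so the series ends in the right state, but this commit on its own weakens the control and should be squashed with that fix rather than left as a broken intermediate revision. The replacement tag `level1-corporate-enterprise-environment` also departs from the `level1-domaincontroller`/`level1-memberserver` pair every other task in this patch carries, so a run limited to either of those tags now skips this rule; keep `- level1-domaincontroller` and `- level1-memberserver` alongside the new tag unless the tag scheme is changing file-wide. Dropping `win2022cis_is_domain_member` from `when:` widens the task to domain controllers, which matches the new title but is not mentioned in the commit message.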
@@ -3435,6 +3420,34 @@
- automated
- patch
+- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
+ ansible.windows.win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: EnableUserControl
+ data: 0
+ type: dword
+ when:
+ - win22cis_rule_18_10_81_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.10.81.1
+ - patch
+
+- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+ ansible.windows.win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: AlwaysInstallElevated
+ data: 0
+ type: dword
+ when:
+ - win22cis_rule_18_10_81_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.10.81.2
+ - patch
+
- name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
@@ -3454,7 +3467,7 @@
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
name: EnableMPR
- data: 1
+ data: 0
type: dword
when:
- win22cis_rule_18_10_82_1
@@ -3698,7 +3711,7 @@
- patch
- winupdate
-- name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds"
+- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled'"
block:
- name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
ansible.windows.win_regedit:
@@ -3711,7 +3724,7 @@
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: ManagePreviewBuildsPolicyValue
- data: 0
+ data: 1
type: dword
when:
- win22cis_rule_18_10_93_4_1
From 6739706fbecc8b977809646f7afb43ee625de059 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Tue, 26 Mar 2024 14:21:02 -0400
Subject: [PATCH 3/4] revert
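Review bot: The new 18.10.81.2 task writes `AlwaysInstallElevated` = 0 only under the HKLM Installer policy path; that policy is only neutralised when the HKCU counterpart is also 0 or absent, so this machine-level write by itself does not establish the control — presumably a user-configuration task elsewhere in the role covers the HKCU side, but nothing in this hunk shows it and it is worth confirming in the same change. The 18.10.81.1 block is moved here unchanged from its previous position (the deletion at -3385), so it adds no new behaviour, and both tasks keep the `level1-domaincontroller`/`level1-memberserver` tag pair used by the neighbouring 18.10.81.3 task.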
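Review bot: With `ManagePreviewBuildsPolicyValue` changed to 1, the inner sub-task name shown in the -3698 hunk still reads "is set to Enabled Disable preview builds" while the block's outer name was reworded there to 'Manage preview builds' is set to 'Disabled'; the sub-task this hunk edits is presumably titled the same way (its name line sits just above the hunk), so rename both inner tasks to match, e.g. `- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled' | ManagePreviewBuildsPolicyValue"`. The sibling sub-task that writes `ManagePreviewBuilds` lies between the two hunks and is not visible here, so whether its value still agrees with the new meaning of this one should be checked in the same change. The block opens in the earlier hunk and this hunk ends inside it.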
Signed-off-by: fortinm
---
tasks/section01.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 97be351..1d9aa7b 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -155,11 +155,10 @@
- password
- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
- ansible.windows.win_regedit:
- path: HKLM:\System\CurrentControlSet\Control\SAM
- name: RelaxMinimumPasswordLengthLimits
- data: 1
- type: dword
+ community.windows.win_security_policy:
+ section: System Access
+ key: RelaxMinimumPasswordLengthLimits
+ value: 1
when:
- win22cis_rule_1_1_6
tags:
From 4f7d4ba1917216f3b915eb5224802f03f64b3cb4 Mon Sep 17 00:00:00 2001
From: Math Fortin
Date: Tue, 26 Mar 2024 16:46:41 -0400
Subject: [PATCH 4/4] Update section18.yml
Signed-off-by: Math Fortin
Signed-off-by: fortinm
---
tasks/section18.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 1b3f9c5..2837ad6 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -602,7 +602,7 @@
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
name: EnableMulticast
- data: 1
+ data: 0
type: dword
when:
- win22cis_rule_18_6_4_3