diff --git a/ChangeLog.md b/ChangeLog.md index 074c1e8..aa3fcfc 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -1,6 +1,27 @@ # ChangeLog -## Release 1.0.0 +## Release 2.0.1 + +April 2024 Update +Thank you @RomainPisters + - Fix from Issue #32 + +March 2024 Update +Thank you @MrSteve81 for the enhancements to this release! + - Improved 19.x section logic for Windows local user SIDs and HKU support. + - Reboot handler and logic Improvement with skip_reboot var feature. + - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26. + - Mislabeled control fix for win22cis_rule_18_9_7_2 + - Improved logic for win22cis_cloud_based_system 1.2.x controls. + +February 2024 Update +- Issues Addressed: + - [#27](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/27) - Thank you @SwaffelSmurf + - [#28](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/28) - Thank you @natilik-mikeguy + - [PR26](https://github.com/ansible-lockdown/Windows-2022-CIS/pull/26) - Thank you @ai13f + - Typo and bug fixes + +## Release 2.0.0 September 2023 - This Release is based on CIS Benchmark v2.0.0 diff --git a/LICENSE b/LICENSE index b023af9..744af4e 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 MindPoint Group / Lockdown Enterprise +Copyright (c) 2024 MindPoint Group / Lockdown Enterprise Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/defaults/main.yml b/defaults/main.yml index 938b7c5..435440b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -37,20 +37,11 @@ min_ansible_version: "2.10" # may fail in some cases. complexity_high: true -# Show "changed" for complex items not remediated per complexity-high setting -# to make them stand out. "changed" items on a second run of the role would -# indicate items requiring manual review. -audit_complex: true - # We've defined disruption-high to indicate items that are likely to cause # disruption in a normal workflow. These items can be remediated automatically # but are disabled by default to avoid disruption. disruption_high: false -# Show "changed" for disruptive items not remediated per disruption-high -# setting to make them stand out. -audit_disruptive: false - # Tweak role to run in a non-privileged container system_is_container: false 
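Review bot: `audit_complex` and `audit_disruptive` are dropped from defaults/main.yml together with their documentation, but the ChangeLog hunk in this same commit does not mention the removal, so anyone who set either variable in inventory gets no signal that it is now ignored. Add a ChangeLog line such as ` - Removed the audit_complex and audit_disruptive variables (no longer used)`. This assumes no task still references them; no usage is visible on this page, so that is worth a grep before merging.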
@@ -60,16 +51,23 @@ long_running: false # win_skip_for_test is used in the playbook to skip over WINRM-based controls that # may cause WINRM Basic Connection Type to be disabled. # Setting win_skip_for_test to 'false' will enable Secure Connection types only. -# win22cis_rule_2_3_1_4 -# win22cis_rule_9_3_5 -# win22cis_rule_18_10_89_1_1 -# win22cis_rule_18_10_89_1_2 -# win22cis_rule_18_10_89_2_1 -# win22cis_rule_18_10_89_2_2 -# win22cis_rule_18_10_89_2_3 -# win22cis_rule_18_10_90_1 +# win22cis_rule_2_2_25 - Breaks Local Admin Connection +# win22cis_rule_2_2_26 - Breaks Local Admin Connection +# win22cis_rule_2_3_1_4 - Rename default administrator account +# win22cis_rule_9_3_5 - Enables Firewall Public Rules *Breaks Reboot* +# win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth +# win22cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control. +# win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth +# win22cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM +# win22cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control. +# win22cis_rule_18_10_90_1 - Disables Remote Shell Access win_skip_for_test: true +# Changes will be made that will require a system reboot. +# The following option will allow whether or not to skip the reboot. +# Default: true +skip_reboot: true + # These variables correspond with the CIS Rule IDs defined in the CIS and allow you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the level1 and level2 group variables. You must enable an entire group # in order for the variables below to take effect. 
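Review bot: The `win_skip_for_test` comment list omits `win22cis_rule_2_2_20`, which the section02.yml hunk in this commit also gates on `not win_skip_for_test` and which the ChangeLog names alongside 2.2.25 and 2.2.26; add `# win22cis_rule_2_2_20 - <what it changes, phrased like the entries below>` so the documented list matches the code. The variable defaults to `true`, which means the WinRM basic-auth and unencrypted-traffic controls stay unapplied out of the box; the existing sentence implies this, but saying plainly that production runs should set it to `false` once a non-Basic WinRM transport is in place would help readers. The `skip_reboot` comment reads awkwardly; suggest `# Set to false to let tasks/post.yml reboot the host when a change requires it; when true only a warning is raised and the host stays pending reboot.`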
@@ -118,6 +116,8 @@ win22cis_rule_2_2_21: true win22cis_rule_2_2_22: true win22cis_rule_2_2_23: true win22cis_rule_2_2_24: true +# Setting win22cis_rule_2_2_25 and win22cis_rule_2_2_26 Control To True Will Break Ansible Connection +# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true. win22cis_rule_2_2_25: true win22cis_rule_2_2_26: true win22cis_rule_2_2_27: true @@ -355,7 +355,7 @@ win22cis_rule_18_9_5_4: true win22cis_rule_18_9_5_5: true win22cis_rule_18_9_5_6: true win22cis_rule_18_9_5_7: true -win22cis_rule_18_8_7_2: true +win22cis_rule_18_9_7_2: true win22cis_rule_18_9_13_1: true win22cis_rule_18_9_19_2: true win22cis_rule_18_9_19_3: true @@ -709,6 +709,18 @@ win22cis_public_firewall_log_size: 16384 # Section 18 Variables +# 18.3.5 +# win22cis_laps_password_length is the LAPS tool password length. +# The recommended state for this setting is: Enabled: 15 or more. +# Default: 15 +win22cis_laps_password_length: 15 + +# 18.3.6 +# win22cis_laps_password_age_days is the LAPS tool password age in days. +# The recommended state for this setting is: Enabled: 30 or fewer. +# Default: 30 +win22cis_laps_password_age_days: 30 + # 18.4.6 # win22cis_netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType # Options are a B-node value of 1, P-node value of 2, M-node value of 4, and H-node value of 8. P-node is the recommended setting from CIS diff --git a/handlers/main.yml b/handlers/main.yml index 0cb78d6..80d01dc 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,5 +1,7 @@ --- -- name: reboot_windows - ansible.windows.win_reboot: - reboot_timeout: 3600 +- name: change_requires_reboot + ansible.builtin.set_fact: + reboot_host: true + tags: + - always diff --git a/meta/main.yml b/meta/main.yml index ddc4dae..4dfa6b1 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,7 +1,7 @@ --- galaxy_info: - author: "George Nalen, Mark Bolwell, Stephen Williams, Frederick Witty Jr." + author: "Stephen Williams, Frederick Witty Jr." description: "Ansible role to apply Windows Server 2022 CIS Benchmark" company: "MindPoint Group" license: MIT diff --git a/tasks/main.yml b/tasks/main.yml index 07dfcb6..6c017d2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -95,7 +95,7 @@ ansible.builtin.import_tasks: file: section18.yml when: - - win22cis_section17 + - win22cis_section18 tags: - section18 diff --git a/tasks/post.yml b/tasks/post.yml new file mode 100644 index 0000000..4aa3351 --- /dev/null +++ b/tasks/post.yml @@ -0,0 +1,36 @@ +--- + +- name: "POST | Flush Handlers" + ansible.builtin.meta: flush_handlers + tags: + - always + +- name: "POST | Reboot System Options" + block: + - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False" + ansible.windows.win_reboot: + reboot_timeout: 3600 + when: + - reboot_host + - not skip_reboot + + - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set" + ansible.builtin.debug: + msg: + - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually." + - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results." + changed_when: true + when: + - reboot_host + - skip_reboot + + - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count" + ansible.builtin.import_tasks: + file: warning_facts.yml + when: + - reboot_host + - skip_reboot + vars: + warn_control_id: Reboot_Required + tags: + - always diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c19f64e..86c1044 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -30,6 +30,7 @@ ansible.builtin.set_fact: win22cis_cloud_based_system: true when: + - ansible_system_vendor == 'Microsoft Corporation' - ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or ansible_virtualization_type == 'kvm' 
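Review bot: The added `ansible_system_vendor == 'Microsoft Corporation'` condition is ANDed with the existing virtualization-type list, so a guest on AWS or another hvm/kvm provider (vendor is not Microsoft) no longer sets `win22cis_cloud_based_system`, while an on-premises Hyper-V guest (vendor Microsoft Corporation, type Hyper-V) still does. If the intent is Azure-only detection, the `hvm`/`kvm` alternatives are now dead code; if it is generic cloud detection, the vendor check is too narrow — either way the task deserves a comment stating which it is. This flag decides whether section01.yml's 1.2.x lockout tasks run or the section01_cloud_lockout_order.yml path is taken (see the section01.yml hunks in this commit), so a misclassified host silently gets the other lockout policy.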
@@ -49,3 +50,40 @@ windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" tags: - always + + +- name: PRELIM | Retrieve Default NTUSER and All Local User Hive Data + block: + - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile) + ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT + changed_when: false + failed_when: false + + - name: PRELIM | Pull All Username and SIDs + ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID } + changed_when: false + failed_when: false + register: all_users + + - name: PRELIM | Create Results List Fact For Username And SIDs + ansible.builtin.set_fact: + username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}" + + - name: PRELIM | Load All User Hives From Username And SIDs List + ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT + changed_when: false + failed_when: false + loop: "{{ username_and_sid_results_list }}" + + - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS + ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"} + changed_when: false + failed_when: false + register: current_users_loaded_hku + + - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS + ansible.builtin.set_fact: + hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}" + when: win22cis_section19 + tags: + - always diff --git a/tasks/section01.yml b/tasks/section01.yml index 91c4eef..97be351 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml 
@@ -155,10 +155,11 @@ - password - name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled." - community.windows.win_security_policy: - section: System Access - key: RelaxMinimumPasswordLengthLimits - value: 1 + ansible.windows.win_regedit: + path: HKLM:\System\CurrentControlSet\Control\SAM + name: RelaxMinimumPasswordLengthLimits + data: 1 + type: dword when: - win22cis_rule_1_1_6 tags: @@ -190,9 +191,7 @@ ansible.builtin.import_tasks: file: section01_cloud_lockout_order.yml when: - - win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - win22cis_cloud_based_system tags: - section01_cloud_lockout_order @@ -228,9 +227,7 @@ - win22cis_bad_login_lockout_count > 0 when: - win22cis_rule_1_2_2 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-domaincontroller - level1-memberserver @@ -245,9 +242,8 @@ value: "{{ win22cis_allow_admin_account_lockout }}" when: - win22cis_rule_1_2_3 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-memberserver - rule_1.2.3 @@ -284,9 +280,7 @@ - win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration when: - win22cis_rule_1_2_4 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-domaincontroller - level1-memberserver @@ -318,9 +312,7 @@ when: win22cis_account_lockout_duration >= 15 when: - win22cis_rule_1_2_1 - - not win22cis_cloud_based_system or - win2022cis_is_domain_controller or - win2022cis_is_domain_member + - not win22cis_cloud_based_system tags: - level1-domaincontroller - level1-memberserver 
diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml index dbb61ca..cae28b8 100644 --- a/tasks/section01_cloud_lockout_order.yml +++ b/tasks/section01_cloud_lockout_order.yml @@ -80,6 +80,7 @@ value: "{{ win22cis_allow_admin_account_lockout }}" when: - win22cis_rule_1_2_3 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_1.2.3 diff --git a/tasks/section02.yml b/tasks/section02.yml index 320e581..23e4f63 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -300,6 +300,7 @@ when: - win22cis_rule_2_2_20 - win2022cis_is_domain_controller + - not win_skip_for_test tags: - level1-domaincontroller - rule_2.2.20 @@ -378,6 +379,7 @@ when: - win22cis_rule_2_2_25 - win2022cis_is_domain_controller + - not win_skip_for_test tags: - level1-domaincontroller - rule_2.2.25 @@ -394,6 +396,7 @@ when: - win22cis_rule_2_2_26 - win2022cis_is_domain_member + - not win_skip_for_test tags: - level1-memberserver - rule_2.2.26 diff --git a/tasks/section05.yml b/tasks/section05.yml index 851548d..4c67efa 100644 --- a/tasks/section05.yml +++ b/tasks/section05.yml @@ -20,13 +20,13 @@ start_mode: disabled state: stopped when: spooler_service_info.exists - notify: reboot_windows + notify: change_requires_reboot when: - win22cis_rule_5_1 or win22cis_rule_5_2 tags: - level1-domaincontroller - - level2-domainmember + - level2-memberserver - rule_5.1 - rule_5.2 - patch diff --git a/tasks/section18.yml b/tasks/section18.yml index 41b076a..82cc641 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -159,7 +159,7 @@ - name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warning Check For Variable Standards | Member Server" ansible.builtin.debug: msg: - - "Warning!! You have an invalid password length set for win22cis_laps_password_length please read" + - "Warning!! You have an invalid Password Age Days set for win22cis_laps_password_age_days please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: win22cis_laps_password_age_days > 30 @@ -207,7 +207,7 @@ name: RpcAuthnLevelPrivacyEnabled data: 1 type: dword - notify: reboot_windows + notify: change_requires_reboot when: - win22cis_rule_18_4_2 tags: @@ -239,7 +239,7 @@ data: 0 type: dword state: present - notify: reboot_windows + notify: change_requires_reboot when: - win22cis_rule_18_4_4 tags: @@ -299,11 +299,11 @@ - name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon state: present - value: AutoAdminLogon + name: AutoAdminLogon data: 0 - datatype: string + type: string when: - win22cis_rule_18_5_1 tags: @@ -598,19 +598,18 @@ - patch - netbios -- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server" +- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast - data: 1 + data: 0 type: dword when: - win22cis_rule_18_6_4_3 - - win2022cis_is_domain_member tags: - - level1-domaincontroller - - level1-memberserver + - level1-corporate-enterprise-environment - rule_18.6.4.3 + - automated - patch - dns 
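Review bot: Replacing `level1-domaincontroller` and `level1-memberserver` with `level1-corporate-enterprise-environment` on 18.6.4.3 takes this control out of any run selected with the role's existing level tags; no other task on this page uses the new tag, so a `--tags level1-memberserver` run that used to apply EnableMulticast no longer does. The `data: 0` fix is correct for 'Turn off multicast name resolution' set to Enabled, but it only takes effect if the task is selected. Unless a new tag scheme is being introduced across the role, keep `- level1-domaincontroller` and `- level1-memberserver` in the tag list alongside it.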
@@ -931,13 +930,13 @@ ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers name: RedirectionguardPolicy - data: 2 + data: 1 type: dword when: - win22cis_rule_18_7_2 tags: - level1-domaincontroller - - level2-memberserver + - level1-memberserver - rule_18.7.2 - patch - printers @@ -952,7 +951,7 @@ - win22cis_rule_18_7_3 tags: - level1-domaincontroller - - level2-memberserver + - level1-memberserver - rule_18.7.3 - patch - printers @@ -967,7 +966,7 @@ - win22cis_rule_18_7_4 tags: - level1-domaincontroller - - level2-memberserver + - level1-memberserver - rule_18.7.4 - patch - printers @@ -982,7 +981,7 @@ - win22cis_rule_18_7_5 tags: - level1-domaincontroller - - level2-memberserver + - level1-memberserver - rule_18.7.5 - patch - printers @@ -1019,7 +1018,7 @@ - win22cis_rule_18_7_6 tags: - level1-domaincontroller - - level2-memberserver + - level1-memberserver - rule_18.7.6 - patch - printers @@ -1034,7 +1033,7 @@ - win22cis_rule_18_7_7 tags: - level1-domaincontroller - - level2-memberserver + - level1-memberserver - rule_18.7.7 - patch - printers @@ -1075,7 +1074,7 @@ ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint name: NoWarningNoElevationOnInstall - data: 1 + data: 0 type: dword when: - win22cis_rule_18_7_10 @@ -1090,7 +1089,7 @@ ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint name: UpdatePromptSettings - data: 1 + data: 0 type: dword when: - win22cis_rule_18_7_11 
@@ -1265,18 +1264,18 @@ - patch - vbs -- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled" +- name: "18.9.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata name: PreventDeviceMetadataFromNetwork data: 1 type: dword when: - - win22cis_rule_18_8_7_2 + - win22cis_rule_18_9_7_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.7.2 + - rule_18.9.7.2 - patch - metadata @@ -1978,7 +1977,7 @@ ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver name: Enabled - data: 1 + data: 0 type: dword when: - win22cis_rule_18_9_50_1_2 @@ -2740,6 +2739,7 @@ loop: - 26190899-1602-49e8-8b27-eb1d0a1ce869 - 3b576869-a4ec-4529-8536-b80a7769e899 + - 56a863a9-875e-4185-98a7-b882c64b5ce5 - 5beb7efe-fd9a-4556-801d-275e5ffc04cc - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c @@ -2809,7 +2809,7 @@ ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableRealtimeMonitoring - data: 1 + data: 0 datatype: dword when: - win22cis_rule_18_10_43_10_2 @@ -3384,20 +3384,6 @@ - patch - wik -- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: EnableUserControl - data: 0 - type: dword - when: - - win22cis_rule_18_10_81_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.10.81.1 - - patch - - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" block: - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards." 
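Review bot: `datatype: dword` on the 18.10.43.10.2 task (DisableRealtimeMonitoring) is left untouched while the 18.5.1 hunk earlier in this file normalises the same key to `type:`; the change to `data: 0` is the right value for 'Turn off real-time protection' set to Disabled, but if `datatype` is not accepted as an alias of `type` by the installed ansible.windows.win_regedit the task errors and the fix never lands. Suggest `type: dword` here for consistency with the rest of the file.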
@@ -3434,6 +3420,34 @@ - automated - patch +- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: EnableUserControl + data: 0 + type: dword + when: + - win22cis_rule_18_10_81_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.81.1 + - patch + +- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + when: + - win22cis_rule_18_10_81_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.81.2 + - patch + - name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer @@ -3453,7 +3467,7 @@ ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableMPR - data: 1 + data: 0 type: dword when: - win22cis_rule_18_10_82_1 @@ -3577,7 +3591,7 @@ ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig - data: 1 + data: 0 type: dword when: - win22cis_rule_18_10_89_2_2 @@ -3697,7 +3711,7 @@ - patch - winupdate -- name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" +- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled'" block: - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" ansible.windows.win_regedit: 
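Review bot: The block name for 18.10.93.4.1 becomes `Ensure 'Manage preview builds' is set to 'Disabled'`, but the inner task directly under it keeps `Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds`, and the ManagePreviewBuildsPolicyValue task in the next hunk presumably carries the same old wording; the names now contradict the value being written. Rename the inner tasks to match, e.g. `- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled' | ManagePreviewBuilds"`. The block's body continues past the end of this hunk.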
@@ -3710,7 +3724,7 @@ ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue - data: 0 + data: 1 type: dword when: - win22cis_rule_18_10_93_4_1 diff --git a/tasks/section19.yml b/tasks/section19.yml index 1138a71..0c6a872 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -1,20 +1,13 @@ --- - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - block: - - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string - - - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_1_3_1 tags: 
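Review bot: Every rewritten section-19 task now loops over `hku_loaded_list`, which only exists when the PRELIM block in tasks/prelim.yml ran (`when: win22cis_section19`) and, because that block's enumeration commands use `failed_when: false`, becomes an empty list when enumeration fails — so the whole of section 19 silently turns into no-ops instead of failing. Add one guard at the top of section19.yml, e.g. `- name: "19 | PRELIM | Assert loaded user hives were enumerated"` / `ansible.builtin.assert:` / `that: hku_loaded_list is defined and hku_loaded_list | length > 0`. The same point applies to the 19.1.3.2 through 19.7.42.2.1 hunks below. `notify: change_requires_reboot` on per-user policy keys also flags a reboot where, presumably, a logoff/logon is what applies them; with `skip_reboot` defaulting to true this raises the reboot warning on every section-19 change, so confirm that is intended.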
@@ -25,20 +18,13 @@ - screensaver - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - block: - - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string - - - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_1_3_2 tags: @@ -70,23 +56,12 @@ - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: "{{ win22cis_screen_saver_timeout }}" - type: string - when: - - win22cis_screen_saver_timeout > 0 - - win22cis_screen_saver_timeout <= 900 - - - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: "{{ win22cis_screen_saver_timeout }}" type: string - when: - - win22cis_screen_saver_timeout > 0 - - win22cis_screen_saver_timeout <= 900 + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_1_3_3 tags: 
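Review bot: The 19.1.3.3 rewrite drops the `win22cis_screen_saver_timeout > 0` and `<= 900` conditions that guarded both old tasks, so an out-of-range value (0, or above 900) is now written to every loaded hive unchecked. Unless a warning or assert task in the enclosing block outside this hunk covers it, restore the guard on the new task by adding `- win22cis_screen_saver_timeout > 0` and `- win22cis_screen_saver_timeout <= 900` to the existing `when:` list next to `win22cis_rule_19_1_3_3`. The enclosing task for 19.1.3.3 may begin before this hunk.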
@@ -97,20 +72,13 @@ - screensaver - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - block: - - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword - - - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_5_1_1 tags: @@ -121,20 +89,13 @@ - toast - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - block: - - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword - - - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_6_6_1_1 tags: 
@@ -145,20 +106,13 @@ - help - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - block: - - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword - - - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_4_1 tags: @@ -169,20 +123,13 @@ - attachments - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - block: - - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword - - - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_4_2 tags: 
@@ -193,20 +140,13 @@ - antivirus - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - block: - - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword - - - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_1 tags: @@ -217,20 +157,13 @@ - cloudcontent - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - block: - - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword - - - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_2 tags: 
@@ -241,20 +174,13 @@ - cloudcontent - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - block: - - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword - - - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_3 tags: @@ -265,20 +191,13 @@ - cloudcontent - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - block: - - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword - - - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_4 tags: 
@@ -289,20 +208,13 @@ - cloudcontent - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" - block: - - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableSpotlightCollectionOnDesktop - data: 1 - type: dword - - - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableSpotlightCollectionOnDesktop - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent + name: DisableSpotlightCollectionOnDesktop + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_7_5 tags: @@ -313,20 +225,13 @@ - cloudcontent - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - block: - - name: "19.7.25.1| PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword - - - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_25_1 tags: 
@@ -338,20 +243,13 @@ - sharing - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - block: - - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword - - - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_40_1 tags: @@ -362,20 +260,13 @@ - permissions - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - block: - - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - ansible.windows.win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword - - - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" - ansible.windows.win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + ansible.windows.win_regedit: + path: HKU:\{{ item }}\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword + loop: "{{ hku_loaded_list }}" + notify: change_requires_reboot when: - win22cis_rule_19_7_42_2_1 tags: diff --git a/vars/main.yml b/vars/main.yml index 51f62e8..40755de 100644 --- a/vars/main.yml +++ b/vars/main.yml 
@@ -17,3 +17,7 @@ win22cis_cloud_based_system: false
 win2022cis_is_standalone: false
 win2022cis_is_domain_controller: false
 win2022cis_is_domain_member: false
+
+# Default setting, this should not be changed
+# and is overridden if a task that changed sets the value if required.
+reboot_host: false
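Review bot: The comment on `reboot_host` is hard to parse (`and is overridden if a task that changed sets the value if required`). Suggest `# Default only. The change_requires_reboot handler sets this to true via set_fact and tasks/post.yml acts on it; do not override.` Since this sits in vars/main.yml, role vars take precedence over inventory and defaults while `set_fact` still wins over them, so the flag cannot be flipped from inventory by accident — that matches the stated intent and is worth saying in the comment.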