ansible-lockdown · mfortin · Feb 20, 2024 · Feb 21, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,6 +1,27 @@
 # ChangeLog
 
-## Release 1.0.0
+## Release 2.0.1
+
+April 2024 Update
+Thank you @RomainPisters
+    - Fix from Issue #32
+
+March 2024 Update
+Thank you @MrSteve81 for the enhancements to this release!
+    - Improved 19.x section logic for Windows local user SIDs and HKU support.
+    - Reboot handler and logic Improvement with skip_reboot var feature.
+    - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26.
+    - Mislabeled control fix for win22cis_rule_18_9_7_2
+    - Improved logic for win22cis_cloud_based_system 1.2.x controls.
+
+February 2024 Update
+- Issues Addressed:
+    - [#27](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/27) - Thank you @SwaffelSmurf
+    - [#28](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/28) - Thank you @natilik-mikeguy
+    - [PR26](https://github.com/ansible-lockdown/Windows-2022-CIS/pull/26) - Thank you @ai13f
+    - Typo and bug fixes
+
+## Release 2.0.0
 
 September 2023
 - This Release is based on CIS Benchmark v2.0.0

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 MindPoint Group / Lockdown Enterprise
+Copyright (c) 2024 MindPoint Group / Lockdown Enterprise
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -37,20 +37,11 @@ min_ansible_version: "2.10"
 # may fail in some cases.
 complexity_high: true
 
-# Show "changed" for complex items not remediated per complexity-high setting
-# to make them stand out.  "changed" items on a second run of the role would
-# indicate items requiring manual review.
-audit_complex: true
-
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow. These items can be remediated automatically
 # but are disabled by default to avoid disruption.
 disruption_high: false
 
-# Show "changed" for disruptive items not remediated per disruption-high
-# setting to make them stand out.
-audit_disruptive: false
-
 # Tweak role to run in a non-privileged container
 system_is_container: false
 
@@ -60,16 +51,23 @@ long_running: false
 # win_skip_for_test is used in the playbook to skip over WINRM-based controls that
 # may cause WINRM Basic Connection Type to be disabled.
 # Setting win_skip_for_test to 'false' will enable Secure Connection types only.
-# win22cis_rule_2_3_1_4
-# win22cis_rule_9_3_5
-# win22cis_rule_18_10_89_1_1
-# win22cis_rule_18_10_89_1_2
-# win22cis_rule_18_10_89_2_1
-# win22cis_rule_18_10_89_2_2
-# win22cis_rule_18_10_89_2_3
-# win22cis_rule_18_10_90_1
+# win22cis_rule_2_2_25 - Breaks Local Admin Connection
+# win22cis_rule_2_2_26 - Breaks Local Admin Connection
+# win22cis_rule_2_3_1_4 - Rename default administrator account
+# win22cis_rule_9_3_5 - Enables Firewall Public Rules *Breaks Reboot*
+# win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth
+# win22cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
+# win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth
+# win22cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM
+# win22cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
+# win22cis_rule_18_10_90_1 - Disables Remote Shell Access
 win_skip_for_test: true
 
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 # These variables correspond with the CIS Rule IDs defined in the CIS and allow you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the level1 and level2 group variables. You must enable an entire group
 # in order for the variables below to take effect.
@@ -118,6 +116,8 @@ win22cis_rule_2_2_21: true
 win22cis_rule_2_2_22: true
 win22cis_rule_2_2_23: true
 win22cis_rule_2_2_24: true
+# Setting win22cis_rule_2_2_25 and win22cis_rule_2_2_26 Control To True Will Break Ansible Connection
+# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true.
 win22cis_rule_2_2_25: true
 win22cis_rule_2_2_26: true
 win22cis_rule_2_2_27: true
@@ -355,7 +355,7 @@ win22cis_rule_18_9_5_4: true
 win22cis_rule_18_9_5_5: true
 win22cis_rule_18_9_5_6: true
 win22cis_rule_18_9_5_7: true
-win22cis_rule_18_8_7_2: true
+win22cis_rule_18_9_7_2: true
 win22cis_rule_18_9_13_1: true
 win22cis_rule_18_9_19_2: true
 win22cis_rule_18_9_19_3: true
@@ -709,6 +709,18 @@ win22cis_public_firewall_log_size: 16384
 
 # Section 18 Variables
 
+# 18.3.5
+# win22cis_laps_password_length is the LAPS tool password length.
+# The recommended state for this setting is: Enabled: 15 or more.
+# Default: 15
+win22cis_laps_password_length: 15
+
+# 18.3.6
+# win22cis_laps_password_age_days is the LAPS tool password age in days.
+# The recommended state for this setting is: Enabled: 30 or fewer.
+# Default: 30
+win22cis_laps_password_age_days: 30
+
 # 18.4.6
 # win22cis_netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType
 # Options are a B-node value of 1, P-node value of 2, M-node value of 4, and H-node value of 8. P-node is the recommended setting from CIS

diff --git a/handlers/main.yml b/handlers/main.yml
@@ -1,5 +1,7 @@
 ---
 
-- name: reboot_windows
-  ansible.windows.win_reboot:
-      reboot_timeout: 3600
+- name: change_requires_reboot
+  ansible.builtin.set_fact:
+      reboot_host: true
+  tags:
+      - always
diff --git a/meta/main.yml b/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 
 galaxy_info:
-    author: "George Nalen, Mark Bolwell, Stephen Williams, Frederick Witty Jr."
+    author: "Stephen Williams, Frederick Witty Jr."
     description: "Ansible role to apply Windows Server 2022 CIS Benchmark"
     company: "MindPoint Group"
     license: MIT

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -95,7 +95,7 @@
   ansible.builtin.import_tasks:
       file: section18.yml
   when:
-      - win22cis_section17
+      - win22cis_section18
   tags:
       - section18
 

diff --git a/tasks/post.yml b/tasks/post.yml
@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+  ansible.builtin.meta: flush_handlers
+  tags:
+      - always
+
+- name: "POST | Reboot System Options"
+  block:
+      - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+        ansible.windows.win_reboot:
+            reboot_timeout: 3600
+        when:
+            - reboot_host
+            - not skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+        ansible.builtin.debug:
+            msg:
+                - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+                - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+        changed_when: true
+        when:
+            - reboot_host
+            - skip_reboot
+
+      - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
+        when:
+            - reboot_host
+            - skip_reboot
+  vars:
+      warn_control_id: Reboot_Required
+  tags:
+      - always
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
@@ -30,6 +30,7 @@
   ansible.builtin.set_fact:
       win22cis_cloud_based_system: true
   when:
+      - ansible_system_vendor == 'Microsoft Corporation'
       - ansible_virtualization_type == 'Hyper-V' or
         ansible_virtualization_type == 'hvm' or
         ansible_virtualization_type == 'kvm'
@@ -49,3 +50,40 @@
       windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
   tags:
       - always
+
+
+- name: PRELIM | Retrieve Default NTUSER and All Local User Hive Data
+  block:
+      - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
+        ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+
+      - name: PRELIM | Pull All Username and SIDs
+        ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
+        changed_when: false
+        failed_when: false
+        register: all_users
+
+      - name: PRELIM | Create Results List Fact For Username And SIDs
+        ansible.builtin.set_fact:
+            username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
+
+      - name: PRELIM | Load All User Hives From Username And SIDs List
+        ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
+        changed_when: false
+        failed_when: false
+        loop: "{{ username_and_sid_results_list }}"
+
+      - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
+        ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
+        changed_when: false
+        failed_when: false
+        register: current_users_loaded_hku
+
+      - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
+        ansible.builtin.set_fact:
+            hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
+  when: win22cis_section19
+  tags:
+      - always
diff --git a/tasks/section01.yml b/tasks/section01.yml
@@ -155,10 +155,11 @@
       - password
 
 - name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
-  community.windows.win_security_policy:
-      section: System Access
-      key: RelaxMinimumPasswordLengthLimits
-      value: 1
+  ansible.windows.win_regedit:
+      path: HKLM:\System\CurrentControlSet\Control\SAM
+      name: RelaxMinimumPasswordLengthLimits
+      data: 1
+      type: dword
   when:
       - win22cis_rule_1_1_6
   tags:
@@ -190,9 +191,7 @@
   ansible.builtin.import_tasks:
       file: section01_cloud_lockout_order.yml
   when:
-      - win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - win22cis_cloud_based_system
   tags:
       - section01_cloud_lockout_order
 
@@ -228,9 +227,7 @@
             - win22cis_bad_login_lockout_count > 0
   when:
       - win22cis_rule_1_2_2
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -245,9 +242,8 @@
       value: "{{ win22cis_allow_admin_account_lockout }}"
   when:
       - win22cis_rule_1_2_3
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-memberserver
       - rule_1.2.3
@@ -284,9 +280,7 @@
             - win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration
   when:
       - win22cis_rule_1_2_4
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -318,9 +312,7 @@
         when: win22cis_account_lockout_duration >= 15
   when:
       - win22cis_rule_1_2_1
-      - not win22cis_cloud_based_system or
-        win2022cis_is_domain_controller or
-        win2022cis_is_domain_member
+      - not win22cis_cloud_based_system
   tags:
       - level1-domaincontroller
       - level1-memberserver

diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml
@@ -80,6 +80,7 @@
       value: "{{ win22cis_allow_admin_account_lockout }}"
   when:
       - win22cis_rule_1_2_3
+      - win2022cis_is_domain_member
   tags:
       - level1-memberserver
       - rule_1.2.3

diff --git a/tasks/section02.yml b/tasks/section02.yml
@@ -300,6 +300,7 @@
   when:
       - win22cis_rule_2_2_20
       - win2022cis_is_domain_controller
+      - not win_skip_for_test
   tags:
       - level1-domaincontroller
       - rule_2.2.20
@@ -378,6 +379,7 @@
   when:
       - win22cis_rule_2_2_25
       - win2022cis_is_domain_controller
+      - not win_skip_for_test
   tags:
       - level1-domaincontroller
       - rule_2.2.25
@@ -394,6 +396,7 @@
   when:
       - win22cis_rule_2_2_26
       - win2022cis_is_domain_member
+      - not win_skip_for_test
   tags:
       - level1-memberserver
       - rule_2.2.26

diff --git a/tasks/section05.yml b/tasks/section05.yml
@@ -20,13 +20,13 @@
             start_mode: disabled
             state: stopped
         when: spooler_service_info.exists
-  notify: reboot_windows
+  notify: change_requires_reboot
   when:
       - win22cis_rule_5_1 or
         win22cis_rule_5_2
   tags:
       - level1-domaincontroller
-      - level2-domainmember
+      - level2-memberserver
       - rule_5.1
       - rule_5.2
       - patch