diff --git a/defaults/main.yml b/defaults/main.yml
index 3a73cc4..8dbc121 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -647,6 +647,15 @@ win19cis_cached_logons_count: 1
 # The recommended state for this setting is: between 5 and 14 days.
 win19cis_password_expiry_warning_days: 14
 
+# 2.3.7.9
+# win19cis_sc_remove_option is the setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.
+# Note: Possible Valid Settings
+# 1 - Lock Workstation
+# 2 - Force Loggoff
+# 3 - Disconnect if a Remote Desktop Services session
+# Default: 1
+win19cis_sc_remove_option: 1
+
 # 2.3.9.1
 # win19cis_smb_auto_disconnect_time is the policy setting that allows you to specify the amount of continuous idle time that must pass in an
 # SMB session before the session is suspended because of inactivity.
diff --git a/tasks/section02.yml b/tasks/section02.yml
index b28a756..8ed8e6b 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
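Review bot: The new help comment for `win19cis_sc_remove_option` has two wording slips that operators will read when choosing a value: `# win19cis_sc_remove_option is the setting determines what happens ...` should read `# win19cis_sc_remove_option is the setting that determines what happens ...`, and `# 2 - Force Loggoff` should read `# 2 - Force Logoff`. The comment also does not say what happens for values outside the listed set, which the section02.yml task in this same change treats as invalid; adding `# Values outside 1-3 (including 0) raise a warning and the registry value is left unchanged.` under the `Default: 1` line would make the contract explicit without readers having to open the task file.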
@@ -1316,12 +1316,35 @@ - patch - logon -- name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" - ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ScRemoveOption - data: 1 - type: string +- name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher." + block: + - name: "2.3.7.9 | AUDIT | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win19cis_sc_remove_option. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win19cis_sc_remove_option == 0 or + win19cis_sc_remove_option > 3 + + - name: "2.3.7.9 | AUDIT | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.7.9' + when: + - win19cis_sc_remove_option == 0 or + win19cis_sc_remove_option > 3 + + - name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher | Apply Settings To Registry." + ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ScRemoveOption + data: "{{ win19cis_sc_remove_option }}" + type: string + when: + - win19cis_sc_remove_option >= 1 + - win19cis_sc_remove_option <= 3 when: - win19cis_rule_2_3_7_9 tags: 
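Review bot: The invalid-value guards on both AUDIT tasks only fire for `== 0` or `> 3`, so a negative value (any value below 1 that is not exactly 0) is neither reported nor written: it fails the warning `when` and also fails the `>= 1` guard on the Apply Settings To Registry task, leaving ScRemoveOption silently at whatever it was, which for this control may be a non-compliant setting. Change both guards to `- win19cis_sc_remove_option < 1 or` / `win19cis_sc_remove_option > 3` so the warning is the exact complement of the apply condition. If the variable can arrive as a string (extra-vars passed as `-e key=value` are strings in Ansible), the ordered comparisons against integers may raise a Jinja2 type error instead of warning; applying `| int` in each of the three `when` conditions would make the check robust to that, though confirm how the role expects the variable to be supplied. The enclosing task's `tags:` list continues outside the hunk.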
@@ -1457,7 +1480,7 @@ - name: "2.3.9.5 | AUDIT | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher. | Warning Check For Variable Standards. | MS Only" ansible.builtin.debug: msg: - - "Warning!! You have an invalid number variable set for win10cis_smb_server_name_hardening_level. Please read" + - "Warning!! You have an invalid number variable set for win19cis_smb_server_name_hardening_level. Please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - win19cis_smb_server_name_hardening_level == 0 or diff --git a/tasks/section09.yml b/tasks/section09.yml index 5da8cf1..eeee362 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml @@ -422,7 +422,7 @@ warn_control_id: '9.3.8' when: win19cis_public_firewall_log_size < 16384 - - name: Apply Settings To Registry." + - name: "9.3.8 | PATCH | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Apply Settings To Registry." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging name: LogFileSize