diff --git a/.ansible-lint b/.ansible-lint index 20da51a..47f63b5 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,22 +1,23 @@ --- + parseable: true quiet: true skip_list: - 'schema' - 'no-changed-when' - - 'var-spacing' - - 'fqcn-builtins' - 'experimental' - - 'name[play]' - 'name[casing]' - 'name[template]' - - 'fqcn[action]' + - 'jinja[spacing]' + - 'yaml[line-length]' + - 'key-order[task]' + - 'var-naming' # Older playbook no new release - '204' + - '208' - '305' - '303' - '403' - '306' - '602' - - '208' use_default_rules: true verbosity: 0 diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 1c05e6c..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null @@ -1,40 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -# Describe the Issue - -A clear and concise description of what the bug is. - -## Expected Behavior - -A clear and concise description of what you expected to happen. - -## Actual Behavior** - -A clear and concise description of what's happening. - -## Control(s) Affected - -What controls are being affected by the issue - -## Environment (please complete the following information) - -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Target server details: [e.g. Windows2016 datacenter] -- Additional Details: - -## Additional Notes - -Anything additional goes here - -## Possible Solution - -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index 58542d9..0000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null 
@@ -1,25 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -# Feature Request or Enhancement - -- Feature [] -- Enhancement [] - -## Summary of Request - -A clear and concise description of what you want to happen. - -## Describe alternatives you've considered - -A clear and concise description of any alternative solutions or features you've considered. - -## Suggested Code - -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index 9465964..0000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -# Question - -Pose question here. - -## Environment (please complete the following information) - -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 66d2eae..0000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,15 +0,0 @@ -# Overall Review of Changes - -A general description of the changes made that are being requested for merge - -## Issue Fixes - -Please list (using linking) any open issues this PR addresses - -## Enhancements - -Please list any enhancements/features that are not open issue tickets - -## How has this been tested? - -Please give an overview of how these changes were tested. If they were not please use N/A diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 0000000..44fbd8c --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,143 @@ +--- + +# This is a basic workflow to help you get started with Actions + +name: Devel Pipeline Validation + +# Controls when the action will run. +# Triggers the workflow on push or pull request +# events but only for the devel branch +on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - devel + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +# This section contains all the jobs below that are running in the workflow. +jobs: + # This will create messages for the first time contributors and direct them to the Discord server + welcome: + # The type of runner that the job will run on. + runs-on: ubuntu-latest + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well. + + # This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance. + playbook-test: + # The type of runner that the job will run on. + runs-on: ubuntu-latest + + env: + ENABLE_DEBUG: false + # Imported as a variable by terraform. + TF_VAR_repository: ${{ github.event.repository.name }} + ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }} + WIN_USERNAME: ${{ secrets.WIN_USERNAME }} + WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} + + defaults: + run: + shell: bash + working-directory: .github/workflows/github_windows_IaC + + # Steps represent a sequence of tasks that will be executed as part of the job. 
+ steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it. + - name: Clone ${{ github.event.repository.name }} + uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Pull In Terraform Code For Windows Azure + - name: Clone github IaC plan + uses: actions/checkout@v3 + with: + repository: ansible-lockdown/github_windows_IaC + path: .github/workflows/github_windows_IaC + + # Sensitive Data Stored And Passed To Terraform + # Default Working Dir Defined In Defaults Above. + - name: user details + run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json + + # Show the Os Var and Benchmark Type And Load + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + # Initialize The Terraform Working Directory + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + # Validate The Syntax Of Terraform Files + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + # Execute The Actions And Build Azure Server + - name: Terraform_Apply + id: apply + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + WIN_USERNAME: ${{ secrets.WIN_USERNAME }} + WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "${OSVAR}.tfvars" 
--auto-approve + + # Debug Section + - name: DEBUG - Show Ansible Hostfile + if: env.ENABLE_DEBUG == 'true' + run: cat hosts.yml + + # Run the Ansible Playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_windows_IaC/hosts.yml + galaxy_file: collections/requirements.yml + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Destroy The Azure Test System + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "${OSVAR}.tfvars" --auto-approve diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index 162972d..0000000 --- a/.github/workflows/main.tf +++ /dev/null 
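Review bot: The `playbook-test` job is triggered by `pull_request_target` (types `opened`, `reopened`, `synchronize`), checks out `github.event.pull_request.head.sha`, and then executes that checked-out `site.yml` through `arillso/action.playbook@master` in a job whose `env` carries `ARM_CLIENT_SECRET`, `WIN_PASSWORD` and the other Azure secrets, so a pull request from any fork can run its own playbook content with those credentials present in its environment. Unlike `pull_request`, the `pull_request_target` event exposes repository secrets to fork-originated runs, and the `paths` filter on the trigger only decides whether the run starts, not what the checked-out tree contains. Gate the secret-bearing job behind an `environment:` with required reviewers or a maintainer-applied label condition such as `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')`, and pin the third-party actions to a full commit SHA instead of a moving branch, e.g. `uses: arillso/action.playbook@<commit-sha>  # <tag>`. The same trigger-plus-checkout pattern recurs in the second workflow hunk further down this page, whose file header has been lost in the extraction, and the fix applies there too. The `user details` step also writes `WIN_PASSWORD` in clear text to `sensitive_info.json` in the workspace and nothing removes it afterwards, which matters if that directory is ever uploaded as an artifact or echoed in the `DEBUG` steps.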
@@ -1,189 +0,0 @@ -# Configure the Azure provider -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 2.65" - } - } - required_version = ">= 1.1.0" -} - -provider "azurerm" { - features {} -} - -data "external" "win_account" { - program = ["cat", "./sensitive_info.json"] -} - -resource "azurerm_resource_group" "main" { - name = "${var.prefix}-${var.OS_version}-RG" - location = var.location - tags = { - environment = var.tagname - } -} - -resource "azurerm_virtual_network" "main" { - name = "${var.prefix}-${var.OS_version}-network" - address_space = ["172.16.0.0/16"] - location = azurerm_resource_group.main.location - resource_group_name = azurerm_resource_group.main.name - tags = { - environment = var.tagname - } -} - -resource "azurerm_subnet" "internal" { - name = "${var.prefix}-${var.OS_version}-intip" - resource_group_name = azurerm_resource_group.main.name - virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = ["172.16.101.0/24"] -} - -resource "azurerm_public_ip" "main" { - name = "${var.prefix}-${var.OS_version}-pubip" - location = var.location - resource_group_name = azurerm_resource_group.main.name - allocation_method = "Static" - tags = { - environment = var.tagname - } -} - -resource "azurerm_network_interface" "main" { - name = "${var.prefix}-${var.OS_version}-nic" - resource_group_name = azurerm_resource_group.main.name - location = azurerm_resource_group.main.location - - ip_configuration { - name = "internal" - subnet_id = azurerm_subnet.internal.id - private_ip_address_allocation = "Dynamic" - public_ip_address_id = azurerm_public_ip.main.id - } - - tags = { - environment = var.tagname - } - -} - -resource "azurerm_network_security_group" "secgroup" { - name = "${var.prefix}-${var.OS_version}-secgroup" - resource_group_name = azurerm_resource_group.main.name - location = azurerm_resource_group.main.location - security_rule { - name = "default-allow-3389" - priority = 1000 - access 
= "Allow" - direction = "Inbound" - destination_port_range = 3389 - protocol = "*" # rdp uses both - source_port_range = "*" - source_address_prefix = "Internet" - destination_address_prefix = "*" - } - security_rule { - name = "default-allow-winrm" - priority = 1001 - access = "Allow" - direction = "Inbound" - destination_port_range = "5985-5986" - protocol = "*" # rdp uses both - source_port_range = "*" - source_address_prefix = "Internet" - destination_address_prefix = "*" - } - tags = { - environment = var.tagname - } -} - -# Associate subnet and network security group -resource "azurerm_subnet_network_security_group_association" "secgroup-assoc" { - subnet_id = azurerm_subnet.internal.id - network_security_group_id = azurerm_network_security_group.secgroup.id -} - -resource "azurerm_windows_virtual_machine" "main" { - name = "${var.hostname}-${var.OS_version}" - resource_group_name = azurerm_resource_group.main.name - location = azurerm_resource_group.main.location - size = var.system_size - admin_username = data.external.win_account.result.username - admin_password = data.external.win_account.result.password - network_interface_ids = [ - azurerm_network_interface.main.id, - ] - - source_image_reference { - publisher = var.OS_publisher - offer = "WindowsServer" - sku = "${var.OS_version}-${var.system_release}" - version = "latest" - } - - os_disk { - storage_account_type = "Standard_LRS" - caching = "ReadWrite" - } - - tags = { - environment = var.tagname - } -} - -## Install the custom script VM extension to each VM. When the VM comes up, -## the extension will download the ConfigureRemotingForAnsible.ps1 script from GitHub -## and execute it to open up WinRM for Ansible to connect to it from Azure Cloud Shell. 
-## exit code has to be 0 -resource "azurerm_virtual_machine_extension" "enablewinrm" { - name = "enablewinrm" - virtual_machine_id = azurerm_windows_virtual_machine.main.id - publisher = "Microsoft.Compute" ## az vm extension image list --location eastus Do not use Microsoft.Azure.Extensions here - type = "CustomScriptExtension" ## az vm extension image list --location eastus Only use CustomScriptExtension here - type_handler_version = "1.10" ## az vm extension image list --location eastus - auto_upgrade_minor_version = true - settings = <> sensitive_info.json + + # Show the Os Var and Benchmark Type And Load + - name: DEBUG - Show IaC files + if: env.ENABLE_DEBUG == 'true' + run: | + echo "OSVAR = $OSVAR" + echo "benchmark_type = $benchmark_type" + pwd + ls + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + # Initialize The Terraform Working Directory + - name: Terraform_Init + id: init + run: terraform init + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + # Validate The Syntax Of Terraform Files + - name: Terraform_Validate + id: validate + run: terraform validate + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + + # Execute The Actions And Build Azure Server + - name: Terraform_Apply + id: apply + env: + # Imported from github variables this is used to load the relevant OS.tfvars file + WIN_USERNAME: ${{ secrets.WIN_USERNAME }} + WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform apply -var-file "${OSVAR}.tfvars" --auto-approve + + # Debug Section + - name: DEBUG - Show Ansible Hostfile + if: env.ENABLE_DEBUG == 
'true' + run: cat hosts.yml + + # Run the Ansible Playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/github_windows_IaC/hosts.yml + galaxy_file: collections/requirements.yml + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Destroy The Azure Test System + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + env: + OSVAR: ${{ vars.OSVAR }} + TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }} + run: terraform destroy -var-file "${OSVAR}.tfvars" --auto-approve diff --git a/.github/workflows/new_contrib_message.yml b/.github/workflows/new_contrib_message.yml deleted file mode 100644 index 33bdab6..0000000 --- a/.github/workflows/new_contrib_message.yml +++ /dev/null @@ -1,26 +0,0 @@ -# This is the workflow for sending a welcome message when a new contributor creates a new issue - -name: new_issue_contrib_message - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: - issues: - types: [opened] - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - issue-message: |- - Congrats on opening your first Issue and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happenign on the [Discord Server](https://discord.gg/ArDjfhY8) as well. - diff --git a/.github/workflows/testing_pipeline.yml b/.github/workflows/testing_pipeline.yml deleted file mode 100644 index 559966b..0000000 --- a/.github/workflows/testing_pipeline.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: testing_pipeline - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: - pull_request_target: - branches: - - devel - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.gg/ArDjfhY8) as well. - - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - # Set the OS to test on here - # Name matches the os_name.tfvars file - # one of - # - centos7 - # - rocky8 - # - ubuntu20 - # - ubuntu18 - # - windows - - env: - TEST_OS: windows - ENABLE_DEBUG: false - ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }} - WIN_USERNAME: ${{ secrets.WIN_USERNAME }} - WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - -# Sensitive data stored and passed to terraform - - name: user details - working-directory: .github/workflows - run: echo 
"{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json - -### Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - run: terraform apply -var-file "${TEST_OS}.tfvars" --auto-approve - -## Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - -# Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml -# verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - -# Remove test system - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - working-directory: .github/workflows - run: terraform destroy -var-file "${TEST_OS}.tfvars" -auto-approve diff --git a/.github/workflows/update_galaxy.yml b/.github/workflows/update_galaxy.yml index 4754c40..14ea5bf 100644 --- a/.github/workflows/update_galaxy.yml +++ b/.github/workflows/update_galaxy.yml 
@@ -1,17 +1,24 @@
-# Action to create or update Ansible Galaxy entry
+# This is a basic workflow to help you get started with Actions
 
-name: update_galaxy
+name: Update Galaxy
 
-on:
- push:
- branches:
- - main
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on: # yamllint disable-line rule:truthy
+ push:
+ branches:
+ - main
 
 jobs:
- update_role:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: hspaans/ansible-galaxy-action@master
- with:
- api_key: ${{ secrets.GALAXY_API_KEY }}
+ update_role:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout V3
+ uses: actions/checkout@v3
+
+ - name: Update Galaxy
+ uses: robertdebock/galaxy-action@master
+ with:
+ galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
+ git_branch: main
diff --git a/.github/workflows/vars.tf b/.github/workflows/vars.tf
deleted file mode 100644
index fa55278..0000000
--- a/.github/workflows/vars.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-variable "prefix" {
- description = "The prefix which should be used for all resources in this example"
-}
-
-variable "location" {
- description = "The Azure Region in which all resources in this example should be created."
-}
-
-variable "tagname" {
- description = "The Tagname in which all resources in this example should be created."
-}
-
-variable "system_size" {
- description = "The size of the system deployed in which all resources in this example should be created."
-}
-
-variable "system_release" {
- description = "The OS release in which all resources in this example should be created."
-}
-
-variable "hostname" {
- description = "The hostname for the virtual machine in this release"
-}
-
-variable "OS_publisher" {
- description = "The version of the OS"
-}
-
-variable "OS_version" {
- description = "The version of the OS"
-}
\ No newline at end of file
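Review bot: `uses: robertdebock/galaxy-action@master` is a mutable branch reference that receives `secrets.GALAXY_API_KEY`, so every future commit on that third-party branch runs with the key that publishes this role to Galaxy; pin it (and `actions/checkout`) to a full commit SHA, `uses: robertdebock/galaxy-action@<commit-sha>  # <tag>`, and bump it deliberately. The header comment carried over from the other workflow, `# Triggers the workflow on push or pull request` / `# events but only for the devel branch`, no longer describes this file, whose only trigger is `push` to `main`; replace it with `# Triggers the workflow on a push to the main branch (release publish)`. The hunk covers the whole file, so no other trigger is hidden outside it.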
diff --git a/.github/workflows/windows.tfvars b/.github/workflows/windows.tfvars
deleted file mode 100644
index a2ef60b..0000000
--- a/.github/workflows/windows.tfvars
+++ /dev/null
@@ -1,8 +0,0 @@
-prefix = "github"
-location = "eastus"
-tagname = "ansible_lockdown"
-system_size = "Standard_DC4s_v2"
-OS_publisher = "MicrosoftWindowsServer"
-OS_version = "2022"
-system_release = "Datacenter-g2"
-hostname = "github"
diff --git a/.yamllint b/.yamllint
index a49f497..db1b758 100755
--- a/.yamllint
+++ b/.yamllint
@@ -31,4 +31,4 @@ rules:
 trailing-spaces: enable
 truthy:
 allowed-values: ['true', 'false']
- check-keys: false
+ check-keys: true
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index a5c4e03..60fcb9a 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -6,14 +6,15 @@ Rules 1) All commits must be GPG signed (details in Signing section) 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) 3) All work is done in your own branch -4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to eachother +4) All pull requests go into the devel branch. There are automated checks for signed commits, Signed-off-by in commit messages, and functional testing) +5) Be open and nice to each other Workflow -------- -- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge -- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Your work is done in your own individual branch. Make sure to to Signed-off-by and GPG sign all commits you intend to merge +- All community Pull Requests are to the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release + Signing your contribution ------------------------- 
@@ -29,24 +30,24 @@ The process is to certify the below DCO 1.1 text By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license + have the right to submit it under the open-source license indicated in the file; or (b) The contribution is based upon previous work that, to the best - of my knowledge, is covered under an appropriate open source + of my knowledge, is covered under an appropriate open-source license and I have the right under that license to submit that work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am + by me, under the same open-source license (unless I am permitted to submit under a different license), as indicated in the file; or - (c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified + (c) The contribution was provided directly to me by another + contributor who certified (a), (b), or (c) and I have not modified it. (d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all - personal information I submit with it, including my sign-off) is + personal information I submit with it, including my Signed-off-by) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved. :: @@ -63,4 +64,4 @@ following text in your contribution commit message: This message can be entered manually, or if you have configured git with the correct `user.name` and `user.email`, you can use the `-s` -option to `git commit` to automatically include the signoff message. \ No newline at end of file +option to `git commit` to automatically include the Signed-off-by message. diff --git a/ChangeLog.md b/ChangeLog.md new file mode 100644 index 0000000..074c1e8 --- /dev/null +++ b/ChangeLog.md 
@@ -0,0 +1,12 @@ +# ChangeLog + +## Release 1.0.0 + +September 2023 +- This Release is based on CIS Benchmark v2.0.0 + +- Incorporated order fix for Lockout Controls: + https://github.com/ansible-lockdown/Windows-2022-CIS/pull/16 +- https://github.com/ansible/ansible/issues/62594 + +- Incorporated Disable Print Spooler Service: https://github.com/ansible-lockdown/Windows-2022-CIS/pull/19 diff --git a/LICENSE b/LICENSE index 39810af..b023af9 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise +Copyright (c) 2023 MindPoint Group / Lockdown Enterprise Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal @@ -9,8 +9,8 @@ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, diff --git a/README.md b/README.md index a0d91df..02ec578 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Windows Server 2022 CIS ## Configure a Microsoft Server 2022 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant -### Based on [ CIS Microsoft Windows Server 2022 v1.0.0 - 02-14-2022 ](https://www.cisecurity.org/cis-benchmarks/) +### Based on [ CIS Microsoft Windows Server 2022 v2.0.0 - 04-14-2023 ](https://www.cisecurity.org/cis-benchmarks/) --- 
@@ -11,14 +11,13 @@ ![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) -![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/Windows-2022-CIS/testing_pipeline.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2022-CIS/devel?color=dark%20green&label=Devel%20Branch%20commits) +[![Devel Pipeline Status](https://github.com/ansible-lockdown/Windows-2022-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2022-CIS/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2022-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits) -![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/Windows-2022-CIS/testing_pipeline.yml?label=Build%20Status) +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +[![Main Pipeline Status](https://github.com/ansible-lockdown/Windows-2022-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2022-CIS/actions/workflows/main_pipeline_validation.yml) ![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/Windows-2022-CIS?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/Windows-2022-CIS?label=Release%20Tag&&color=success) 
@@ -38,26 +37,25 @@ ### Community - -On our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users +On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users --- ## Caution(s) -This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. +This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but a remediation tool to be used after an audit. -Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. +Check Mode is not supported! The role will be completed in check mode without errors, but it is not supported and should be used with caution. -This role was developed against a clean install of the Windows 2022 Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. +This role was developed against a clean install of the Windows 2022 Operating System. If you are implementing an existing system please review this role for any site-specific changes that are needed. -To use release version please point to main branch and relevant release for the cis benchmark you wish to work with. +To use the release version please point to the main branch and relevant release for the cis benchmark you wish to work with. --- ## Matching a security Level for CIS -It is possible to to only run level 1 or level 2 controls for CIS. +It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags: - level1-domaincontroller 
@@ -65,18 +63,18 @@ This is managed using tags: - level2-domaincontroller - level2-memberserver -The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component. +The control found in defaults/main.yml also needs to reflect this as this controls the testing that takes place if you are using the audit component. ## Coming from a previous release -CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +CIS release always contains changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -Currently this release does not have a auditing tool that is up to date. +Currently, this release does not have an auditing tool that is up to date. ## Documentation 
@@ -97,7 +95,7 @@ Currently this release does not have a auditing tool that is up to date. - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** 
@@ -114,11 +112,11 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. +This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. ## Tags -There are many tags available for added control precision. Each control has it's own set of tags noting what level, if it's scored/notscored, what OS element it relates to, if it's a patch or audit, and the rule number. +There are many tags available for added control precision. Each control has its own set of tags noting what level, what OS element it relates to if it's a patch or audit, and the rule number. Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag smb, this task will be skipped. The opposite can also happen where you run only controls tagged with smb. @@ -126,7 +124,7 @@ Below is an example of the tag section from a control within this role. Using th tags: - level1-domaincontroller - level1-memberserver - - win22cis_rule_18.3.3 + - rule_18.3.3 - patch - smb ``` 
@@ -135,9 +133,9 @@ Below is an example of the tag section from a control within this role. Using th We encourage you (the community) to contribute to this role. Please read the rules below. -- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- Your work is done in your own individual branch. Make sure to Signed-off-by and GPG sign all commits you intend to merge. - All community Pull Requests are pulled into the devel branch -- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off-by, and a functional test before being approved - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release ## Pipeline Testing @@ -145,6 +143,6 @@ We encourage you (the community) to contribute to this role. Please read the rul uses: - ansible-core 2.12 -- ansible collections - pulls in the latest version based on requirements file +- ansible collections - pulls in the latest version based on the requirements file - runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel diff --git a/collections/requirements.yml b/collections/requirements.yml index 6ff67d5..3bbac16 100644 --- a/collections/requirements.yml +++ b/collections/requirements.yml @@ -1,4 +1,14 @@ --- collections: + - name: ansible.windows + type: git + source: https://github.com/ansible-collections/ansible.windows + - name: community.windows + type: git + source: https://github.com/ansible-collections/community.windows + + - name: community.general + type: git + source: https://github.com/ansible-collections/community.general diff --git a/defaults/main.yml b/defaults/main.yml index 2e9c3e0..739cfbb 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
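Review bot: The three new entries in collections/requirements.yml pull `ansible.windows`, `community.windows` and `community.general` straight from their GitHub repositories with `type: git` and no `version:` key, so `ansible-galaxy collection install -r` fetches whatever the default branch holds at install time and a run is not reproducible from the committed file. For a role that rewrites account, audit and firewall policy this also means an upstream breaking change or compromised commit lands on every fresh install without review. Pin each entry to a release tag or commit hash, e.g. add `version: "<release-tag-or-commit>"` beneath each `source:` line, or drop `type: git` and take the collections from Galaxy with an explicit version. The README hunks on this line are wording-only changes and need nothing.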
@@ -1,19 +1,39 @@ --- -win2022_os_distribution: Windows-2022 +# Section 1 Account Policies +# 1.1.x Password Policy, 1.2.x Account Lockout Policy +win22cis_section01: true -section01_patch: true -section02_patch: true -section05_patch: true -section09_patch: true -section17_patch: true -section18_patch: true -section19_patch: true +# Section 2 Local Policies +# 2.2.x User Rights Assignment, 2.3.x Security Options +win22cis_section02: true + +# Section 5 System Services +# 5.x Printers +win22cis_section05: true + +# Section 9 Windows Defender Firewall with Advanced Security (formerly Windows Firewall with Advanced Security) +# 9.1.x Domain Profile, 9.2.x Private Profile, 9.3.x Public Profile +win22cis_section09: true + +# Section 17 Advanced Audit Policy Configuration +# 17.1.x Account Logon, 17.2.x Account Management, 17.3.x Detailed Tracking, 17.4.x DS Access, 17.5.x Logon/Logoff +# 17.6.x Object Access, 17.7.x Policy Change, 17.8.x Privilege Use, 17.9.x System +win22cis_section17: true + +# Section 18 Administrative Templates (Computer) +# 18.1.x Control Panel, 18.2.x LAPS, 18.3.x MS Security Guide, 18.4.x MSS (Legacy), 18.5.x Network, 18.6.x Printers +# 18.7.x Start Menu and Taskbar, 18.8.x System, 18.9.x Windows Components +win22cis_section18: true + +# Section 19 Administrative Templates (User) +# 19.1.x Control Panel, 19.5.x Start Menu and Taskbar, 19.6.x System, 19.7.x Windows Components +win22cis_section19: true min_ansible_version: "2.10" # We've defined complexity-high to mean that we cannot automatically remediate -# the rule in question. In the future this might mean that the remediation +# the rule in question. In the future, this might mean that the remediation # may fail in some cases. complexity_high: true 
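Review bot: The section toggles are renamed from `section01_patch`…`section19_patch` to `win22cis_section01`…`win22cis_section19` with nothing left behind to catch the old names, so an inventory or extra-vars file that still sets `section02_patch: false` is presumably ignored and the section runs anyway, assuming the tasks now key on the new names. In a hardening role a disable that no longer disables is the surprise most worth guarding against. Consider a prerequisite assertion in the task files that fails when any old `section*_patch` variable is still defined, or at minimum a comment above `win22cis_section01: true` such as `# NOTE: the former section0X_patch variables are no longer read; rename them in any existing inventory or extra-vars.`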
@@ -23,7 +43,7 @@ complexity_high: true audit_complex: true # We've defined disruption-high to indicate items that are likely to cause -# disruption in a normal workflow. These items can be remediated automatically +# disruption in a normal workflow. These items can be remediated automatically # but are disabled by default to avoid disruption. disruption_high: false 
@@ -31,488 +51,548 @@ disruption_high: false # setting to make them stand out. audit_disruptive: false -run_audit: false -setup_audit: false - -skip_for_travis: false - -workaround_for_disa_benchmark: true -workaround_for_ssg_benchmark: true - # tweak role to run in a non-privileged container system_is_container: false -# set to false to skip tasks that either have not been developed or cannot be automated -is_implemented: false - -# set to false to skip long running tasks +# set to false to skip long_running tasks long_running: false -win_skip_for_test: false - -# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. -# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group +# win_skip_for_test is used in the playbook to skip over WINRM-based controls that +# may cause WINRM Basic Connection Type to be disabled. +# Setting win_skip_for_test to 'false' will enable Secure Connection types only. +# win22cis_rule_2_3_1_4 +# win22cis_rule_9_3_5 +# win22cis_rule_18_10_89_1_1 +# win22cis_rule_18_10_89_1_2 +# win22cis_rule_18_10_89_2_1 +# win22cis_rule_18_10_89_2_2 +# win22cis_rule_18_10_89_2_3 +# win22cis_rule_18_10_90_1 +win_skip_for_test: true + +# These variables correspond with the CIS Rule IDs defined in the CIS and allow you to enable/disable specific rules. +# PLEASE NOTE: These work in coordination with the level1 and level2 group variables. You must enable an entire group # in order for the variables below to take effect. # section01 -rule_1_1_1: true -rule_1_1_2: true -rule_1_1_3: true -rule_1_1_4: true -rule_1_1_5: true -rule_1_1_6: true -rule_1_1_7: true -rule_1_2_1: true -rule_1_2_2: true -rule_1_2_3: true +win22cis_rule_1_1_1: true +win22cis_rule_1_1_2: true +win22cis_rule_1_1_3: true +win22cis_rule_1_1_4: true +win22cis_rule_1_1_5: true +# win22cis_rule_1_1_6 set To false this control cannot be implemented in 2022. 
+# This setting is only available within the built-in OS security template of +# Windows 10 Release 2004 and Server 2022 (or newer). Control is Commented out for now. +win22cis_rule_1_1_6: false +win22cis_rule_1_1_7: true +# We have found the order of these three tasks below varies between cloud-based instances +# and VM-based instances locally. The task below breaks out to run in a different order +# for cloud-based systems and local-based systems. Notes are applied in the section01.yml file. +win22cis_rule_1_2_1: true +win22cis_rule_1_2_2: true +win22cis_rule_1_2_3: true +win22cis_rule_1_2_4: true # section02 -rule_2_2_1: true -rule_2_2_2: true -rule_2_2_3: true -rule_2_2_4: true -rule_2_2_5: true -rule_2_2_6: true -rule_2_2_7: true -rule_2_2_8: true -rule_2_2_9: true -rule_2_2_10: true -rule_2_2_11: true -rule_2_2_12: true -rule_2_2_13: true -rule_2_2_14: true -rule_2_2_15: true -rule_2_2_16: true -rule_2_2_17: true -rule_2_2_18: true -rule_2_2_19: true -rule_2_2_20: true -rule_2_2_21: true -rule_2_2_22: true -rule_2_2_23: true -rule_2_2_24: true -rule_2_2_25: true -rule_2_2_26: true -rule_2_2_27: true -rule_2_2_28: true -rule_2_2_29: true -rule_2_2_30: true -rule_2_2_31: true -rule_2_2_32: true -rule_2_2_33: true -rule_2_2_34: true -rule_2_2_35: true -rule_2_2_36: true -rule_2_2_37: true -rule_2_2_38: true -rule_2_2_39: true -rule_2_2_40: true -rule_2_2_41: true -rule_2_2_42: true -rule_2_2_43: true -rule_2_2_44: true -rule_2_2_45: true -rule_2_2_46: true -rule_2_2_47: true -rule_2_2_48: true -rule_2_3_1_1: true -rule_2_3_1_2: true -rule_2_3_1_3: true -rule_2_3_1_4: true -rule_2_3_1_5: true -rule_2_3_1_6: true -rule_2_3_2_1: true -rule_2_3_2_2: true -rule_2_3_4_1: true -rule_2_3_4_2: true -rule_2_3_5_1: true -rule_2_3_5_2: true -rule_2_3_5_3: true -rule_2_3_5_4: true -rule_2_3_5_5: true -rule_2_3_6_1: true -rule_2_3_6_2: true -rule_2_3_6_3: true -rule_2_3_6_4: true -rule_2_3_6_5: true -rule_2_3_6_6: true -rule_2_3_7_1: true -rule_2_3_7_2: true -rule_2_3_7_3: 
true -rule_2_3_7_4: true -rule_2_3_7_5: true -rule_2_3_7_6: true -rule_2_3_7_7: true -rule_2_3_7_8: true -rule_2_3_7_9: true -rule_2_3_8_1: true -rule_2_3_8_2: true -rule_2_3_8_3: true -rule_2_3_9_1: true -rule_2_3_9_2: true -rule_2_3_9_3: true -rule_2_3_9_4: true -rule_2_3_9_5: true -rule_2_3_10_1: true -rule_2_3_10_2: true -rule_2_3_10_3: true -rule_2_3_10_4: true -rule_2_3_10_5: true -rule_2_3_10_6: true -rule_2_3_10_7: true -rule_2_3_10_8: true -rule_2_3_10_9: true -rule_2_3_10_10: true -rule_2_3_10_11: true -rule_2_3_10_12: true -rule_2_3_10_13: true -rule_2_3_11_1: true -rule_2_3_11_2: true -rule_2_3_11_3: true -rule_2_3_11_4: true -rule_2_3_11_5: true -rule_2_3_11_6: true -rule_2_3_11_7: true -rule_2_3_11_8: true -rule_2_3_11_9: true -rule_2_3_11_10: true -rule_2_3_13_1: true -rule_2_3_15_1: true -rule_2_3_15_2: true -rule_2_3_17_1: true -rule_2_3_17_2: true -rule_2_3_17_3: true -rule_2_3_17_4: true -rule_2_3_17_5: true -rule_2_3_17_6: true -rule_2_3_17_7: true -rule_2_3_17_8: true +win22cis_rule_2_2_1: true +win22cis_rule_2_2_2: true +win22cis_rule_2_2_3: true +win22cis_rule_2_2_4: true +win22cis_rule_2_2_5: true +win22cis_rule_2_2_6: true +win22cis_rule_2_2_7: true +win22cis_rule_2_2_8: true +win22cis_rule_2_2_9: true +win22cis_rule_2_2_10: true +win22cis_rule_2_2_11: true +win22cis_rule_2_2_12: true +win22cis_rule_2_2_13: true +win22cis_rule_2_2_14: true +win22cis_rule_2_2_15: true +win22cis_rule_2_2_16: true +win22cis_rule_2_2_17: true +win22cis_rule_2_2_18: true +win22cis_rule_2_2_19: true +win22cis_rule_2_2_20: true +win22cis_rule_2_2_21: true +win22cis_rule_2_2_22: true +win22cis_rule_2_2_23: true +win22cis_rule_2_2_24: true +win22cis_rule_2_2_25: true +win22cis_rule_2_2_26: true +win22cis_rule_2_2_27: true +win22cis_rule_2_2_28: true +win22cis_rule_2_2_29: true +win22cis_rule_2_2_30: true +win22cis_rule_2_2_31: true +win22cis_rule_2_2_32: true +win22cis_rule_2_2_33: true +win22cis_rule_2_2_34: true +win22cis_rule_2_2_35: true +win22cis_rule_2_2_36: 
true +win22cis_rule_2_2_37: true +win22cis_rule_2_2_38: true +win22cis_rule_2_2_39: true +win22cis_rule_2_2_40: true +win22cis_rule_2_2_41: true +win22cis_rule_2_2_42: true +win22cis_rule_2_2_43: true +win22cis_rule_2_2_44: true +win22cis_rule_2_2_45: true +win22cis_rule_2_2_46: true +win22cis_rule_2_2_47: true +win22cis_rule_2_2_48: true +win22cis_rule_2_3_1_1: true +win22cis_rule_2_3_1_2: true +win22cis_rule_2_3_1_3: true +win22cis_rule_2_3_1_4: true +# Setting win22cis_rule_2_3_1_5 Control To True Will Break Ansible Connection +# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true. +win22cis_rule_2_3_1_5: true +win22cis_rule_2_3_2_1: true +win22cis_rule_2_3_2_2: true +win22cis_rule_2_3_4_1: true +win22cis_rule_2_3_4_2: true +win22cis_rule_2_3_5_1: true +win22cis_rule_2_3_5_2: true +win22cis_rule_2_3_5_3: true +win22cis_rule_2_3_5_4: true +win22cis_rule_2_3_5_5: true +win22cis_rule_2_3_6_1: true +win22cis_rule_2_3_6_2: true +win22cis_rule_2_3_6_3: true +win22cis_rule_2_3_6_4: true +win22cis_rule_2_3_6_5: true +win22cis_rule_2_3_6_6: true +win22cis_rule_2_3_7_1: true +win22cis_rule_2_3_7_2: true +win22cis_rule_2_3_7_3: true +win22cis_rule_2_3_7_4: true +win22cis_rule_2_3_7_5: true +win22cis_rule_2_3_7_6: true +win22cis_rule_2_3_7_7: true +win22cis_rule_2_3_7_8: true +win22cis_rule_2_3_7_9: true +win22cis_rule_2_3_8_1: true +win22cis_rule_2_3_8_2: true +win22cis_rule_2_3_8_3: true +win22cis_rule_2_3_9_1: true +win22cis_rule_2_3_9_2: true +win22cis_rule_2_3_9_3: true +win22cis_rule_2_3_9_4: true +win22cis_rule_2_3_9_5: true +win22cis_rule_2_3_10_1: true +win22cis_rule_2_3_10_2: true +win22cis_rule_2_3_10_3: true +win22cis_rule_2_3_10_4: true +win22cis_rule_2_3_10_5: true +win22cis_rule_2_3_10_6: true +win22cis_rule_2_3_10_7: true +win22cis_rule_2_3_10_8: true +win22cis_rule_2_3_10_9: true +win22cis_rule_2_3_10_10: true +win22cis_rule_2_3_10_11: true +win22cis_rule_2_3_10_12: true +win22cis_rule_2_3_10_13: true 
+win22cis_rule_2_3_11_1: true +win22cis_rule_2_3_11_2: true +win22cis_rule_2_3_11_3: true +win22cis_rule_2_3_11_4: true +win22cis_rule_2_3_11_5: true +win22cis_rule_2_3_11_6: true +win22cis_rule_2_3_11_7: true +win22cis_rule_2_3_11_8: true +win22cis_rule_2_3_11_9: true +win22cis_rule_2_3_11_10: true +win22cis_rule_2_3_13_1: true +win22cis_rule_2_3_15_1: true +win22cis_rule_2_3_15_2: true +win22cis_rule_2_3_17_1: true +win22cis_rule_2_3_17_2: true +win22cis_rule_2_3_17_3: true +win22cis_rule_2_3_17_4: true +win22cis_rule_2_3_17_5: true +win22cis_rule_2_3_17_6: true +win22cis_rule_2_3_17_7: true +win22cis_rule_2_3_17_8: true # section05 -rule_5_1: true -rule_5_2: true +win22cis_rule_5_1: true +win22cis_rule_5_2: true # section09 -rule_9_1_1: true -rule_9_1_2: true -rule_9_1_3: true -rule_9_1_4: true -rule_9_1_5: true -rule_9_1_6: true -rule_9_1_7: true -rule_9_1_8: true -rule_9_2_1: true -rule_9_2_2: true -rule_9_2_3: true -rule_9_2_4: true -rule_9_2_5: true -rule_9_2_6: true -rule_9_2_7: true -rule_9_2_8: true -rule_9_3_1: true -rule_9_3_2: true -rule_9_3_3: true -rule_9_3_4: true -rule_9_3_5: true -rule_9_3_6: true -rule_9_3_7: true -rule_9_3_8: true -rule_9_3_9: true -rule_9_3_10: true +win22cis_rule_9_1_1: true +win22cis_rule_9_1_2: true +win22cis_rule_9_1_3: true +win22cis_rule_9_1_4: true +win22cis_rule_9_1_5: true +win22cis_rule_9_1_6: true +win22cis_rule_9_1_7: true +win22cis_rule_9_1_8: true +win22cis_rule_9_2_1: true +win22cis_rule_9_2_2: true +win22cis_rule_9_2_3: true +win22cis_rule_9_2_4: true +win22cis_rule_9_2_5: true +win22cis_rule_9_2_6: true +win22cis_rule_9_2_7: true +win22cis_rule_9_2_8: true +win22cis_rule_9_3_1: true +win22cis_rule_9_3_2: true +win22cis_rule_9_3_3: true +win22cis_rule_9_3_4: true +# Setting win22cis_rule_9_3_5 Control To True Will Break Ansible Connection +# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true. 
+win22cis_rule_9_3_5: true +win22cis_rule_9_3_6: true +win22cis_rule_9_3_7: true +win22cis_rule_9_3_8: true +win22cis_rule_9_3_9: true +win22cis_rule_9_3_10: true # section17 -rule_17_1_1: true -rule_17_1_2: true -rule_17_1_3: true -rule_17_2_1: true -rule_17_2_2: true -rule_17_2_3: true -rule_17_2_4: true -rule_17_2_5: true -rule_17_2_6: true -rule_17_3_1: true -rule_17_3_2: true -rule_17_4_1: true -rule_17_4_2: true -rule_17_5_1: true -rule_17_5_2: true -rule_17_5_3: true -rule_17_5_4: true -rule_17_5_5: true -rule_17_5_6: true -rule_17_6_1: true -rule_17_6_2: true -rule_17_6_3: true -rule_17_6_4: true -rule_17_7_1: true -rule_17_7_2: true -rule_17_7_3: true -rule_17_7_4: true -rule_17_7_5: true -rule_17_8_1: true -rule_17_9_1: true -rule_17_9_2: true -rule_17_9_3: true -rule_17_9_4: true -rule_17_9_5: true +win22cis_rule_17_1_1: true +win22cis_rule_17_1_2: true +win22cis_rule_17_1_3: true +win22cis_rule_17_2_1: true +win22cis_rule_17_2_2: true +win22cis_rule_17_2_3: true +win22cis_rule_17_2_4: true +win22cis_rule_17_2_5: true +win22cis_rule_17_2_6: true +win22cis_rule_17_3_1: true +win22cis_rule_17_3_2: true +win22cis_rule_17_4_1: true +win22cis_rule_17_4_2: true +win22cis_rule_17_5_1: true +win22cis_rule_17_5_2: true +win22cis_rule_17_5_3: true +win22cis_rule_17_5_4: true +win22cis_rule_17_5_5: true +win22cis_rule_17_5_6: true +win22cis_rule_17_6_1: true +win22cis_rule_17_6_2: true +win22cis_rule_17_6_3: true +win22cis_rule_17_6_4: true +win22cis_rule_17_7_1: true +win22cis_rule_17_7_2: true +win22cis_rule_17_7_3: true +win22cis_rule_17_7_4: true +win22cis_rule_17_7_5: true +win22cis_rule_17_8_1: true +win22cis_rule_17_9_1: true +win22cis_rule_17_9_2: true +win22cis_rule_17_9_3: true +win22cis_rule_17_9_4: true +win22cis_rule_17_9_5: true # section18 -rule_18_1_1_1: true -rule_18_1_1_2: true -rule_18_1_2_2: true -rule_18_1_3: true -rule_18_2_1: true -rule_18_2_2: true -rule_18_2_3: true -rule_18_2_4: true -rule_18_2_5: true -rule_18_2_6: true -rule_18_3_1: true 
-rule_18_3_2: true -rule_18_3_3: true -rule_18_3_4: true -rule_18_3_5: true -rule_18_3_6: true -rule_18_3_7: true -rule_18_4_1: true -rule_18_4_2: true -rule_18_4_3: true -rule_18_4_4: true -rule_18_4_5: true -rule_18_4_6: true -rule_18_4_7: true -rule_18_4_8: true -rule_18_4_9: true -rule_18_4_10: true -rule_18_4_11: true -rule_18_4_12: true -rule_18_5_4_1: true -rule_18_5_4_2: true -rule_18_5_5_1: true -rule_18_5_8_1: true -rule_18_5_9_1: true -rule_18_5_9_2: true -rule_18_5_10_2: true -rule_18_5_11_2: true -rule_18_5_11_3: true -rule_18_5_11_4: true -rule_18_5_14_1: true -rule_18_5_19_2_1: true -rule_18_5_20_1: true -rule_18_5_20_2: true -rule_18_5_21_1: true -rule_18_5_21_2: true -rule_18_6_1: true -rule_18_6_2: true -rule_18_6_3: true -rule_18_7_1_1: true -rule_18_8_3_1: true -rule_18_8_4_1: true -rule_18_8_4_2: true -rule_18_8_5_1: true -rule_18_8_5_2: true -rule_18_8_5_3: true -rule_18_8_5_4: true -rule_18_8_5_5: true -rule_18_8_5_6: true -rule_18_8_5_7: true -rule_18_8_7_2: true -rule_18_8_14_1: true -rule_18_8_21_2: true -rule_18_8_21_3: true -rule_18_8_21_4: true -rule_18_8_21_5: true -rule_18_8_22_1_1: true -rule_18_8_22_1_2: true -rule_18_8_22_1_3: true -rule_18_8_22_1_4: true -rule_18_8_22_1_5: true -rule_18_8_22_1_6: true -rule_18_8_22_1_7: true -rule_18_8_22_1_8: true -rule_18_8_22_1_9: true -rule_18_8_22_1_10: true -rule_18_8_22_1_11: true -rule_18_8_22_1_12: true -rule_18_8_22_1_13: true -rule_18_8_25_1: true -rule_18_8_26_1: true -rule_18_8_27_1: true -rule_18_8_28_1: true -rule_18_8_28_2: true -rule_18_8_28_3: true -rule_18_8_28_4: true -rule_18_8_28_5: true -rule_18_8_28_6: true -rule_18_8_28_7: true -rule_18_8_31_1: true -rule_18_8_31_2: true -rule_18_8_34_6_1: true -rule_18_8_34_6_2: true -rule_18_8_34_6_3: true -rule_18_8_34_6_4: true -rule_18_8_36_1: true -rule_18_8_36_2: true -rule_18_8_37_1: true -rule_18_8_37_2: true -rule_18_8_40_1: true -rule_18_8_48_5_1: true -rule_18_8_48_11_1: true -rule_18_8_50_1: true -rule_18_8_53_1_1: true 
-rule_18_8_53_1_2: true -rule_18_9_4_1: true -rule_18_9_6_1: true -rule_18_9_8_1: true -rule_18_9_8_2: true -rule_18_9_8_3: true -rule_18_9_10_1_1: true -rule_18_9_12_1: true -rule_18_9_14_1: true -rule_18_9_14_2: true -rule_18_9_15_1: true -rule_18_9_16_1: true -rule_18_9_16_2: true -rule_18_9_17_1: true -rule_18_9_17_2: true -rule_18_9_17_3: true -rule_18_9_17_4: true -rule_18_9_17_5: true -rule_18_9_17_6: true -rule_18_9_17_7: true -rule_18_9_17_8: true -rule_18_9_27_1_1: true -rule_18_9_27_1_2: true -rule_18_9_27_2_1: true -rule_18_9_27_2_2: true -rule_18_9_27_3_1: true -rule_18_9_27_3_2: true -rule_18_9_27_4_1: true -rule_18_9_27_4_2: true -rule_18_9_31_2: true -rule_18_9_31_3: true -rule_18_9_31_4: true -rule_18_9_41_1: true -rule_18_9_45_1: true -rule_18_9_46_1: true -rule_18_9_47_4_1: true -rule_18_9_47_4_2: true -rule_18_9_47_5_1_1: true -rule_18_9_47_5_1_2: true -rule_18_9_47_5_3_1: true -rule_18_9_47_6_1: true -rule_18_9_47_9_1: true -rule_18_9_47_9_2: true -rule_18_9_47_9_3: true -rule_18_9_47_9_4: true -rule_18_9_47_11_1: true -rule_18_9_47_12_1: true -rule_18_9_47_12_2: true -rule_18_9_47_15: true -rule_18_9_47_16: true -rule_18_9_58_1: true -rule_18_9_64_1: true -rule_18_9_65_2_2: true -rule_18_9_65_3_2_1: true -rule_18_9_65_3_3_1: true -rule_18_9_65_3_3_2: true -rule_18_9_65_3_3_3: true -rule_18_9_65_3_3_4: true -rule_18_9_65_3_3_5: true -rule_18_9_65_3_3_6: true -rule_18_9_65_3_9_1: true -rule_18_9_65_3_9_2: true -rule_18_9_65_3_9_3: true -rule_18_9_65_3_9_4: true -rule_18_9_65_3_9_5: true -rule_18_9_65_3_10_1: true -rule_18_9_65_3_10_2: true -rule_18_9_65_3_11_1: true -rule_18_9_65_3_11_2: true -rule_18_9_66_1: true -rule_18_9_67_2: true -rule_18_9_67_3: true -rule_18_9_72_1: true -rule_18_9_85_1_1: true -rule_18_9_89_1: true -rule_18_9_89_2: true -rule_18_9_90_1: true -rule_18_9_90_2: true -rule_18_9_90_3: true -rule_18_9_91_1: true -rule_18_9_100_1: true -rule_18_9_100_2: true -rule_18_9_102_1_1: true -rule_18_9_102_1_2: true -rule_18_9_102_1_3: 
true -rule_18_9_102_2_1: true -rule_18_9_102_2_2: true -rule_18_9_102_2_3: true -rule_18_9_102_2_4: true -rule_18_9_102_1: true -rule_18_9_99_2_1: true -rule_18_9_103_1: true -rule_18_9_105_2_1: true -rule_18_9_108_1_1: true -rule_18_9_108_2_1: true -rule_18_9_108_2_2: true -rule_18_9_108_4_1: true -rule_18_9_108_4_2: true -rule_18_9_108_4_3: true +win22cis_rule_18_1_1_1: true +win22cis_rule_18_1_1_2: true +win22cis_rule_18_1_2_2: true +win22cis_rule_18_1_3: true +win22cis_rule_18_3_1: true +win22cis_rule_18_3_2: true +win22cis_rule_18_3_3: true +win22cis_rule_18_3_4: true +win22cis_rule_18_3_5: true +win22cis_rule_18_3_6: true +win22cis_rule_18_4_1: true +win22cis_rule_18_4_2: true +win22cis_rule_18_4_3: true +win22cis_rule_18_4_4: true +win22cis_rule_18_4_5: true +win22cis_rule_18_4_6: true +win22cis_rule_18_4_7: true +win22cis_rule_18_5_1: true +win22cis_rule_18_5_2: true +win22cis_rule_18_5_3: true +win22cis_rule_18_5_4: true +win22cis_rule_18_5_5: true +win22cis_rule_18_5_6: true +win22cis_rule_18_5_7: true +win22cis_rule_18_5_8: true +win22cis_rule_18_5_9: true +win22cis_rule_18_5_10: true +win22cis_rule_18_5_11: true +win22cis_rule_18_5_12: true +win22cis_rule_18_6_4_1: true +win22cis_rule_18_6_4_2: true +win22cis_rule_18_6_4_3: true +win22cis_rule_18_6_5_1: true +win22cis_rule_18_6_8_1: true +win22cis_rule_18_6_9_1: true +win22cis_rule_18_6_9_2: true +win22cis_rule_18_6_10_2: true +win22cis_rule_18_6_11_2: true +win22cis_rule_18_5_11_3: true +win22cis_rule_18_6_11_4: true +win22cis_rule_18_6_14_1: true +win22cis_rule_18_6_19_2_1: true +win22cis_rule_18_6_20_1: true +win22cis_rule_18_6_20_2: true +win22cis_rule_18_6_21_1: true +win22cis_rule_18_6_21_2: true +win22cis_rule_18_7_1: true +win22cis_rule_18_7_2: true +win22cis_rule_18_7_3: true +win22cis_rule_18_7_4: true +win22cis_rule_18_7_5: true +win22cis_rule_18_7_6: true +win22cis_rule_18_7_7: true +win22cis_rule_18_7_8: true +win22cis_rule_18_7_9: true +win22cis_rule_18_7_10: true +win22cis_rule_18_7_11: 
true +win22cis_rule_18_8_1_1: true +win22cis_rule_18_9_3_1: true +win22cis_rule_18_9_4_1: true +win22cis_rule_18_9_4_2: true +win22cis_rule_18_9_5_1: true +win22cis_rule_18_9_5_2: true +win22cis_rule_18_9_5_3: true +win22cis_rule_18_9_5_4: true +win22cis_rule_18_9_5_5: true +win22cis_rule_18_9_5_6: true +win22cis_rule_18_9_5_7: true +win22cis_rule_18_8_7_2: true +win22cis_rule_18_9_13_1: true +win22cis_rule_18_9_19_2: true +win22cis_rule_18_9_19_3: true +win22cis_rule_18_9_19_4: true +win22cis_rule_18_9_19_5: true +win22cis_rule_18_9_20_1_1: true +win22cis_rule_18_9_20_1_2: true +win22cis_rule_18_9_20_1_3: true +win22cis_rule_18_9_20_1_4: true +win22cis_rule_18_9_20_1_5: true +win22cis_rule_18_9_20_1_6: true +win22cis_rule_18_9_20_1_7: true +win22cis_rule_18_9_20_1_8: true +win22cis_rule_18_9_20_1_9: true +win22cis_rule_18_9_20_1_10: true +win22cis_rule_18_9_20_1_11: true +win22cis_rule_18_9_20_1_12: true +win22cis_rule_18_9_20_1_13: true +win22cis_rule_18_9_23_1: true +win22cis_rule_18_9_24_1: true +win22cis_rule_18_9_25_1: true +win22cis_rule_18_9_25_2: true +win22cis_rule_18_9_26_1: true +win22cis_rule_18_9_27_1: true +win22cis_rule_18_9_27_2: true +win22cis_rule_18_9_27_3: true +win22cis_rule_18_9_27_4: true +win22cis_rule_18_9_27_5: true +win22cis_rule_18_9_27_6: true +win22cis_rule_18_9_27_7: true +win22cis_rule_18_9_30_1: true +win22cis_rule_18_9_30_2: true +win22cis_rule_18_9_32_6_1: true +win22cis_rule_18_3_32_6_2: true +win22cis_rule_18_9_32_6_3: true +win22cis_rule_18_9_32_6_4: true +win22cis_rule_18_9_34_1: true +win22cis_rule_18_9_34_2: true +win22cis_rule_18_9_35_1: true +win22cis_rule_18_9_35_2: true +win22cis_rule_18_9_38_1: true +win22cis_rule_18_9_46_5_1: true +win22cis_rule_18_9_46_11_1: true +win22cis_rule_18_9_48_1: true +win22cis_rule_18_9_50_1_1: true +win22cis_rule_18_9_50_1_2: true +win22cis_rule_18_10_3_1: true +win22cis_rule_18_10_5_1: true +win22cis_rule_18_10_7_1: true +win22cis_rule_18_10_7_2: true +win22cis_rule_18_10_7_3: true 
+win22cis_rule_18_10_8_1_1: true +win22cis_rule_18_10_10_1: true +win22cis_rule_18_10_12_1: true +win22cis_rule_18_10_12_2: true +win22cis_rule_18_10_12_3: true +win22cis_rule_18_9_14_3: true +win22cis_rule_18_10_13_1: true +win22cis_rule_18_10_14_1: true +win22cis_rule_18_10_14_2: true +win22cis_rule_18_10_15_1: true +win22cis_rule_18_10_15_2: true +win22cis_rule_18_10_15_3: true +win22cis_rule_18_10_15_4: true +win22cis_rule_18_10_15_5: true +win22cis_rule_18_10_15_6: true +win22cis_rule_18_10_15_7: true +win22cis_rule_18_10_15_8: true +win22cis_rule_18_10_17_1: true +win22cis_rule_18_10_17_2: true +win22cis_rule_18_10_17_3: true +win22cis_rule_18_10_17_4: true +win22cis_rule_18_10_26_1_1: true +win22cis_rule_18_10_26_1_2: true +win22cis_rule_18_10_26_2_1: true +win22cis_rule_18_10_26_2_2: true +win22cis_rule_18_10_26_3_1: true +win22cis_rule_18_10_26_3_2: true +win22cis_rule_18_10_26_4_1: true +win22cis_rule_18_10_26_4_2: true +win22cis_rule_18_10_29_2: true +win22cis_rule_18_10_29_3: true +win22cis_rule_18_10_29_4: true +win22cis_rule_18_10_37_1: true +win22cis_rule_18_10_41_1: true +win22cis_rule_18_10_42_1: true +win22cis_rule_18_10_43_5_1: true +win22cis_rule_18_10_43_5_2: true +win22cis_rule_18_10_43_6_1_1: true +win22cis_rule_18_10_43_6_1_2: true +win22cis_rule_18_10_43_6_3_1: true +win22cis_rule_18_10_43_7_1: true +win22cis_rule_18_10_43_10_1: true +win22cis_rule_18_10_43_10_2: true +win22cis_rule_18_10_43_10_3: true +win22cis_rule_18_10_43_10_4: true +win22cis_rule_18_10_43_12_1: true +win22cis_rule_18_10_43_13_1: true +win22cis_rule_18_10_43_13_2: true +win22cis_rule_18_10_43_16: true +win22cis_rule_18_10_43_17: true +win22cis_rule_18_10_51_1: true +win22cis_rule_18_10_56_1: true +win22cis_rule_18_10_57_2_2: true +win22cis_rule_18_10_57_3_2_1: true +win22cis_rule_18_10_57_3_3_1: true +win22cis_rule_18_10_57_3_3_2: true +win22cis_rule_18_10_57_3_3_3: true +win22cis_rule_18_10_57_3_3_4: true +win22cis_rule_18_10_57_3_3_5: true 
+win22cis_rule_18_10_57_3_3_6: true +win22cis_rule_18_10_57_3_9_1: true +win22cis_rule_18_10_57_3_9_2: true +win22cis_rule_18_10_57_3_9_3: true +win22cis_rule_18_10_57_3_9_4: true +win22cis_rule_18_10_57_3_9_5: true +win22cis_rule_18_10_57_3_10_1: true +win22cis_rule_18_10_57_3_10_2: true +win22cis_rule_18_10_57_3_11_1: true +win22cis_rule_18_10_57_3_11_2: true +win22cis_rule_18_10_58_1: true +win22cis_rule_18_10_59_2: true +win22cis_rule_18_10_59_3: true +win22cis_rule_18_10_59_4: true +win22cis_rule_18_10_63_1: true +win22cis_rule_18_10_76_2_1: true +win22cis_rule_18_10_80_1: true +win22cis_rule_18_10_80_2: true +win22cis_rule_18_10_81_1: true +win22cis_rule_18_10_81_2: true +win22cis_rule_18_10_81_3: true +win22cis_rule_18_10_82_1: true +win22cis_rule_18_10_82_2: true +win22cis_rule_18_10_87_1: true +win22cis_rule_18_10_87_2: true +# WINRM CONTROLS # +# Setting The Following Controls To True Will Break the Ansible Connection +# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true. +# win22cis_rule_18_10_89_1_1 +# win22cis_rule_18_10_89_1_2 +# win22cis_rule_18_10_89_2_1 +# win22cis_rule_18_10_89_2_2 +# win22cis_rule_18_10_89_2_3 +win22cis_rule_18_10_89_1_1: true +win22cis_rule_18_10_89_1_2: true +win22cis_rule_18_10_89_2_1: true +win22cis_rule_18_10_89_2_2: true +win22cis_rule_18_10_89_2_3: true +# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following +# machine restart. The CIS standard calls for 0 but doing so will break all remote connections to the system. 
+win22cis_rule_18_10_89_1_3: true +win22cis_rule_18_10_89_2_4: true +win22cis_rule_18_10_90_1: true +# WINRM CONTROLS END # +win22cis_rule_18_10_92_2_1: true +win22cis_rule_18_10_93_1_1: true +win22cis_rule_18_10_93_2_1: true +win22cis_rule_18_10_93_2_2: true +win22cis_rule_18_10_93_4_1: true +win22cis_rule_18_10_93_4_2: true +win22cis_rule_18_10_93_4_3: true + # section19 -rule_19_1_3_1: true -rule_19_1_3_2: true -rule_19_1_3_3: true -rule_19_5_1_1: true -rule_19_6_6_1_1: true -rule_19_7_4_1: true -rule_19_7_4_2: true -rule_19_7_8_1: true -rule_19_7_8_2: true -rule_19_7_8_3: true -rule_19_7_8_4: true -rule_19_7_8_5: true -rule_19_7_28_1: true -rule_19_7_43_1: true -rule_19_7_47_2_1: true +win22cis_rule_19_1_3_1: true +win22cis_rule_19_1_3_2: true +win22cis_rule_19_1_3_3: true +win22cis_rule_19_5_1_1: true +win22cis_rule_19_6_6_1_1: true +win22cis_rule_19_7_4_1: true +win22cis_rule_19_7_4_2: true +win22cis_rule_19_7_7_1: true +win22cis_rule_19_7_7_2: true +win22cis_rule_19_7_7_3: true +win22cis_rule_19_7_7_4: true +win22cis_rule_19_7_7_5: true +win22cis_rule_19_7_25_1: true +win22cis_rule_19_7_40_1: true +win22cis_rule_19_7_42_2_1: true # Section 1 Variables # 1.1.1 -# win22cis_passwordhistorysize is the number of past PW before they can be reused -# This value should be set to 24 or more to be CIS compliant -win22cis_passwordhistorysize: 24 +# win22cis_max_passwords_saved is the variable used to dictate the number of unique passwords +# that have to be associated with a user account before you can reuse an old password. +# The recommended state for this setting is 24 Or More passwords. +# NOTE: As Of the publication of this benchmark, Microsoft has a maximum limit of 24 saved passwords. +# This may change at a later date but we have left it set up as a variable for that reason. 
+win22cis_max_passwords_saved: 24 # 1.1.2 -# win22cis_maximumpasswordage is the maximum password age in days -# This value should be set to 365 or fewer, but not 0, to be CIS compliant -win22cis_maximumpasswordage: 365 +# win22cis_maximum_password_age is the policy setting that defines how long a user can use their +# password before it expires. +# The recommended state for this setting is 365 or fewer days, but not 0 (zero). +win22cis_maximum_password_age: 365 # 1.1.3 -# win22cis_minimumpasswordage is the minimum password age in days -# This value should be set to 1 or more days to be CIS compliant -win22cis_minimumpasswordage: 1 +# win22cis_minimum_password_age is the policy setting that determines the number of days that you +# must use a password before you can change it. The range of values for this policy setting is +# between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) +# The default value for this setting is 0 days. +# The recommended state for this setting is: 1 or more day(s) +win22cis_minimum_password_age: 1 # 1.1.4 -# win22cis_minimumpasswordlength is the minimum number of characters needed for a password -# This value should be set to 14 or more to be CIS compliant -win22cis_minimumpasswordlength: 14 +# win22cis_minimum_password_length is the policy setting that determines the least number of characters +# that make up a password for a user account. +# The recommended state for this setting is: 14 or more character(s). +win22cis_minimum_password_length: 14 # 1.2.1 -# win22cis_lockoutduration is the duration a locked account stays locked in minutes -# This value should be set to 15 or more to be CIS compliant -win22cis_lockoutduration: "15" +# win22cis_account_lockout_duration is the policy setting determines the length of time that +# must pass before a locked account is unlocked and a user can try to log on again. 
+# NOTE: If the value for this policy setting is configured to 0, locked-out accounts will remain locked-out +# until an administrator manually unlocks them. +# The recommended state for this setting is: 15 or more minute(s). +win22cis_account_lockout_duration: 15 # 1.2.2 -# win22cis_lockoutbadcount is the number of failed login attempts before locking account -# This value should be set to 5 or fewer, but not 0, to be CIS compliant -win22cis_lockoutbadcount: 5 +# win22cis_lockout_bad_count is the policy setting that determines the number of failed logon +# attempts before the account is locked. +# The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0. +win22cis_bad_login_lockout_count: 5 # 1.2.3 -# win22cis_resetlockoutcount is the amount of time in minutes before a reset after an account lockout -# This value should be set to 15 or fewer to be CIS compliant -win22cis_resetlockoutcount: 15 +# win22cis_allow_admin_account_lockout is the policy setting that determines whether the built-in +# Administrator account is subject to the following Account Lockout Policy settings. +# 1 = enabled or 0 = disabled +win22cis_allow_admin_account_lockout: 1 + +# 1.2.4 +# win22cis_account_lockout_counter_reset is the policy setting that determines the length of time before the +# Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. +# NOTE: If the Account lockout threshold is defined (win22cis_account_lockout_duration), this reset +# time must be less than or equal to the value for the Account lockout duration setting. +# The recommended state for this setting is: 15 or more minute(s). +win22cis_account_lockout_counter_reset: 15 # Section 2 Variables 
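Review bot: Several of the new rule toggles break the numbering of the block they sit in and look like typos rather than real CIS IDs: `win22cis_rule_18_5_11_3` sits between `win22cis_rule_18_6_11_2` and `win22cis_rule_18_6_11_4`, `win22cis_rule_18_3_32_6_2` sits between `win22cis_rule_18_9_32_6_1` and `win22cis_rule_18_9_32_6_3`, and `win22cis_rule_18_8_7_2` and `win22cis_rule_18_9_14_3` appear inside the 18.9.5.x and 18.10.12.x runs. If the matching task's `when:` uses the correctly numbered name, that control is skipped or fails on an undefined variable while this file says it is enabled, so each should be cross-checked against the task files before release. The WinRM notes also disagree with each other: the list under `win_skip_for_test` names `win22cis_rule_2_3_1_4`, the inline comment warns that `win22cis_rule_2_3_1_5` breaks the Ansible connection, and the Section 2 comments in this diff describe 2.3.1.4 as the administrator rename, so one of the two references is wrong. Finally, the 1.2.4 comment calls `win22cis_account_lockout_duration` the lockout threshold, but the threshold variable defined here is `win22cis_bad_login_lockout_count`, whose own comment still refers to it as `win22cis_lockout_bad_count`.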
@@ -520,160 +600,224 @@ win22cis_resetlockoutcount: 15 # is_hyperv_installed is Hyper-V installed win22cis_hyperv_installed: false -# 2.3.1.5 +# 2.2.33 +# Window Manager\Window Manager Group only exists on non-Core installations +# windows_installation_type should be 'Server Core' for Core installations +# This is a variable to determine if Windows Manager should be included in this step +win22cis_increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}' + +# 2.2.37 +# win22cis_exchange_server_running is the policy setting that determines which users can change the auditing options for +# files and directories and clear the Security log. Setting to true will set both groups to be added. +# False will only add Administrators. +# True will add administrators and (when Exchange is running in the environment) Exchange Servers. +# The recommended state for this setting is: Administrators and when Exchange is running in the environment) Exchange Servers. +win22cis_exchange_server_running: false + +# 2.3.1.4 # win22cis_admin_username is the name the administrator account will be renamed to win22cis_admin_username: adminchangethis -# 2.3.1.6 +# 2.3.1.5 # win22cis_guest_username is the name the guest account will be renamed to win22cis_guest_username: guestchangethis # 2.3.6.5 -# win22cis_machine_acct_pw_age is the max machine account pw age in days -# This value should be set to 30 or fewer, but not zero, to be CIS compliant -win22cis_machine_acct_pw_age: 30 +# win22cis_domain_member_maximum_password_age is the policy setting that determines the maximum allowable age for a +# computer account password. By default, domain members automatically change their domain passwords every 30 days. +# The recommended state for this setting is: 30 or fewer days, but not 0. 
+win22cis_domain_member_maximum_password_age: 30 # 2.3.7.3 -# win22cis_inactivity_timeout is the timeout in seconds for how long to wait for activity -# This value should be 900 or vewer, but not zero, to be CIS compliant -win22cis_inactivity_timeout: 900 +# win22cis_inactivity_timeout_seconds is the variable used to set when Windows notices inactivity of a logon session, +# and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. +# The recommended state for this setting is: 900 or fewer second(s), but not 0. +win22cis_inactivity_timeout_seconds: 900 + +# 2.3.7.4 +# win22cis_legal_notice is the setting that specifies a text message that displays to users when they log on. +# Configure this setting in a manner that is consistent with the security and operational requirements of your organization. +win22cis_legal_notice: | + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. + + By using this IS (which includes any device attached to this IS), you consent to the following conditions: + + -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. + + -At any time, the USG may inspect and seize data stored on this IS. + + -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. + + -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. 
+ + -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. + +# 2.3.7.5 +# win22cis_legal_notice_caption is the policy setting that specifies the text displayed in the title bar of the window that users see +# when they log on to the system. Configure this setting in a manner that is consistent with the security and operational +# requirements of your organization. +win22cis_legal_notice_caption: "DoD Notice and Consent Banner" # 2.3.7.6 -# win22cis_cached_logons_count is the number of logons that are cached -# This needs to be 4 or fewer to be CIS compliant -win22cis_cached_logons_count: 4 +# win22cis_cached_logons_count is the number that is assigned to this policy setting and indicates the number of users whose +# logon information the computer will cache locally. If this value is set to 0, the logon cache feature is disabled. +# The recommended state for this setting is: 4 or fewer logon(s). +win22cis_cached_logons_count: 1 # 2.3.7.7 -# win22cis_passwd_expiry_warn is the number of days before an expring password users will receive warnings about the expring password -# This needs to be between 4 adn 14 days to be CIS compliant -win22cis_passwd_expiry_warn: 14 - -# 2.3.7.9 -# win22cis_smartc_remove_option is the reg key option on the action when a SmartCard is removed -# This needs to be set to 1 (Lock Workstation) or 2 (Force Logoff) to be CIS compliant -win22cis_smartc_remove_option: "1" +# win22cis_password_expiry_warning_days is the policy setting that determines how far in advance users are warned that their password will expire. +# The recommended state for this setting is: between 5 and 14 days. 
+win22cis_password_expiry_warning_days: 14 # 2.3.9.1 -# win22cis_auto_disconnect is the duration in minutes of idle time before suspending the session -# This needs to be set to 15 or fewer to be CIS compliant -win22cis_auto_disconnect: 15 +# win22cis_smb_auto_disconnect_time is the policy setting that allows you to specify the amount of continuous idle time that must pass in an +# SMB session before the session is suspended because of inactivity. +# The recommended state for this setting is: 15 or fewer minute(s). +win22cis_smb_auto_disconnect_time: 15 # Section 9 Variables # 9.1.5 -# domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log -# This is a variable to give some leway on where to store these log files +# win22cis_domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log +# This is a variable to give some leeway on where to store these log files win22cis_domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log' # 9.1.6 -# domain_firewall_log_size is the size of the log file generated +# win22cis_domain_firewall_log_size is the size of the log file generated # To conform to CIS standards the value should be 16,384 or greater. Value is in KB -win22cis_domain_firewall_log_size: 16,384 +win22cis_domain_firewall_log_size: 16384 # 9.2.5 # private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log -# This is a variable to give some leway on where to store these log files +# This is a variable to give some leeway on where to store these log files win22cis_private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log' # 9.2.6 # private_firewall_log_size is the size of the log file -# To conform to CIS stadnards the value should be 16,384 or greater. 
Value is in KB -win22cis_private_firewall_log_size: 16,384 +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB +win22cis_private_firewall_log_size: 16384 # 9.3.7 -# public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log -# This is a variable to give some leway on where to store these log files +# win22cis_public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log +# This is a variable to give some leeway on where to store these log files win22cis_public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # 9.3.8 # public_firewall_log_size is the size of the log file -# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB -win22cis_public_firewall_log_size: 16,384 +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB +win22cis_public_firewall_log_size: 16384 # Section 18 Variables -# Control 18.2.5 -# laps_passwordlength is the LAPS tool password length. -# To conform to CIS standards please use a min value of 15 and max value of 127 -win22cis_laps_passwordlength: 15 - -# Control 18.2.6 -# laps_passwordagedays is the LAPS tool password age in days -# To conform to CIS standards please use a max value of 30 -win22cis_laps_passwordagedays: 30 - -# 18.3.6 -# netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType -# Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS +# 18.4.6 +# win22cis_netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType +# Options are a B-node value of 1, P-node value of 2, M-node value of 4, and H-node value of 8. 
P-node is the recommended setting from CIS win22cis_netbt_nodetype: 2 -# 18.4.9 -# win22cis_screen_saver_grace is the time in seconds before the screen saver grace period expires -# To conform to CIS standards the value should be 5 or fewer, with zero as recommended -win22cis_screen_saver_grace: 0 - -# 18.4.12 -# win22cis_mss_security_warn_thresh is the threshold at which the event log will start warning -# To conform to CIS standards the value should be 90 or less -win22cis_mss_security_warn_thresh: 90 - -# 18.5.4.1 -# win22cis_dns_over_https is the registry value for the DoHPolicy regkey entry -# To conform to CIS standards this value needs to be 0 or 1 -win22cis_dns_over_https: 1 - -# 18.8.40.1 -# win22cis_sam_ng_key_roc is the value for the ROCA-vulnerable WHfB keys during authentication registry key value -# To conform to CIS standards this value needs to be 1 or 2 -win22cis_sam_ng_key_roc: 1 - -# 18.9.15.1 -# wincis_require_pin_pairing is the value for the require pin for pairing registry key -# To conform to CIS standards this value should be 1 or 2 -win22cis_require_pin_pairing: 1 - -# 18.9.17.1 -# win22cis_diag_data is the value for the Allow Diagnostic Data registry key -# To confrom to CIS standards this value should be a 0 or 1 -win22cis_diag_data: 0 - -# 18.9.27.1.2 -# win22cis_elm_applog_max_size is the max size of the Event Log Manager Application logs can become, in KB -# To conform to CIS stadnards this value should be 32768 or greater -win22cis_elm_applog_max_size: 65538 - -# 18.9.27.2.2 -# win22cis_elm_seclog_max_size is the max size of the Event Log Manager Security logs can become, in KB -# To confrom to CIS standards this value should be 196608 or greater -win22cis_elm_seclog_max_size: 196608 - -# 18.9.27.3.2 -# win22cis_elm_setup_max_size is the max size of the Even Log Manager non- standard logs can become, in KB -# To conform to CIS standards this value should be 32768 or higher -win22cis_elm_setup_max_size: 32768 - -# 18.9.27.4.2 -# 
win22cis_elm_syslog_max_size is the max size of the Event Long Manager System logs can become, in KB -# To conform to CIS standards this value should be 32768 or higher -win22cis_elm_syslog_max_size: 32768 - -# 18.9.65.3.10.1 -# win22cis_terminal_max_idle_time is the time limit for active but idle remote desktop services connections in seconds -# This value needs to be 15 minutes (900000) or less, but not zero (0) to conform to CIS standards -win22cis_terminal_max_idle_time: 900000 - -# 18.9.89.2 -# win22cis_allow_ink_workspace is the registry key value for the allowing windows ink workspace -# To conform to CIS stadnards this value should be a 0 or 1 -win22cis_allow_ink_workspace: 1 - -# 19.9.108.4.2 -# win22cis_defer_feature_update_period is the duration in days to delay feature updates in automatic updates -# To conform to CIS stadnards this value should be 180 or more (365 is max allowed by Windows) -win22cis_defer_feature_update_period: 180 +# 18.5.9 +# win22cis_screen_saver_grace_period is the grace period between when the screen saver is launched and when the console is actually +# locked automatically when screen saver locking is enabled. +# The recommended state for this setting is: Enabled: 5 or fewer seconds. +win22cis_screen_saver_grace_period: 5 + +# 18.5.12 +# win22cis_log_threshold_audit_event is the setting that can generate a security audit in the Security event log when the +# log reaches a user-defined threshold. +# The recommended state for this setting is: Enabled: 90% or less. +win22cis_log_threshold_audit_event: 90 + +# 18.6.4.1 +# win22cis_doh_policy os the setting determines if DNS over HTTPS (DoH) is used by the system. DNS over HTTPS (DoH) is a protocol +# for performing remote Domain Name System (DNS) resolution over the Hypertext Transfer Protocol Secure (HTTPS). +# The recommended state for this setting is: Enabled: Allow DoH. 
+# Note: Possible Valid Settings +# 2 - Enabled: Allow DoH +# 3 - Enabled: Require DoH +# Default: 2 +win22cis_doh_policy: 2 + +# 18.6.4.2 +# win22cis_enable_netbios_policy is the policy that setting specifies if the Domain Name System (DNS) client will perform name resolution +# over Network Basic Input/Output System (NetBIOS). +# The recommended state for this setting is: Enabled: Disable NetBIOS name resolution on public networks. +# Note: Possible Valid Settings +# 0 - Enabled: Disable NetBIOS name resolution +# 2 - Enabled: Disable NetBIOS name resolution on public networks +# Default: 2 +win22cis_enable_netbios_policy: 2 + +# 18.7.6 +# win22cis_force_kerberos_for_rpc is the policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the +# print spooler are allowed to use. +# The recommended state for this setting is: Enabled: Negotiate or higher. +# 0 - Negotiate +# 1 - Kerberos +# Default: 0 +win22cis_force_kerberos_for_rpc: 0 + +# 18.10.13.1 +# win22cis_require_pin_for_pairing is the policy setting that controls whether or not a PIN is required for pairing to a wireless display device. +# The recommended state for this setting is: Enabled: First Time OR Enabled: Always. +# 1 - First Time +# 2 - Always +# Default: 1 +win22cis_require_pin_for_pairing: 1 + +# 18.10.15.1 +# win22cis_allow_telemetry is the policy setting that determines the amount of diagnostic and usage data reported to Microsoft +# Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. +# 0 - Diagnostic data off (not recommended) +# 1 - Send required diagnostic data. +# Default: 1 +win22cis_allow_telemetry: 1 + +# 18.10.26.1.2 +# win22cis_application_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can be +# configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. 
+# The recommended state for this setting is: Enabled: 32,768 or greater +win22cis_application_max_log_file_size: 32768 + +# 18.10.26.2.2 +# win22cis_security_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can +# be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. +# The recommended state for this setting is: Enabled: 196,608 or greater. +win22cis_security_max_log_file_size: 196608 + +# 18.10.26.3.2 +# win22cis_setup_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can be +# configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.# +# The recommended state for this setting is: Enabled: 32,768 or greater. +win22cis_setup_max_log_file_size: 32768 + +# 18.10.26.4.2 +# win22cis_system_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size +# can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments. +# The recommended state for this setting is: Enabled: 32,768 or greater. +win22cis_system_max_log_file_size: 32768 + +# 18.10.57.3.10.1 +# win22cis_idle_rdp_session_disconnect_time is the setting that allows you to specify the maximum amount of time that an active Remote Desktop +# Services session can be idle (without user input) before it is automatically disconnected. +# The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0). +# 1 min = 60000, 5 min = 300000, 10 min = 600000, 15 min = 900000 +win22cis_idle_rdp_session_disconnect_time: 900000 + +# 18.10.80.2 +# win22cis_allow_windows_ink_workspace is the policy setting that determines whether Windows Ink items are allowed above the lock screen. 
+# The recommended state for this setting is: Enabled: On, but disallow access above lock OR Enabled: Disabled. +# 0 - Enabled: Disabled +# 1 - Enabled: On, but disallow access above lock +win22cis_allow_windows_ink_workspace: 1 + +# 18.10.93.4.2 +# win22cis_defer_feature_updates_period_in_days is the policy setting that determines when Preview Build or Feature Updates are received. +# Recommended setting: Enabled: 180 or more days +# Default: 180 +win22cis_defer_feature_updates_period_in_days: 180 # Section 19 Variables -# win22cis_screen_saver_timeout is the time in seconds until the screen saver turns on -# This needs to be set to 900 or fewer, but not zero, to be CIS compliant +# 19.1.3.3 +# win22cis_screen_saver_timeout is the setting that specifies how much user idle time must elapse before the screen saver is launched. +# The recommended state for this setting is: Enabled: 900 seconds or fewer, but not 0. win22cis_screen_saver_timeout: 900 diff --git a/handlers/main.yml b/handlers/main.yml index e5d8930..0cb78d6 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,9 +1,5 @@ --- + - name: reboot_windows ansible.windows.win_reboot: reboot_timeout: 3600 - -- name: restart print spooler - ansible.windows.win_service: - name: Spooler - state: restarted diff --git a/manifest.txt b/manifest.txt deleted file mode 100644 index f7102b6..0000000 --- a/manifest.txt +++ /dev/null 
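Review bot: `win22cis_increase_scheduling_priority_users` (the 2.2.33 entry) is the only default in this hunk whose value is a Jinja expression, and it dereferences `windows_installation_type`, which is not declared anywhere in the hunk (presumably a gathered or set fact); if that fact is unset when the variable is consumed, the template fails with an undefined-variable error rather than falling back to the non-Core group list. The comment above it reads as if `windows_installation_type` were something the user should set rather than a prerequisite, so I would replace the middle two comment lines with `# Requires windows_installation_type (e.g. from gathered facts) to be defined before this variable is evaluated; 'Server Core' selects the Administrators-only list.` Two comment inconsistencies in the same hunk are worth fixing as well: the `win22cis_force_kerberos_for_rpc` comment describes which protocols incoming RPC connections may use, while its value table (`0 - Negotiate` / `1 - Kerberos`) describes an authentication-protocol choice, so one of the two is wrong; and the `win22cis_doh_policy` line reads `os the setting determines` where `is the setting that determines` is meant.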
@@ -1,582 +0,0 @@ - -1.1 -1.1.1 - L1 Ensure Enforce password history is set to 24 or more passwords -1.1.2 - L1 Ensure Maximum password age is set to 60 or fewer days but not 0 -1.1.3 - L1 Ensure Minimum password age is set to 1 or more days -1.1.4 - L1 Ensure Minimum password length is set to 14 or more characters -1.1.5 - L1 Ensure Password must meet complexity requirements is set to Enabled -1.1.6 - L1 Ensure Store passwords using reversible encryption is set to Disabled - -1.2 -1.2.1 - L1 Ensure Account lockout duration is set to 15 or more minutes -1.2.2 - L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0 -1.2.3 - L1 Ensure Reset account lockout counter after is set to 15 or more minutes - -17.1 -17.1.1 - L1 Ensure Audit Credential Validation is set to Success and Failure - -17.2 -17.2.1 - L1 Ensure Audit Application Group Management is set to Success and Failure -17.2.2 - L1 Ensure Audit Computer Account Management is set to include Success DC only -17.2.3 - L1 Ensure Audit Distribution Group Management is set to include Success DC only -17.2.4 - L1 Ensure Audit Other Account Management Events is set to include Success DC only -17.2.5 - L1 Ensure Audit Security Group Management is set to include Success -17.2.6 - L1 Ensure Audit User Account Management is set to Success and Failure - -17.3 -17.3.1 - L1 Ensure Audit PNP Activity is set to include Success -17.3.2 - L1 Ensure Audit Process Creation is set to include Success - -17.4 -17.4.1 - L1 Ensure Audit Directory Service Access is set to include Failure DC only -17.4.2 - L1 Ensure Audit Directory Service Changes is set to include Success DC only - -17.5 -17.5.1 - L1 Ensure Audit Account Lockout is set to include Failure -17.5.2 - L1 Ensure Audit Group Membership is set to include Success -17.5.3 - L1 Ensure Audit Logoff is set to include Success -17.5.4 - L1 Ensure Audit Logon is set to Success and Failure -17.5.5 - L1 Ensure Audit Other LogonLogoff Events is set to 
Success and Failure -17.5.6 - L1 Ensure Audit Special Logon is set to include Success - -17.6 -17.6.1 - L1 Ensure Audit Detailed File Share is set to include Failure -17.6.2 - L1 Ensure Audit File Share is set to Success and Failure -17.6.3 - L1 Ensure Audit Other Object Access Events is set to Success and Failure -17.6.4 - L1 Ensure Audit Removable Storage is set to Success and Failure - -17.7 -17.7.1 - L1 Ensure Audit Audit Policy Change is set to include Success -17.7.2 - L1 Ensure Audit Authentication Policy Change is set to include Success -17.7.3 - L1 Ensure Audit Authorization Policy Change is set to include Success -17.7.4 - L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure -17.7.5 - L1 Ensure Audit Other Policy Change Events is set to include Failure - -17.8 -17.8.1 - L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure - -17.9 -17.9.1 - L1 Ensure Audit IPsec Driver is set to Success and Failure -17.9.2 - L1 Ensure Audit Other System Events is set to Success and Failure -17.9.3 - L1 Ensure Audit Security State Change is set to include Success -17.9.4 - L1 Ensure Audit Security System Extension is set to include Success -17.9.5 - L1 Ensure Audit System Integrity is set to Success and Failure - -18.1 -18.1.3 - L2 Ensure Allow Online Tips is set to Disabled - -18.1.1 -18.1.1.1 - L1 Ensure Prevent enabling lock screen camera is set to Enabled -18.1.1.2 - L1 Ensure Prevent enabling lock screen slide show is set to Enabled - -18.1.2 -18.1.2.2 - L1 Ensure Allow users to enable online speech recognition services is set to Disabled - -18.2 -18.2.1 - L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only -18.2.2 - L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only -18.2.3 - L1 Ensure Enable Local Admin Password Management is set to Enabled MS only -18.2.4 - L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers 
special characters MS only -18.2.5 - L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only -18.2.6 - L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only - -18.3 -18.3.1 - L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only -18.3.2 - L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended -18.3.3 - L1 Ensure Configure SMB v1 server is set to Disabled -18.3.4 - L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled -18.3.5 - L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only -18.3.6 - L1 Ensure WDigest Authentication is set to Disabled - -18.4 -18.4.1 - L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled -18.4.2 - L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled -18.4.3 - L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled -18.4.4 - L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled -18.4.5 - L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended -18.4.6 - L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled -18.4.7 - L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled -18.4.8 - L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled -18.4.9 - L1 Ensure MSS ScreenSaverGracePeriod The time in seconds 
before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds -18.4.10 - L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3 -18.4.11 - L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3 -18.4.12 - L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less - -18.5.4 -18.5.4.1 - L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only -18.5.4.2 - L1 Ensure Turn off multicast name resolution is set to Enabled MS Only - -18.5.5 -18.5.5.1 - L2 Ensure Enable Font Providers is set to Disabled - -18.5.8 -18.5.8.1 - L1 Ensure Enable insecure guest logons is set to Disabled - -18.5.9 -18.5.9.1 - L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled -18.5.9.2 - L2 Ensure Turn on Responder RSPNDR driver is set to Disabled - -18.5.10 -18.5.10.2 - L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled - -18.5.11 -18.5.11.2 - L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled -18.5.11.3 - L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled -18.5.11.4 - L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled - -18.5.14 -18.5.14.1 - L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares - -18.5.19.1 -18.5.19.1.1 - L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255 - -18.5.20 -18.5.20.1 - L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled -18.5.20.2 - L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled - -18.5.21 -18.5.21.1 - L1 Ensure Minimize the 
number of simultaneous connections to the Internet or a Windows Domain is set to Enabled -18.5.21.2 - L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only - -18.7.1 -18.7.1.1 - L2 Ensure Turn off notifications network usage is set to Enabled - -18.8.3 -18.8.3.1 - L1 Ensure Include command line in process creation events is set to Disabled - -18.8.4 -18.8.4.1 - L1 Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients -18.8.4.2 - L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled - -18.8.5 -18.8.5.1 - NG Ensure Turn On Virtualization Based Security is set to Enabled -18.8.5.2 - NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection -18.8.5.3 - NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock -18.8.5.4 - NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked -18.8.5.5 - NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only -18.8.5.6 - NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only -18.8.5.7 - NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled - -18.8.14 -18.8.14.1 - L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical - -18.8.21 -18.8.21.2 - L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE -18.8.21.3 - L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE -18.8.21.4 - L1 Ensure Continue experiences on this device is set to Disabled -18.8.21.5 - L1 Ensure Turn off background refresh of 
Group Policy is set to Disabled - -18.8.22.1 -18.8.22.1.1 - L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled -18.8.22.1.2 - L2 Ensure Turn off handwriting personalization data sharing is set to Enabled -18.8.22.1.3 - L2 Ensure Turn off handwriting recognition error reporting is set to Enabled -18.8.22.1.4 - L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled -18.8.22.1.5 - L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled -18.8.22.1.6 - L2 Ensure Turn off printing over HTTP is set to Enabled -18.8.22.1.7 - L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled -18.8.22.1.8 - L2 Ensure Turn off Search Companion content file updates is set to Enabled -18.8.22.1.9 - L2 Ensure Turn off the Order Prints picture task is set to Enabled -18.8.22.1.10 - L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled -18.8.22.1.11 - L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled -18.8.22.1.12 - L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled -18.8.22.1.13 - L2 Ensure Turn off Windows Error Reporting is set to Enabled - -18.8.25 -18.8.25.1 - L2 Ensure Support device authentication using certificate is set to Enabled Automatic - -18.8.26 -18.8.26.1 - L1 Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All - -18.8.27 -18.8.27.1 - L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled - -18.8.28 -18.8.28.1 - L1 Ensure Block user from showing account details on sign-in is set to Enabled -18.8.28.2 - L1 Ensure Do not display network selection UI is set to Enabled -18.8.28.3 - L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled -18.8.28.4 - L1 Ensure 
Enumerate local users on domain-joined computers is set to Disabled MS only -18.8.28.5 - L1 Ensure Turn off app notifications on the lock screen is set to Enabled -18.8.28.6 - L1 Ensure Turn off picture password sign-in is set to Enabled -18.8.28.7 - L1 Ensure Turn on convenience PIN sign-in is set to Disabled - -18.8.31 -18.8.31.1 - L2 Ensure Allow Clipboard synchronization across devices is set to Disabled -18.8.31.2 - L2 Ensure Allow upload of User Activities is set to Disabled - -18.8.34.6 -18.8.34.6.1 - L2 Ensure Allow network connectivity during connected-standby on battery is set to Disabled -18.8.34.6.2 - L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled -18.8.34.6.3 - L1 Ensure Require a password when a computer wakes on battery is set to Enabled -18.8.34.6.4 - L1 Ensure Require a password when a computer wakes plugged in is set to Enabled - -18.8.36 -18.8.36.1 - L1 Ensure Configure Offer Remote Assistance is set to Disabled -18.8.36.2 - L1 Ensure Configure Solicited Remote Assistance is set to Disabled - -18.8.37 -18.8.37.1 - L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only -18.8.37.2 - L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only - -18.8.45.5 -18.8.45.5.1 - L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled - -18.8.45.11 -18.8.45.11.1 - L2 Ensure EnableDisable PerfTrack is set to Disabled - -18.8.47 -18.8.47.1 - L2 Ensure Turn off the advertising ID is set to Enabled - -18.8.50.1 -18.8.50.1.1 - L2 Ensure Enable Windows NTP Client is set to Enabled -18.8.50.1.2 - L2 Ensure Enable Windows NTP Server is set to Disabled MS only - -18.9.4 -18.9.4.1 - L2 Ensure Allow a Windows app to share application data between users is set to Disabled - -18.9.6 -18.9.6.1 - L1 Ensure Allow Microsoft accounts to be optional is set to Enabled - -18.9.8 -18.9.8.1 - L1 Ensure Disallow 
Autoplay for non-volume devices is set to Enabled -18.9.8.2 - L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands -18.9.8.3 - L1 Ensure Turn off Autoplay is set to Enabled All drives - -18.9.10.1 -18.9.10.1.1 - L1 Ensure Configure enhanced anti-spoofing is set to Enabled - -18.9.12 -18.9.12.1 - L2 Ensure Allow Use of Camera is set to Disabled - -18.9.13 -18.9.13.1 - L1 Ensure Turn off Microsoft consumer experiences is set to Enabled - -18.9.14 -18.9.14.1 - L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always - -18.9.15 -18.9.15.1 - L1 Ensure Do not display the password reveal button is set to Enabled -18.9.15.2 - L1 Ensure Enumerate administrator accounts on elevation is set to Disabled - -18.9.16 -18.9.16.1 - L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic -18.9.16.2 - L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage -18.9.16.3 - L1 Ensure Do not show feedback notifications is set to Enabled -18.9.16.4 - L1 Ensure Toggle user control over Insider builds is set to Disabled - -18.9.26.1 -18.9.26.1.1 - L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled -18.9.26.1.2 - L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater - -18.9.26.2 -18.9.26.2.1 - L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled -18.9.26.2.2 - L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater - -18.9.26.3 -18.9.26.3.1 - L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled -18.9.26.3.2 - L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater - -18.9.26.4 -18.9.26.4.1 - L1 Ensure System Control 
Event Log behavior when the log file reaches its maximum size is set to Disabled -18.9.26.4.2 - L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater - -18.9.30 -18.9.30.2 - L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled -18.9.30.3 - L1 Ensure Turn off heap termination on corruption is set to Disabled -18.9.30.4 - L1 Ensure Turn off shell protocol protected mode is set to Disabled - -18.9.39 -18.9.39.2 - L2 Ensure Turn off location is set to Enabled - -18.9.43 -18.9.43.1 - L2 Ensure Allow Message Service Cloud Sync is set to Disabled - -18.9.44 -18.9.44.1 - L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled - -18.9.52 -18.9.52.1 - L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled - -18.9.59.2 -18.9.59.2.2 - L1 Ensure Do not allow passwords to be saved is set to Enabled - -18.9.59.3.2 -18.9.59.3.2.1 - L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled - -18.9.59.3.3 -18.9.59.3.3.1 - L2 Ensure Do not allow COM port redirection is set to Enabled -18.9.59.3.3.2 - L1 Ensure Do not allow drive redirection is set to Enabled -18.9.59.3.3.3 - L2 Ensure Do not allow LPT port redirection is set to Enabled -18.9.59.3.3.4 - L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled - -18.9.59.3.9 -18.9.59.3.9.1 - L1 Ensure Always prompt for password upon connection is set to Enabled -18.9.59.3.9.2 - L1 Ensure Require secure RPC communication is set to Enabled -18.9.59.3.9.3 - L1 Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL -18.9.59.3.9.4 - L1 Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled -18.9.59.3.9.5 - L1 Ensure Set client connection encryption level is set to Enabled High Level - -18.9.59.3.10 -18.9.59.3.10.1 - L2 Ensure Set time limit for active but 
idle Remote Desktop Services sessions is set to Enabled 15 minutes or less -18.9.59.3.10.2 - L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute - -18.9.59.3.11 -18.9.59.3.11.1 - L1 Ensure Do not delete temp folders upon exit is set to Disabled -18.9.59.3.11.2 - L1 Ensure Do not use temporary folders per session is set to Disabled - -18.9.60 -18.9.60.1 - L1 Ensure Prevent downloading of enclosures is set to Enabled - -18.9.61 -18.9.61.2 - L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search -18.9.61.3 - L1 Ensure Allow indexing of encrypted files is set to Disabled - -18.9.66 -18.9.66.1 - L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled - -18.9.77 -18.9.77.14 - L1 Ensure Configure detection for potentially unwanted applications is set to Enabled Block -18.9.77.15 - L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled - -18.9.77.3 -18.9.77.3.1 - L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled -18.9.77.3.2 - L2 Ensure Join Microsoft MAPS is set to Disabled - -18.9.77.7 -18.9.77.7.1 - L1 Ensure Turn on behavior monitoring is set to Enabled - -18.9.77.9 -18.9.77.9.1 - L2 Ensure Configure Watson events is set to Disabled - -18.9.77.10 -18.9.77.10.1 - L1 Ensure Scan removable drives is set to Enabled -18.9.77.10.2 - L1 Ensure Turn on e-mail scanning is set to Enabled - -18.9.77.13.1 -18.9.77.13.1.1 - L1 Ensure Configure Attack Surface Reduction rules is set to Enabled -18.9.77.13.1.2 - L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured - -18.9.77.13.3 -18.9.77.13.3.1 - L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block - -18.9.80.1 -18.9.80.1.1 - L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass - -18.9.84 -18.9.84.1 - L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled -18.9.84.2 - L1 Ensure Allow Windows 
Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On - -18.9.85 -18.9.85.1 - L1 Ensure Allow user control over installs is set to Disabled -18.9.85.2 - L1 Ensure Always install with elevated privileges is set to Disabled -18.9.85.3 - L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled - -18.9.86 -18.9.86.1 - L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled - -18.9.95 -18.9.95.1 - L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled -18.9.95.2 - L1 Ensure Turn on PowerShell Transcription is set to Disabled - -18.9.97.1 -18.9.97.1.1 - L1 Ensure Allow Basic authentication is set to Disabled -18.9.97.1.2 - L1 Ensure Allow unencrypted traffic is set to Disabled -18.9.97.1.3 - L1 Ensure Disallow Digest authentication is set to Enabled - -18.9.97.2 -18.9.97.2.1 - L1 Ensure Allow Basic authentication is set to Disabled -18.9.97.2.2 - L2 Ensure Allow remote server management through WinRM is set to Disabled -18.9.97.2.3 - L1 Ensure Allow unencrypted traffic is set to Disabled -18.9.97.2.4 - L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled - -18.9.98 -18.9.98.1 - L2 Ensure Allow Remote Shell Access is set to Disabled - -18.9.99.2 -18.9.99.2.1 - L1 Ensure Prevent users from modifying settings is set to Enabled - -18.9.102 -18.9.102.2 - L1 Ensure Configure Automatic Updates is set to Enabled -18.9.102.3 - L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day -18.9.102.4 - L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled - -18.9.102.1 -18.9.102.1.1 - L1 Ensure Manage preview builds is set to Enabled Disable preview builds -18.9.102.1.2 - L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days -18.9.102.1.3 - L1 Ensure Select when 
Quality Updates are received is set to Enabled 0 days - -19.1.3 -19.1.3.1 - L1 Ensure Enable screen saver is set to Enabled -19.1.3.2 - L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr -19.1.3.3 - L1 Ensure Password protect the screen saver is set to Enabled -19.1.3.4 - L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0 - -19.5.1 -19.5.1.1 - L1 Ensure Turn off toast notifications on the lock screen is set to Enabled - -19.6.6.1 -19.6.6.1.1 - L2 Ensure Turn off Help Experience Improvement Program is set to Enabled - -19.7.4 -19.7.4.1 - L1 Ensure Do not preserve zone information in file attachments is set to Disabled -19.7.4.2 - L1 Ensure Notify antivirus programs when opening attachments is set to Enabled - -19.7.7 -19.7.7.1 - L1 Ensure Configure Windows spotlight on lock screen is set to Disabled -19.7.7.2 - L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled -19.7.7.3 - L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled -19.7.7.4 - L2 Ensure Turn off all Windows spotlight features is set to Enabled - -19.7.26 -19.7.26.1 - L1 Ensure Prevent users from sharing files within their profile. 
is set to Enabled - -19.7.41 -19.7.41.1 - L1 Ensure Always install with elevated privileges is set to Disabled - -19.7.45.2 -19.7.45.2.1 - L2 Ensure Prevent Codec Download is set to Enabled - -2.2 -2.2.1 - L1 Ensure Access Credential Manager as a trusted caller is set to No One -2.2.2 - L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only -2.2.3 - L1 Ensure Access this computer from the network is set to Administrators Authenticated Users MS only -2.2.4 - L1 Ensure Act as part of the operating system is set to No One -2.2.5 - L1 Ensure Add workstations to domain is set to Administrators DC only -2.2.6 - L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE -2.2.7 - L1 Ensure Allow log on locally is set to Administrators -2.2.8 - L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only -2.2.9 - L1 Ensure Allow log on through Remote Desktop Services is set to Administrators Remote Desktop Users MS only -2.2.10 - L1 Ensure Back up files and directories is set to Administrators -2.2.11 - L1 Ensure Change the system time is set to Administrators LOCAL SERVICE -2.2.12 - L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE -2.2.13 - L1 Ensure Create a pagefile is set to Administrators -2.2.14 - L1 Ensure Create a token object is set to No One -2.2.15 - L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE -2.2.16 - L1 Ensure Create permanent shared objects is set to No One -2.2.17 - L1 Ensure Create symbolic links is set to Administrators DC only -2.2.18 - L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only -2.2.19 - L1 Ensure Debug programs is set to Administrators -2.2.20 - L1 Ensure Deny access to this computer from the network to include Guests DC only -2.2.21 - L1 Ensure Deny access to this computer from the 
network to include Guests Local account and member of Administrators group MS only -2.2.22 - L1 Ensure Deny log on as a batch job to include Guests -2.2.23 - L1 Ensure Deny log on as a service to include Guests -2.2.24 - L1 Ensure Deny log on locally to include Guests -2.2.25 - L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only -2.2.26 - L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only -2.2.27 - L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only -2.2.28 - L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only -2.2.29 - L1 Ensure Force shutdown from a remote system is set to Administrators -2.2.30 - L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE -2.2.31 - L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only -2.2.32 - L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only -2.2.33 - L1 Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group -2.2.34 - L1 Ensure Load and unload device drivers is set to Administrators -2.2.35 - L1 Ensure Lock pages in memory is set to No One -2.2.36 - L2 Ensure Log on as a batch job is set to Administrators DC Only -2.2.37 - L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only -2.2.38 - L1 Ensure Manage auditing and security log is set to Administrators MS only -2.2.39 - L1 Ensure Modify an object label is set to No One -2.2.40 - L1 Ensure Modify firmware environment values is set to Administrators -2.2.41 - L1 Ensure Perform volume maintenance tasks is set to Administrators -2.2.42 - L1 Ensure 
Profile single process is set to Administrators -2.2.43 - L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost -2.2.44 - L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE -2.2.45 - L1 Ensure Restore files and directories is set to Administrators -2.2.46 - L1 Ensure Shut down the system is set to Administrators -2.2.47 - L1 Ensure Synchronize directory service data is set to No One DC only -2.2.48 - L1 Ensure Take ownership of files or other objects is set to Administrators - -2.3.1 -2.3.1.1 - L1 Ensure Accounts Administrator account status is set to Disabled MS only -2.3.1.2 - L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts -2.3.1.3 - L1 Ensure Accounts Guest account status is set to Disabled MS only -2.3.1.4 - L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled -2.3.1.5 - L1 Configure Accounts Rename administrator account -2.3.1.6 - L1 Configure Accounts Rename guest account - -2.3.2 -2.3.2.1 - L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled -2.3.2.2 - L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled - -2.3.4 -2.3.4.1 - L1 Ensure Devices Allowed to format and eject removable media is set to Administrators -2.3.4.2 - L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled - -2.3.5 -2.3.5.1 - L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only -2.3.5.2 - L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only -2.3.5.3 - L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only - -2.3.6 -2.3.6.1 - L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled -2.3.6.2 - L1 Ensure Domain 
member Digitally encrypt secure channel data when possible is set to Enabled -2.3.6.3 - L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled -2.3.6.4 - L1 Ensure Domain member Disable machine account password changes is set to Disabled -2.3.6.5 - L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0 -2.3.6.6 - L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled - -2.3.7 -2.3.7.1 - L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled -2.3.7.2 - L1 Ensure Interactive logon Dont display last signed-in is set to Enabled -2.3.7.3 - L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0 -2.3.7.4 - L1 Configure Interactive logon Message text for users attempting to log on -2.3.7.5 - L1 Configure Interactive logon Message title for users attempting to log on -2.3.7.6 - L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only -2.3.7.7 - L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days -2.3.7.8 - L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only -2.3.7.9 - L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher - -2.3.8 -2.3.8.1 - L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled -2.3.8.2 - L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled -2.3.8.3 - L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled - -2.3.9 -2.3.9.1 - L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes -2.3.9.2 - L1 Ensure Microsoft network server Digitally sign 
communications always is set to Enabled -2.3.9.3 - L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled -2.3.9.4 - L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled -2.3.9.5 - L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only - -2.3.10 -2.3.10.1 - L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled -2.3.10.2 - L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only -2.3.10.3 - L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only -2.3.10.4 - L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled -2.3.10.5 - L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled -2.3.10.6 - L1 Configure Network access Named Pipes that can be accessed anonymously DC only -2.3.10.7 - L1 Configure Network access Named Pipes that can be accessed anonymously MS only -2.3.10.8 - L1 Configure Network access Remotely accessible registry paths -2.3.10.9 - L1 Configure Network access Remotely accessible registry paths and sub-paths -2.3.10.10 - L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled -2.3.10.11 - L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only -2.3.10.12 - L1 Ensure Network access Shares that can be accessed anonymously is set to None -2.3.10.13 - L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves - -2.3.11 -2.3.11.1 - L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled -2.3.11.2 - L1 Ensure Network security Allow LocalSystem NULL 
session fallback is set to Disabled -2.3.11.3 - L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled -2.3.11.4 - L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types -2.3.11.5 - L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled -2.3.11.6 - L1 Ensure Network security Force logoff when logon hours expire is set to Enabled -2.3.11.7 - L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM -2.3.11.8 - L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher -2.3.11.9 - L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption -2.3.11.10 - L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption - -2.3.13 -2.3.13.1 - L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled - -2.3.15 -2.3.15.1 - L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled -2.3.15.2 - L1 Ensure System objects Strengthen default permissions of internal system objects e.g. 
Symbolic Links is set to Enabled - -2.3.17 -2.3.17.1 - L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled -2.3.17.2 - L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop -2.3.17.3 - L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests -2.3.17.4 - L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled -2.3.17.5 - L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled -2.3.17.6 - L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled -2.3.17.7 - L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled -2.3.17.8 - L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled \ No newline at end of file diff --git a/meta/main.yml b/meta/main.yml index 1b36615..ddc4dae 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: - author: "Mark Bolwell, George Nalen" + author: "George Nalen, Mark Bolwell, Stephen Williams, Frederick Witty Jr." description: "Ansible role to apply Windows Server 2022 CIS Benchmark" company: "MindPoint Group" license: MIT @@ -17,11 +17,15 @@ galaxy_info: - security - cis - hardening + - benchmark - microsoft - windows + - complianceascode - compliance -collections: - - community.windows - - ansible.builtin - - ansible.windows -dependencies: [] + + collections: + - ansible.windows + - community.windows + - community.general + + dependencies: [] diff --git a/site.yml b/site.yml index 2161d3d..b71f45a 100644 --- a/site.yml +++ b/site.yml 
@@ -2,5 +2,7 @@ - hosts: all # noqa: name[play] + gather_facts: true + roles: - role: "{{ playbook_dir }}" diff --git a/tasks/main.yml b/tasks/main.yml index 9ddd11b..07dfcb6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,5 +1,11 @@ --- +- name: Display Banner + ansible.builtin.debug: + msg: "{{ lockdown_banner.split('\n') }}" + tags: + - always + - name: Gather distribution info ansible.builtin.setup: gather_subset: distribution,!all,!min 
@@ -30,61 +36,80 @@ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion name: InstallationType register: get_windows_installation_type + tags: + - always - name: Set Windows installation type ansible.builtin.set_fact: windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" + tags: + - always - name: Include the preliminary tasks - ansible.builtin.import_tasks: prelim.yml + ansible.builtin.import_tasks: + file: prelim.yml tags: - prelim_tasks - name: Execute the section 1 tasks - ansible.builtin.import_tasks: section01.yml + ansible.builtin.import_tasks: + file: section01.yml when: - - section01_patch + - win22cis_section01 tags: - section01 - name: Execute the section 2 tasks - ansible.builtin.import_tasks: section02.yml + ansible.builtin.import_tasks: + file: section02.yml when: - - section02_patch + - win22cis_section02 tags: - section02 - name: Execute the section 5 tasks - ansible.builtin.import_tasks: section05.yml + ansible.builtin.import_tasks: + file: section05.yml when: - - section05_patch + - win22cis_section05 tags: - section05 - name: Execute the section 9 tasks - ansible.builtin.import_tasks: section09.yml + ansible.builtin.import_tasks: + file: section09.yml when: - - section09_patch + - win22cis_section09 tags: - section09 - name: Execute the section 17 tasks - ansible.builtin.import_tasks: section17.yml + ansible.builtin.import_tasks: + file: section17.yml when: - - section17_patch + - win22cis_section17 tags: - section17 - name: Execute the section 18 tasks - ansible.builtin.import_tasks: section18.yml + ansible.builtin.import_tasks: + file: section18.yml when: - - section18_patch + - win22cis_section17 tags: - section18 - name: Execute the section 19 tasks - ansible.builtin.import_tasks: section19.yml + ansible.builtin.import_tasks: + file: section19.yml when: - - section19_patch + - win22cis_section19 tags: - section19 + +- name: If Warnings found Output count and control IDs affected + ansible.builtin.debug: + 
msg: + - "You have {{ warn_count }} Warning(s) that require investigation(s). Their IDs are listed below:" + - "{{ warn_control_list }}" + when: warn_count != 0 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index fbfe0cf..c19f64e 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -1,12 +1,12 @@ --- -- name: Set system facts based on gather facts module +- name: Set System Facts Based On Gather Facts Module block: - name: Set fact is system is standalone ansible.builtin.set_fact: win2022cis_is_standalone: true when: - - ansible_windows_domain_role == 'Stand-alone server' + - ansible_windows_domain_role == 'Stand-alone server' - name: Set fact if domain controller role ansible.builtin.set_fact: @@ -19,5 +19,33 @@ win2022cis_is_domain_member: true when: - ansible_windows_domain_role == 'Member server' + tags: + - always + +# HVM is Amazon AMI's, Hyper-V is Azure's, KVM is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') +# Current list is elastic and will be updated as we test more cloud based services. +# Current testing is working in Azure using Hyper-V. We are currently using this for reference: +# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205 +- name: Set Fact If Cloud-Based System. + ansible.builtin.set_fact: + win22cis_cloud_based_system: true when: - - run_audit + - ansible_virtualization_type == 'Hyper-V' or + ansible_virtualization_type == 'hvm' or + ansible_virtualization_type == 'kvm' + tags: + - always + +- name: Get Windows installation type + ansible.windows.win_reg_stat: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion + name: InstallationType + register: get_windows_installation_type + tags: + - always + +- name: Set Windows installation type + ansible.builtin.set_fact: + windows_installation_type: "{{ get_windows_installation_type.value | default('') }}" + tags: + - always 
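Review bot: The section 18 task is gated on the wrong variable: its `when:` was rewritten to `- win22cis_section17` while every other section's condition was renamed to its own number, so section 18 can no longer be toggled on its own and runs exactly when section 17 does; it should read `- win22cis_section18`. Worth confirming that the role defaults (not visible here) declare `win22cis_section18` alongside the other section switches, otherwise the corrected condition fails on an undefined variable. The closing warnings task assumes `warn_count` is always defined; if `warning_facts.yml` is the only place that sets it, a run that raises no warning would error on `warn_count != 0`, which a default of 0 in the role defaults or `when: warn_count | default(0) != 0` would avoid.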
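Review bot: The two tasks appended at the end of the hunk, `Get Windows installation type` and `Set Windows installation type`, duplicate the tasks of the same name that still run in `tasks/main.yml` immediately before `prelim.yml` is imported, so the same registry value is read and the same fact set twice per run; keep one copy, and `main.yml` looks like the natural home if the fact is needed before the import. The cloud-detection task depends on `ansible_virtualization_type`, which the role's own `Gather distribution info` call (`gather_subset: distribution,!all,!min`) appears not to collect; it presumably only exists because `site.yml` now sets `gather_facts: true`, so a comment above the task would save the next reader a debugging session, e.g. `# needs ansible_virtualization_type from full fact gathering (site.yml sets gather_facts: true)`. The same applies to `ansible_windows_domain_role` used by the block at the top of this file, whose start is in the previous hunk.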
diff --git a/tasks/run_audit.yml b/tasks/run_audit.yml deleted file mode 100644 index 9f24a73..0000000 --- a/tasks/run_audit.yml +++ /dev/null 
@@ -1,71 +0,0 @@ ---- - -- name: Run prereqs for standalone server - block: - - name: "run {{ audit_time }} remediation secedit export" - ansible.windows.win_command: "powershell.exe -noninteractive -noprofile -command secedit.exe /export /cfg {{ audit_capture_path }}\\secedit_{{ audit_time }}.txt" - - - name: "run {{ audit_time }} remediation auditpol report" - win_shell: "auditpol.exe /get /category:* > {{ audit_capture_path }}auditpol_{{ audit_time }}.txt" - when: - - win2016cis_is_standalone - -- name: Run prereqs for Domain members or controllers - block: - - name: "run {{ audit_time }} remediation secedit export" - ansible.windows.win_command: "powershell.exe -noninteractive -noprofile -command gpresult /v /r {{ audit_capture_path }}\\gpresult_{{ audit_time }}.txt" - - - name: "run {{ audit_time }} remediation auditpol report" - win_shell: "auditpol.exe /get /category:* > {{ audit_capture_path }}auditpol_{{ audit_time }}.txt" - when: - - not win2016cis_is_standalone - -# Copied pre and post to capture output files. 
-- name: copy the template used by ansible for consistent checks - win_template: - src: ansible_vars_goss.yml.j2 - dest: "{{ goss_vars_path }}" - -- name: Run the goss audit - win_shell: "{{ audit_capture_path }}{{ goss_exe }} -g {{ audit_capture_path }}{{ win2016_os_distribution }}-{{ benchmark }}-Audit\\goss.yml --vars {{ goss_vars_path }} v -f {{ audit_format }} -o pretty | Out-File {{ audit_results_file }}" - failed_when: false - -- name: Capture the pre remediation audit data summary - block: - - name: Capture pre remediation audit data - ansible.windows.win_command: "powershell.exe -noninteractive -noprofile -command (Get-Content {{ audit_results_file }} | ConvertFrom-Json).summary" - register: pre_audit - changed_when: false - - - name: Capture pre-audit result - ansible.builtin.set_fact: - pre_audit_summary: "{{ pre_audit.stdout }}" - vars: - summary: 'summary."summary-line"' - when: - - audit_time == 'pre' - -- name: Capture the post remediation audit data summary - block: - - name: Capture post remediation audit data - ansible.windows.win_command: "powershell.exe -noninteractive -noprofile -command (Get-Content {{ audit_results_file }} | ConvertFrom-Json).summary" - register: post_audit - changed_when: false - - - name: Capture post-audit result - ansible.builtin.set_fact: - post_audit_summary: "{{ post_audit.stdout }}" - vars: - summary: 'summary."summary-line"' - when: - - audit_time == 'post' - -- name: remove environment variable if set during remediation setup - win_environment: - state: absent - name: GOSS_USE_ALPHA - value: 1 - level: user - when: - - audit_time == 'post' - - goss_env.changed diff --git a/tasks/section01.yml b/tasks/section01.yml index 68d8715..91c4eef 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml 
@@ -1,144 +1,329 @@ --- -- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords" - ansible.builtin.win_security_policy: - section: System Access - key: passwordhistorysize - value: "{{ win22cis_passwordhistorysize }}" +- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords." + block: + - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Check for more than 24 saved passwords warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of maximum passwords set in win22cis_max_passwords_saved please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_max_passwords_saved > 24 or + win22cis_max_passwords_saved <= 23 + + - name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Set warning count" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.1.1' + when: + - win22cis_max_passwords_saved > 24 or + win22cis_max_passwords_saved <= 23 + + - name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: PasswordHistorySize + value: "{{ win22cis_max_passwords_saved }}" + when: win22cis_max_passwords_saved == 24 when: - - rule_1_1_1 + - win22cis_rule_1_1_1 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.1 - - automated - - passwords + - patch + - password - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0" - ansible.builtin.win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ win22cis_maximumpasswordage }}" + block: + - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Warning check for maximum password age time." + ansible.builtin.debug: + msg: + - "Warning!! 
You have an invalid age set for win22cis_maximum_password_age please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_maximum_password_age > 365 or + win22cis_maximum_password_age == 0 + + - name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.1.2' + when: + - win22cis_maximum_password_age > 365 or + win22cis_maximum_password_age == 0 + + - name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ win22cis_maximum_password_age }}" + when: + - win22cis_maximum_password_age <= 365 + - win22cis_maximum_password_age > 0 when: - - rule_1_1_2 + - win22cis_rule_1_1_2 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.2 - - automated - - passwords + - patch + - password - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days" - ansible.builtin.win_security_policy: - section: System Access - key: MinimumPasswordAge - value: "{{ win22cis_minimumpasswordage }}" + block: + - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimum password age." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid age set for win22cis_maximum_password_age please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_maximum_password_age > 999 or + win22cis_maximum_password_age == 0 + + - name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count." 
+ ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.1.3' + when: + - win22cis_maximum_password_age > 999 or + win22cis_maximum_password_age == 0 + + - name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: MinimumPasswordAge + value: "{{ win22cis_minimum_password_age }}" + when: + - win22cis_maximum_password_age <= 999 or + win22cis_maximum_password_age > 0 when: - - rule_1_1_3 + - win22cis_rule_1_1_3 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.3 - - automated - - passwords + - patch + - password - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters" - ansible.builtin.win_security_policy: - section: System Access - key: MinimumPasswordLength - value: "{{ win22cis_minimumpasswordlength }}" + block: + - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid length set for win22cis_minimum_password_length please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_minimum_password_length < 14 + + - name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters. | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.1.4' + when: win22cis_minimum_password_length < 14 + + - name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters. | Set Variable." 
+ community.windows.win_security_policy: + section: System Access + key: MinimumPasswordLength + value: "{{ win22cis_minimum_password_length }}" + when: win22cis_minimum_password_length >= 14 when: - - rule_1_1_4 + - win22cis_rule_1_1_4 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.4 - - automated - - passwords + - patch + - password -- name: "1.1.5 | PATCH | Ensure Password must meet complexity requirements is set to Enabled" - ansible.builtin.win_security_policy: +- name: "1.1.5 | PATCH | Ensure Password must meet complexity requirements is set to Enabled." + community.windows.win_security_policy: section: System Access key: PasswordComplexity value: 1 when: - - rule_1_1_5 + - win22cis_rule_1_1_5 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.5 - - automated - - passwords - -- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to enabled" - ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Control\SAM - name: RelaxMinimumPasswordLengthLimits - data: 1 - type: dword + - patch + - password + +- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled." 
+ community.windows.win_security_policy: + section: System Access + key: RelaxMinimumPasswordLengthLimits + value: 1 when: - - rule_1_1_6 + - win22cis_rule_1_1_6 tags: - - level1-domaincontroller - level1-memberserver - rule_1.1.6 - - automated - - passwords + - patch + - password - name: "1.1.7 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled" - ansible.builtin.win_security_policy: + community.windows.win_security_policy: section: System Access key: ClearTextPassword - value: "0" + value: 0 when: - - rule_1_1_7 + - win22cis_rule_1_1_7 tags: - level1-domaincontroller - level1-memberserver - rule_1.1.7 - - automated - - passwords + - patch + - password -# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempts but not 0" - ansible.builtin.win_security_policy: - section: System Access - key: LockoutBadCount - value: "{{ win22cis_lockoutbadcount }}" +# We have found the order of tasks varies between cloud-based instances and VM-based instances. +# The task below loads the control group in the correct order for cloud-based systems +- name: + “1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. + 1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes + 1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." + ansible.builtin.import_tasks: + file: section01_cloud_lockout_order.yml when: - - rule_1_2_2 + - win22cis_cloud_based_system or + win2022cis_is_domain_controller or + win2022cis_is_domain_member + tags: + - section01_cloud_lockout_order + +# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL-BASED SYSTEMS +# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1 +- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0." 
+ block: + - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of attempts set for win22cis_bad_login_lockout_count please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_bad_login_lockout_count > 5 or + win22cis_bad_login_lockout_count == 0 + + - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.2.2' + when: + - win22cis_bad_login_lockout_count > 5 or + win22cis_bad_login_lockout_count == 0 + + - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: LockoutBadCount + value: "{{ win22cis_bad_login_lockout_count }}" + when: + - win22cis_bad_login_lockout_count <= 5 + - win22cis_bad_login_lockout_count > 0 + when: + - win22cis_rule_1_2_2 + - not win22cis_cloud_based_system or + win2022cis_is_domain_controller or + win2022cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver - rule_1.2.2 - - automated + - patch - account -# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp -- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" - ansible.builtin.win_security_policy: +- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" + community.windows.win_security_policy: section: System Access - key: LockoutDuration - value: "{{ win22cis_lockoutduration }}" + key: AllowAdministratorLockout + value: "{{ 
win22cis_allow_admin_account_lockout }}" + when: + - win22cis_rule_1_2_3 + - not win22cis_cloud_based_system or + win2022cis_is_domain_controller or + win2022cis_is_domain_member + tags: + - level1-memberserver + - rule_1.2.3 + - patch + - password + +- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." + block: + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of minutes set for win22cis_account_lockout_counter_reset please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_account_lockout_counter_reset > win22cis_account_lockout_duration or + win22cis_account_lockout_counter_reset < 15 + + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.2.4' + when: + - win22cis_account_lockout_counter_reset > win22cis_account_lockout_duration or + win22cis_account_lockout_counter_reset < 15 + + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." 
+ community.windows.win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ win22cis_account_lockout_counter_reset }}" + when: + - win22cis_account_lockout_counter_reset >= 15 + - win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration when: - - rule_1_2_1 + - win22cis_rule_1_2_4 + - not win22cis_cloud_based_system or + win2022cis_is_domain_controller or + win2022cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver - - rule_1.2.1 - - automated + - rule_1.2.4 + - patch - account -- name: "1.2.3 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes" - ansible.builtin.win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ win22cis_resetlockoutcount }}" +- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" + block: + - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of minutes set for win22cis_account_lockout_duration please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_account_lockout_duration < 15 + + - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.2.1' + when: win22cis_account_lockout_duration < 15 + + - name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. 
| Set Variable" + community.windows.win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ win22cis_account_lockout_duration }}" + when: win22cis_account_lockout_duration >= 15 when: - - rule_1_2_3 + - win22cis_rule_1_2_1 + - not win22cis_cloud_based_system or + win2022cis_is_domain_controller or + win2022cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver - - rule_1.2.3 - - automated + - rule_1.2.1 + - patch - account diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml new file mode 100644 index 0000000..dbb61ca --- /dev/null +++ b/tasks/section01_cloud_lockout_order.yml 
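Review bot: Control 1.1.3 validates and gates on `win22cis_maximum_password_age` instead of `win22cis_minimum_password_age`, so the minimum-age value is written to `MinimumPasswordAge` unchecked, and the PATCH task's `when` (`<= 999 or > 0`) is true for any non-negative maximum-age value. The two AUDIT tasks and their warning text should name the minimum variable, with `when: win22cis_minimum_password_age < 1` on the warnings and `when: win22cis_minimum_password_age >= 1` on the PATCH, mirroring how 1.1.4 gates on its own variable. Separately, the local 1.2.2, 1.2.3, 1.2.4 and 1.2.1 tasks are gated by `not win22cis_cloud_based_system or win2022cis_is_domain_controller or win2022cis_is_domain_member`, which Jinja reads as `(not cloud) or dc or member`, so a domain-joined host satisfies both this gate and the cloud import above it and receives the lockout policy twice in two different orders; if the imported order is meant for domain-joined hosts, the gate should be `not (win22cis_cloud_based_system or win2022cis_is_domain_controller or win2022cis_is_domain_member)`. The combined 1.2.2/1.2.1/1.2.4 task name opens with a typographic `“` and closes with `"`, so YAML parses it as a plain multi-line scalar that keeps both characters in the name; use a straight `"` at both ends.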
@@ -0,0 +1,124 @@ +--- + +# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD-BASED SYSTEMS +# CONTROL 1.2.2, CONTROL 1.2.1, CONTROL 1.2.4 +- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0." + block: + - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of attempts set for win22cis_bad_login_lockout_count please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_bad_login_lockout_count > 5 or + win22cis_bad_login_lockout_count == 0 + + - name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.2.2' + when: + - win22cis_bad_login_lockout_count > 5 or + win22cis_bad_login_lockout_count == 0 + + - name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: LockoutBadCount + value: "{{ win22cis_bad_login_lockout_count }}" + when: + - win22cis_bad_login_lockout_count <= 5 + - win22cis_bad_login_lockout_count > 0 + when: + - win22cis_rule_1_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_1.2.2 + - patch + - account + +- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes" + block: + - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." + ansible.builtin.debug: + msg: + - "Warning!! 
You have an invalid number of minutes set for win22cis_account_lockout_duration please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_account_lockout_duration < 15 + + - name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.2.1' + when: + - win22cis_account_lockout_duration < 15 + + - name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. | Set Variable" + community.windows.win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ win22cis_account_lockout_duration }}" + when: + - win22cis_account_lockout_duration >= 15 + when: + - win22cis_rule_1_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_1.2.1 + - patch + - account + +- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled" + community.windows.win_security_policy: + section: System Access + key: AllowAdministratorLockout + value: "{{ win22cis_allow_admin_account_lockout }}" + when: + - win22cis_rule_1_2_3 + tags: + - level1-memberserver + - rule_1.2.3 + - patch + - password + +- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes." + block: + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of minutes set for win22cis_account_lockout_counter_reset please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." 
+ when: + - win22cis_account_lockout_counter_reset > win22cis_account_lockout_duration or + win22cis_account_lockout_counter_reset < 15 + + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | | Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '1.2.4' + when: + - win22cis_account_lockout_counter_reset > win22cis_account_lockout_duration or + win22cis_account_lockout_counter_reset < 15 + + - name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable." + community.windows.win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ win22cis_account_lockout_counter_reset }}" + when: + - win22cis_account_lockout_counter_reset >= 15 + - win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration + when: + - win22cis_rule_1_2_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_1.2.4 + - patch + - account diff --git a/tasks/section02.yml b/tasks/section02.yml index b4f50e8..320e581 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -6,15 +6,15 @@ users: [] action: set when: - - rule_2_2_1 + - win22cis_rule_2_2_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.1 - - automated - - credential_manager + - patch + - userrights -- name: "2.2.2 | PATCH | Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" +- name: "2.2.2 | PATCH | Ensure Access this computer from the network is set to Administrators, Authenticated Users, & ENTERPRISE DOMAIN CONTROLLERS DC only | Domain Controller" ansible.windows.win_user_right: name: SeNetworkLogonRight users: 
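Review bot: The 1.2.3 task writes `win22cis_allow_admin_account_lockout` straight into `AllowAdministratorLockout` with no AUDIT/warning pair, whereas 1.2.2, 1.2.1 and 1.2.4 in this file each validate their variable before the PATCH; a `debug` plus `warning_facts.yml` pair gated on the value not being 1 (the control asks for Enabled) would keep it consistent, and the task's `password` tag should be `account` like its neighbours. Since the four tasks here are verbatim copies of the ones in section01.yml that differ only in order, a header comment such as `# NOTE: keep in sync with the matching 1.2.x controls in section01.yml; only the task order differs.` would help future fixes land in both files. The 1.2.4 warning-count task name also contains a doubled separator, `| | Set warning count.`, here and in section01.yml.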
@@ -23,15 +23,16 @@ - ENTERPRISE DOMAIN CONTROLLERS action: set when: - - rule_2_2_2 - - "'Primary domain controller' in ansible_windows_domain_role" + - win22cis_rule_2_2_2 + - win2022cis_is_domain_controller tags: - level1-domaincontroller + - level1-memberserver - rule_2.2.2 - - automated - - access + - patch + - userrights -- name: "2.2.3 | PATCH | Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" +- name: "2.2.3 | PATCH | Ensure Access this computer from the network is set to Administrators, Authenticated Users, & ENTERPRISE DOMAIN CONTROLLERS MS only | Member Server" ansible.windows.win_user_right: name: SeNetworkLogonRight users: @@ -39,13 +40,14 @@ - Authenticated Users action: set when: - - rule_2_2_3 - - "'Primary domain controller' not in ansible_windows_domain_role" + - win22cis_rule_2_2_3 + - win2022cis_is_domain_member tags: + - level1-domaincontroller - level1-memberserver - rule_2.2.3 - - automated - - access + - patch + - userrights - name: "2.2.4 | PATCH | Ensure Act as part of the operating system is set to No One" ansible.windows.win_user_right: 
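Review bot: The new 2.2.3 title states the right is set to `Administrators, Authenticated Users, & ENTERPRISE DOMAIN CONTROLLERS MS only`, but the task's `users` list ends at `Authenticated Users` (the member-server value the control actually requires), so the name misdescribes what the task applies; drop `& ENTERPRISE DOMAIN CONTROLLERS` from the 2.2.3 name. The tag changes also give the DC-only 2.2.2 task `level1-memberserver` and the MS-only 2.2.3 task `level1-domaincontroller`, while 2.2.5 in the next hunk keeps only `level1-domaincontroller`; the `when` gates still prevent mis-application, but the tags no longer indicate which role a task is for.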
@@ -53,25 +55,27 @@ users: [] action: set when: - - rule_2_2_4 + - win22cis_rule_2_2_4 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.4 - - automated + - patch + - userrights -- name: "2.2.5 | PATCH | Ensure Add workstations to domain is set to Administrators DC only" +- name: "2.2.5 | PATCH | Ensure Add workstations to domain is set to Administrators DC only | Domain Controller" ansible.windows.win_user_right: name: SeMachineAccountPrivilege users: Administrators action: set when: - - rule_2_2_5 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_5 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.5 - - automated + - patch + - userrights - name: "2.2.6 | PATCH | Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" ansible.windows.win_user_right: 
@@ -82,40 +86,30 @@ - Network Service action: set when: - - rule_2_2_6 + - win22cis_rule_2_2_6 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.6 - - automated + - patch + - userrights - name: "2.2.7 | PATCH | Ensure Allow log on locally is set to Administrators" ansible.windows.win_user_right: name: SeInteractiveLogonRight - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_7 + - win22cis_rule_2_2_7 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.7 - - automated + - patch + - userrights -- name: "2.2.8 | PATCH | Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" - ansible.windows.win_user_right: - name: SeRemoteInteractiveLogonRight - users: Administrators - action: set - when: - - rule_2_2_8 - - "'Primary domain controller' in ansible_windows_domain_role" - tags: - - level1-domaincontroller - - rule_2.2.8 - - automated - -- name: "2.2.9 | PATCH | Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" +- name: "2.2.8 & 2.2.9 | PATCH | Ensure Allow log on through Remote Desktop Services is set to Administrators | Domain Controller & Member Server" ansible.windows.win_user_right: name: SeRemoteInteractiveLogonRight users: 
@@ -123,25 +117,30 @@ - Remote Desktop Users action: set when: - - rule_2_2_9 - - "'Primary domain controller' not in ansible_windows_domain_role" + - win22cis_rule_2_2_8 or + win22cis_rule_2_2_9 tags: + - level1-domaincontroller - level1-memberserver + - rule_2.2.8 - rule_2.2.9 - - automated + - patch + - userrights - name: "2.2.10 | PATCH | Ensure Back up files and directories is set to Administrators" ansible.windows.win_user_right: name: SeBackupPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_10 + - win22cis_rule_2_2_10 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.10 - - automated + - patch + - userrights - name: "2.2.11 | PATCH | Ensure Change the system time is set to Administrators LOCAL SERVICE" ansible.windows.win_user_right: @@ -151,12 +150,12 @@ - Local Service action: set when: - - rule_2_2_11 + - win22cis_rule_2_2_11 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.11 - - automated + - patch - name: "2.2.12 | PATCH | Ensure Change the time zone is set to Administrators LOCAL SERVICE" ansible.windows.win_user_right: @@ -166,25 +165,28 @@ - Local Service action: set when: - - rule_2_2_12 + - win22cis_rule_2_2_12 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.12 - - automated + - patch + - userrights - name: "2.2.13 | PATCH | Ensure Create a pagefile is set to Administrators" ansible.windows.win_user_right: name: SeCreatePagefilePrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_13 + - win22cis_rule_2_2_13 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.13 - - automated + - patch + - userrights - name: "2.2.14 | PATCH | Ensure Create a token object is set to No One" ansible.windows.win_user_right: 
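Review bot: Merging 2.2.8 into 2.2.9 drops the DC-only value: the deleted 2.2.8 task set `SeRemoteInteractiveLogonRight` to `Administrators` alone on domain controllers, whereas the merged task now applies the list that ends in `Remote Desktop Users` to both roles, so domain controllers gain an RDP-logon group the benchmark's DC control does not allow. The task should keep a domain-controller branch with `Administrators` only (gated on `win2022cis_is_domain_controller`) and apply the longer list only when `win2022cis_is_domain_member`, as the other DC/MS pairs in this file do. The `win22cis_rule_2_2_8 or win22cis_rule_2_2_9` gate also means disabling either rule variable on its own no longer has any effect. The task's header and the start of its `users` list are in the previous hunk.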
@@ -192,12 +194,13 @@ users: [] action: set when: - - rule_2_2_14 + - win22cis_rule_2_2_14 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.14 - - automated + - patch + - userrights - name: "2.2.15 | PATCH | Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" ansible.windows.win_user_right: @@ -209,12 +212,13 @@ - Service action: set when: - - rule_2_2_15 + - win22cis_rule_2_2_15 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.15 - - automated + - patch + - userrights - name: "2.2.16 | PATCH | Ensure Create permanent shared objects is set to No One" ansible.windows.win_user_right: 
@@ -222,36 +226,40 @@ users: [] action: set when: - - rule_2_2_16 + - win22cis_rule_2_2_16 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.16 - - automated + - patch + - userrights -- name: "2.2.17 | PATCH | Ensure Create symbolic links is set to Administrators DC only" +- name: "2.2.17 | PATCH | Ensure Create symbolic links is set to Administrators DC only | Domain Controller" ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_17 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_17 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.17 - - automated + - patch + - userrights -- name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" +- name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINE-Virtual Machines MS only | Member Server" block: - - name: "2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v" + - name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINE-Virtual Machines | Without Hyper-v | Member Server" ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege - users: Administrators + users: + - Administrators action: set when: not win22cis_hyperv_installed - - name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v" + - name: "2.2.18 | PATCH | Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINE-Virtual Machines MS only | With Hyper-v | Member Server" ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege users: 
@@ -260,112 +268,123 @@ action: set when: win22cis_hyperv_installed when: - - rule_2_2_18 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_18 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.2.18 - - automated + - patch + - userrights - name: "2.2.19 | PATCH | Ensure Debug programs is set to Administrators" ansible.windows.win_user_right: name: SeDebugPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_19 + - win22cis_rule_2_2_19 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.19 - - automated + - patch + - userrights -# Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes -- name: "2.2.20 | PATCH | Ensure Deny access to this computer from the network to include Guests DC only" +- name: "2.2.20 | PATCH | Ensure Deny access to this computer from the network to include Guests DC only | Domain Controller" ansible.windows.win_user_right: name: SeDenyNetworkLogonRight - users: Guests - action: set + users: + - Guests + action: add when: - - rule_2_2_20 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_20 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.20 - - automated + - patch + - userrights -- name: "2.2.21 | PATCH | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" +- name: "2.2.21 | PATCH | Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only | Member Server" ansible.windows.win_user_right: name: SeDenyNetworkLogonRight users: - Guests - # - Local Account - # - Administrators - action: set + - Local Account + - Administrators + action: add when: - - rule_2_2_21 - - ansible_windows_domain_member - - "'domain controller' not in ansible_windows_domain_role" + - 
win22cis_rule_2_2_21 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.2.21 - - automated + - patch + - userrights - name: "2.2.22 | PATCH | Ensure Deny log on as a batch job to include Guests" ansible.windows.win_user_right: name: SeDenyBatchLogonRight - users: Guests - action: set + users: + - Guests + action: add when: - - rule_2_2_22 + - win22cis_rule_2_2_22 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.22 - - automated + - patch + - userrights - name: "2.2.23 | PATCH | Ensure Deny log on as a service to include Guests" ansible.windows.win_user_right: name: SeDenyServiceLogonRight - users: Guests - action: set + users: + - Guests + action: add when: - - rule_2_2_23 + - win22cis_rule_2_2_23 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.23 - - automated + - patch + - userrights - name: "2.2.24 | PATCH | Ensure Deny log on locally to include Guests" ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight - users: Guests - action: set + users: + - Guests + action: add when: - - rule_2_2_24 + - win22cis_rule_2_2_24 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.24 - - automated + - patch + - userrights -- name: "2.2.25 | PATCH | Ensure Deny log on through Remote Desktop Services to include Guests DC only" +- name: "2.2.25 | PATCH | Ensure Deny log on through Remote Desktop Services to include Guests DC only | Domain Controller" ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight users: - Guests # - Local Account - action: set + action: add when: - - rule_2_2_25 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_25 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.25 - - automated + - patch + - guest -- name: "2.2.26 | PATCH | Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" +- name: "2.2.26 | PATCH | Ensure Deny log on through Remote Desktop Services is set to 
Guests Local account MS only | Member Server" ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight users: 
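Review bot: 2.2.21 now adds `Local Account` and `Administrators` as two separate principals to `SeDenyNetworkLogonRight` on member servers, which denies network logon (type 3, including WinRM) to every member of the local Administrators group, domain administrators included, and can cut off the account this playbook connects with; the comment removed above the old task recorded exactly that concern. The benchmark entry is the single well-known principal `Local account and member of Administrators group` (S-1-5-114), not the pair `Local Account` + `Administrators`, so the list should be `- Guests` and `- Local account and member of Administrators group` (or its SID, which I believe `win_user_right` accepts in `users`). Switching 2.2.20 through 2.2.24 from `set` to `add` fits controls worded "to include", but it also means principals already present in the deny right are never removed, which is worth a one-line comment on the first of them.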
@@ -373,53 +392,58 @@ - Local Account action: set when: - - rule_2_2_26 - - ansible_windows_domain_member - - "'domain controller' not in ansible_windows_domain_role" + - win22cis_rule_2_2_26 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.2.26 - - automated + - patch + - guest -- name: "2.2.27 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" +- name: "2.2.27 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only | Domain Controller" ansible.windows.win_user_right: name: SeEnableDelegationPrivilege users: Administrators action: set when: - - rule_2_2_27 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_27 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.27 - - automated + - patch + - userrights + - administrators -- name: "2.2.28 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" +- name: "2.2.28 | PATCH | Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only | Member Server" ansible.windows.win_user_right: name: SeEnableDelegationPrivilege users: [] action: set when: - - rule_2_2_28 - - ansible_windows_domain_member - - "'domain controller' not in ansible_windows_domain_role" + - win22cis_rule_2_2_28 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.2.28 - - automated + - patch + - userrights - name: "2.2.29 | PATCH | Ensure Force shutdown from a remote system is set to Administrators" ansible.windows.win_user_right: name: SeRemoteShutdownPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_29 + - win22cis_rule_2_2_29 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.29 - - automated + - patch + - userrights + - administrators - name: "2.2.30 | PATCH | Ensure Generate security audits is set 
to LOCAL SERVICE NETWORK SERVICE" ansible.windows.win_user_right: @@ -429,14 +453,16 @@ - Network Service action: set when: - - rule_2_2_30 + - win22cis_rule_2_2_30 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.30 - - automated + - patch + - userrights + - services -- name: "2.2.31 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" +- name: "2.2.31 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only | Domain Controller" ansible.windows.win_user_right: name: SeImpersonatePrivilege users: @@ -446,14 +472,17 @@ - Service action: set when: - - rule_2_2_31 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_31 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.31 - - automated + - patch + - userrights + - services + - administrators -- name: "2.2.32 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" +- name: "2.2.32 | PATCH | Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only | Member Server" ansible.windows.win_user_right: name: SeImpersonatePrivilege users: 
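Review bot: 2.2.27 keeps `users: Administrators` as a plain scalar while the same commit rewrites 2.2.29 (and 2.2.34, 2.2.40 and later tasks) into the one-item list form `users:` / `- Administrators`; 2.2.36 in the `@@ -504` hunk has the same leftover. The scalar form has evidently worked with `win_user_right` so far, so this is consistency only, but converting the two remaining scalars would make the section uniform and easier to diff.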
@@ -464,13 +493,15 @@ - Service action: set when: - - rule_2_2_32 - - ansible_windows_domain_member - - "'domain controller' not in ansible_windows_domain_role" + - win22cis_rule_2_2_32 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.2.32 - - automated + - patch + - userrights + - administrators + - services - name: "2.2.33 | PATCH | Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" ansible.windows.win_user_right: @@ -478,25 +509,28 @@ users: "{{ win22cis_increase_scheduling_priority_users }}" action: set when: - - rule_2_2_33 + - win22cis_rule_2_2_33 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.33 - - automated + - patch + - userrights - name: "2.2.34 | PATCH | Ensure Load and unload device drivers is set to Administrators" ansible.windows.win_user_right: name: SeLoadDriverPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_34 + - win22cis_rule_2_2_34 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.34 - - automated + - patch + - userrights - name: "2.2.35 | PATCH | Ensure Lock pages in memory is set to No One" ansible.windows.win_user_right: 
@@ -504,42 +538,72 @@ users: [] action: set when: - - rule_2_2_35 + - win22cis_rule_2_2_35 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.35 - - automated + - patch + - userrights -- name: "2.2.36 | PATCH | Ensure Log on as a batch job is set to Administrators DC Only" +- name: "2.2.36 | PATCH | Ensure Log on as a batch job is set to Administrators DC Only | Domain Controller" ansible.windows.win_user_right: name: SeBatchLogonRight users: Administrators action: set when: - - rule_2_2_36 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_36 + - win2022cis_is_domain_controller tags: - level2-domaincontroller - rule_2.2.36 - - automated + - patch + - userrights + - administrators + +- name: "2.2.37 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only | Domain Controller" + block: + - name: "2.2.37 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only | Set Non-Exchange Server Groups | Domain Controller" + ansible.windows.win_user_right: + name: SeSecurityPrivilege + users: + - Administrators + action: set + when: not win22cis_exchange_server_running -- name: | - "2.2.37 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" - "2.2.38 | PATCH | Ensure Manage auditing and security log is set to Administrators MS only" + - name: "2.2.37 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only | Set Exchange Server Groups | Domain Controller" + ansible.windows.win_user_right: + name: SeSecurityPrivilege + users: + - Administrators + - Exchange Servers + action: set + when: win22cis_exchange_server_running + when: + - win22cis_rule_2_2_37 + - 
win2022cis_is_domain_controller + tags: + - level1-domaincontroller + - rule_2.2.37 + - patch + - userrights + - administrators + +- name: "2.2.38 | PATCH | Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only | Domain Controller" ansible.windows.win_user_right: name: SeSecurityPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_37 or - rule_2_2_38 + - win22cis_rule_2_2_38 + - win2022cis_is_domain_controller tags: - - level1-domaincontroller - level1-memberserver - - rule_2.2.37 - rule_2.2.38 - - automated + - patch + - userrights + - administrators - name: "2.2.39 | PATCH | Ensure Modify an object label is set to No One" ansible.windows.win_user_right: 
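Review bot: The new 2.2.38 task is gated on `- win2022cis_is_domain_controller` but tagged `level1-memberserver`, so it never runs on a member server, and on a domain controller it re-sets SeSecurityPrivilege to Administrators only, undoing the Exchange Servers entry 2.2.37 applied just before it. The removed combined task named this control `2.2.38 | PATCH | Ensure Manage auditing and security log is set to Administrators MS only`, so the intended condition is `- win2022cis_is_domain_member` and the name should end `... is set to Administrators MS only | Member Server`, matching the pattern used for 2.2.28 and 2.2.32.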
@@ -547,53 +611,63 @@ users: [] action: set when: - - rule_2_2_39 + - win22cis_rule_2_2_39 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.39 - - automated + - patch + - userrights - name: "2.2.40 | PATCH | Ensure Modify firmware environment values is set to Administrators" ansible.windows.win_user_right: name: SeSystemEnvironmentPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_40 + - win22cis_rule_2_2_40 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.40 - - automated + - patch + - userrights + - administrators - name: "2.2.41 | PATCH | Ensure Perform volume maintenance tasks is set to Administrators" ansible.windows.win_user_right: name: SeManageVolumePrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_41 + - win22cis_rule_2_2_41 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.41 - - automated + - patch + - userrights + - administrators - name: "2.2.42 | PATCH | Ensure Profile single process is set to Administrators" ansible.windows.win_user_right: name: SeProfileSingleProcessPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_42 + - win22cis_rule_2_2_42 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.42 - - automated + - patch + - userrights + - administrators -- name: "2.2.43 | PATCH | Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" +- name: "2.2.43 | PATCH | Ensure Profile system performance is set to Administrators NT SERVICE.WdiServiceHost" ansible.windows.win_user_right: name: SeSystemProfilePrivilege users: 
@@ -601,12 +675,15 @@ - NT SERVICE\WdiServiceHost action: set when: - - rule_2_2_43 + - win22cis_rule_2_2_43 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.43 - - automated + - patch + - userrights + - administrator + - service - name: "2.2.44 | PATCH | Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" ansible.windows.win_user_right: 
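Review bot: The tags added to 2.2.43 are `administrator` and `service`, whereas 2.2.29 through 2.2.42 use `administrators` and `services`, and the next hunk (2.2.45 to 2.2.48) switches to `userright`/`administrator` after every earlier task used `userrights`/`administrators`; a run with `--tags userrights` or `--tags administrators` would silently skip those tasks. Pick the plural forms used first in the file and apply them to 2.2.43 through 2.2.48.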
@@ -616,173 +693,213 @@ - NETWORK SERVICE action: set when: - - rule_2_2_44 + - win22cis_rule_2_2_44 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.44 - - automated + - patch + - userrights + - service - name: "2.2.45 | PATCH | Ensure Restore files and directories is set to Administrators" ansible.windows.win_user_right: name: SeRestorePrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_45 + - win22cis_rule_2_2_45 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.45 - - automated + - patch + - userright + - administrator - name: "2.2.46 | PATCH | Ensure Shut down the system is set to Administrators" ansible.windows.win_user_right: name: SeShutdownPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_46 + - win22cis_rule_2_2_46 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.46 - - automated + - patch + - userright + - administrator -- name: "2.2.47 | PATCH | Ensure Synchronize directory service data is set to No One DC only" +- name: "2.2.47 | PATCH | Ensure Synchronize directory service data is set to No One DC only | Domain Controller" ansible.windows.win_user_right: name: SeSyncAgentPrivilege users: [] action: set when: - - rule_2_2_47 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_2_47 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.2.47 - - automated + - patch + - userright - name: "2.2.48 | PATCH | Ensure Take ownership of files or other objects is set to Administrators" ansible.windows.win_user_right: name: SeTakeOwnershipPrivilege - users: Administrators + users: + - Administrators action: set when: - - rule_2_2_48 + - win22cis_rule_2_2_48 tags: - level1-domaincontroller - level1-memberserver - rule_2.2.48 - - automated - -- name: "2.3.1.1 | PATCH | Ensure Accounts Administrator account status is set to Disabled MS only" - ansible.builtin.win_security_policy: - 
section: System Access - key: EnableAdminAccount - value: 0 - when: - - rule_2_3_1_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1-memberserver - - rule_2.3.1.1 - - automated + - patch + - userright + - administrator -- name: "2.3.1.2 | PATCH | Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" +- name: "2.3.1.1 | PATCH | Ensure Accounts Block Microsoft accounts is set to Users can not add or log on with Microsoft accounts" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: NoConnectedUser data: 3 type: dword when: - - rule_2_3_1_2 + - win22cis_rule_2_3_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_2.3.1.2 - - automated + - rule_2.3.1.1 + - patch + - securitypolicy -- name: "2.3.1.3 | PATCH | Ensure Accounts Guest account status is set to Disabled MS only" - ansible.builtin.win_security_policy: +- name: "2.3.1.2 | PATCH | Ensure Accounts Guest account status is set to Disabled MS only | Member Server" + community.windows.win_security_policy: section: System Access key: EnableGuestAccount value: 0 when: - - rule_2_3_1_3 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_3_1_2 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_2.3.1.3 - - automated + - rule_2.3.1.2 + - patch + - securitypolicy -- name: "2.3.1.4 | PATCH | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" +- name: "2.3.1.3 | PATCH | Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LimitBlankPasswordUse data: 1 type: dword when: - - rule_2_3_1_4 + - win22cis_rule_2_3_1_3 tags: - level1-domaincontroller - level1-memberserver - - rule_2.3.1.4 - - automated + - rule_2.3.1.3 + - patch + - account -- name: 
"2.3.1.5 | PATCH | Configure Accounts Rename administrator account" - ansible.builtin.win_security_policy: - section: System Access - key: newadministratorname - value: "{{ win22cis_admin_username }}" - when: - - rule_2_3_1_5 +- name: "2.3.1.4 | PATCH | Configure Accounts Rename administrator account" + block: + - name: "2.3.1.4 | AUDIT | Configure Accounts Rename administrator account. | Warning Msg For Default Variable Not Edited." + ansible.builtin.debug: + msg: + - "Warning!! You have not changed the default admin username in win22cis_admin_username please" + - "make the necessary change to the variable to be in compliance." + when: "'adminchangethis' in win22cis_admin_username" + + - name: "2.3.1.4 | AUDIT | Configure Accounts Rename administrator account. | Add Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.1.4' + when: "'adminchangethis' in win22cis_admin_username" + + - name: "2.3.1.4 | PATCH | Configure Accounts Rename administrator account. | Make Changes To Admin Name." + community.windows.win_security_policy: + section: System Access + key: newadministratorname + value: "{{ win22cis_admin_username }}" + when: "'adminchangethis' not in win22cis_admin_username" + when: + - win22cis_rule_2_3_1_4 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_2.3.1.5 - - automated + - rule_2.3.1.4 + - patch + - securitypolicy -- name: "2.3.1.6 | PATCH | Configure Accounts Rename guest account" - ansible.builtin.win_security_policy: - section: System Access - key: NewGuestName - value: "{{ win22cis_guest_username }}" - when: - - rule_2_3_1_6 +- name: "2.3.1.5 | PATCH | Configure Accounts Rename guest account" + block: + - name: "2.3.1.5 | AUDIT | Configure Accounts Rename guest account. | Warning Msg For Default Variable Not Edited." + ansible.builtin.debug: + msg: + - "Warning!! 
You have not changed the default guest name in win22cis_guest_username please" + - "make the necessary change to the variable to be in compliance." + when: "'guestchangethis' in win22cis_guest_username" + + - name: "2.3.1.5 | AUDIT | Configure Accounts Rename guest account. | Add Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.1.5' + when: "'guestchangethis' in win22cis_guest_username" + + - name: "2.3.1.5 | AUDIT | Configure Accounts Rename guest account. | Make Changes To Guest Name." + community.windows.win_security_policy: + section: System Access + key: NewGuestName + value: "{{ win22cis_guest_username }}" + when: "'guestchangethis' not in win22cis_guest_username" + when: + - win22cis_rule_2_3_1_5 tags: - level1-domaincontroller - level1-memberservers - - rule_2.3.1.6 - - automated + - rule_2.3.1.5 + - patch + - securitypolicy - name: "2.3.2.1 | PATCH | Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\System\CurrentControlSet\Control\Lsa name: SCENoApplyLegacyAuditPolicy data: 1 type: dword when: - - rule_2_3_2_1 + - win22cis_rule_2_3_2_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.2.1 - - automated + - patch + - auditpolicy - name: "2.3.2.2 | PATCH | Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa + path: HKLM:\System\CurrentControlSet\Control\Lsa name: CrashOnAuditFail data: 0 type: dword when: - - rule_2_3_2_2 + - win22cis_rule_2_3_2_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.2.2 - - automated + - patch + - auditpolicy - name: "2.3.4.1 | PATCH | Ensure Devices Allowed to format and eject removable media is set to Administrators" 
ansible.windows.win_regedit: @@ -791,12 +908,13 @@ data: 0 type: string when: - - rule_2_3_4_1 + - win22cis_rule_2_3_4_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.4.1 - - automated + - patch + - devices - name: "2.3.4.2 | PATCH | Ensure Devices Prevent users from installing printer drivers is set to Enabled" ansible.windows.win_regedit: 
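Review bot: The third task of the 2.3.1.5 block is named `2.3.1.5 | AUDIT | Configure Accounts Rename guest account. | Make Changes To Guest Name.` but it calls `community.windows.win_security_policy` and changes the policy, so the label should be `PATCH`, as it is for the parallel task in 2.3.1.4. 2.3.1.4 also keeps `- not win_skip_for_test` on its outer `when` while 2.3.1.5 has no such guard; if that guard exists to keep test runs from renaming built-in accounts, the guest rename presumably needs it too. The `level1-memberservers` tag on 2.3.1.5 (an unchanged line) differs from `level1-memberserver` used everywhere else, so `--tags level1-memberserver` skips this control.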
@@ -805,82 +923,88 @@ data: 1 type: dword when: - - rule_2_3_4_2 + - win22cis_rule_2_3_4_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.4.2 - - automated + - patch + - devices -- name: "2.3.5.1 | PATCH | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" +- name: "2.3.5.1 | PATCH | Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only | Domain Controller" ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: SubmitControl data: 0 type: dword when: - - rule_2_3_5_1 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_3_5_1 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.1 - - automated + - patch + - scheduledtasks -- name: "2.3.5.2 | PATCH | Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only)" +- name: "2.3.5.2 | PATCH | Ensure Domain controller Allow vulnerable Netlogon secure channel connections is set to Not Configured DC only | Domain Controller" ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NetLogon\Parameters - name: VulnerableChannleAllowList + path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + name: VulnerableChannelAllowList data: 0 type: dword when: - - rule_2_3_5_2 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_3_5_2 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.2 - - automated + - patch + - logon -- name: "2.3.5.3 | PATCH | Ensure Domain controller LDAP server channel binding token requirements is set to Always DC only" +- name: "2.3.5.3 | PATCH | Ensure Domain controller LDAP server channel binding token requirements' is set to Always DC only | Domain Controller" ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters name: 
LdapEnforceChannelBinding - data: 0 + data: 2 type: dword when: - - rule_2_3_5_3 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_3_5_3 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.3 - - automated + - patch + - ladp -- name: "2.3.5.4 | PATCH | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" +- name: "2.3.5.4 | PATCH | Ensure Domain controller LDAP server signing requirements is set to Require signing DC only | Domain Controller" ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters name: LDAPServerIntegrity data: 2 type: dword when: - - rule_2_3_5_4 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_3_5_4 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.4 - - automated + - patch + - ladp -- name: "2.3.5.5 | PATCH | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" +- name: "2.3.5.5 | PATCH | Ensure Domain controller Refuse machine account password changes is set to Disabled DC only | Domain Controller" ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters name: RefusePasswordChange data: 0 type: dword when: - - rule_2_3_5_5 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_3_5_5 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.5.5 - - automated + - patch + - account - name: "2.3.6.1 | PATCH | Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" ansible.windows.win_regedit: 
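Review bot: 2.3.5.2's title says the Netlogon `VulnerableChannelAllowList` setting must be Not Configured, but the task writes `data: 0` with `type: dword`, which creates the value rather than leaving it absent; with `win_regedit` the matching change is `state: absent` in place of the data/type pair (Microsoft documents that value as an SDDL string, so a DWORD 0 is not its expected shape either — worth confirming against the benchmark text). The rename from the misspelt `VulnerableChannleAllowList` also leaves the old value behind on hosts remediated by the previous release; a second task removing that name would clean it up. In 2.3.5.3 and 2.3.5.4 the new tag is spelt `ladp`; `ldap` is presumably intended.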
@@ -889,73 +1013,103 @@ data: 1 type: dword when: - - rule_2_3_6_1 + - win22cis_rule_2_3_6_1 - not ansible_windows_domain_role == "Primary domain controller" + - not win2022cis_is_standalone tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.1 - - automated + - patch + - encryption - name: "2.3.6.2 | PATCH | Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: sealsecurechannel + name: SealSecureChannel data: 1 type: dword when: - - rule_2_3_6_2 + - win22cis_rule_2_3_6_2 - not ansible_windows_domain_role == "Primary domain controller" + - not win2022cis_is_standalone tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.2 - - automated + - patch + - encryption - name: "2.3.6.3 | PATCH | Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: signsecurechannel + name: SignSecureChannel data: 1 type: dword when: - - rule_2_3_6_3 + - win22cis_rule_2_3_6_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.3 - - automated + - patch + - logon - name: "2.3.6.4 | PATCH | Ensure Domain member Disable machine account password changes is set to Disabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: disablepasswordchange + name: DisablePasswordChange data: 0 type: dword when: - - rule_2_3_6_4 + - win22cis_rule_2_3_6_4 - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.4 - - automated + - patch + - logon - name: "2.3.6.5 | PATCH | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" - ansible.windows.win_regedit: - 
path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: MaximumPasswordAge - data: "{{ win22cis_machine_acct_pw_age }}" - type: dword - when: - - rule_2_3_6_5 + block: + - name: "2.3.6.5 | AUDIT | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of days set for win22cis_domain_member_maximum_password_age please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_domain_member_maximum_password_age > 30 or + win22cis_domain_member_maximum_password_age == 0 + + - name: "2.3.6.5 | AUDIT | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.6.5' + when: + - win22cis_domain_member_maximum_password_age > 30 or + win22cis_domain_member_maximum_password_age == 0 + + - name: "2.3.6.5 | PATCH | Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0. | Apply Settings To Registry." + ansible.windows.win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: MaximumPasswordAge + data: "{{ win22cis_domain_member_maximum_password_age }}" + type: dword + when: + - win22cis_domain_member_maximum_password_age <= 30 + - win22cis_domain_member_maximum_password_age > 0 + when: + - win22cis_rule_2_3_6_5 - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.5 - - automated + - patch + - account - name: "2.3.6.6 | PATCH | Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" ansible.windows.win_regedit: 
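Review bot: `- not win2022cis_is_standalone` is added to 2.3.6.1 and 2.3.6.2 only, while 2.3.6.3, 2.3.6.4, 2.3.6.5 and (in the next hunk) 2.3.6.6 keep running on standalone hosts although all six Domain member controls have the same applicability; either add the line to each or drop it from the two. These tasks also still gate on the raw `- not ansible_windows_domain_role == "Primary domain controller"` comparison while the rest of the commit moves to the `win2022cis_is_domain_controller` fact; `- not win2022cis_is_domain_controller` would keep the section consistent and, if that fact also covers backup domain controllers, would stop those hosts receiving member-server settings.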
@@ -964,139 +1118,212 @@ data: 1 type: dword when: - - rule_2_3_6_6 + - win22cis_rule_2_3_6_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver - rule_2.3.6.6 - - automated + - patch + - logon -- name: "2.3.7.1 | PATCH | Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" +- name: "2.3.7.1 | PATCH | Ensure Interactive logon Do not require CTRL+ALT+DEL is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableCAD data: 0 type: dword when: - - rule_2_3_7_1 + - win22cis_rule_2_3_7_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.7.1 - - automated + - patch + - logon -- name: "2.3.7.2 | PATCH | Ensure Interactive logon Dont display last signed-in is set to Enabled" +- name: "2.3.7.2 | PATCH | Ensure Interactive logon Do not display last signed-in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DontDisplayLastUserName data: 1 type: dword when: - - rule_2_3_7_2 + - win22cis_rule_2_3_7_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.7.2 - - automated + - patch + - logon - name: "2.3.7.3 | PATCH | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" - ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: InactivityTimeoutSecs - data: "{{ win22cis_inactivity_timeout }}" - type: dword - when: - - rule_2_3_7_3 + block: + - name: "2.3.7.3 | AUDIT | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! 
You have an invalid number of seconds set for win22cis_inactivity_timeout_seconds please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_inactivity_timeout_seconds > 900 or + win22cis_inactivity_timeout_seconds == 0 + + - name: "2.3.7.3 | AUDIT | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.7.3' + when: + - win22cis_inactivity_timeout_seconds > 900 or + win22cis_inactivity_timeout_seconds == 0 + + - name: "2.3.7.3 | PATCH | Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0. | Apply Settings To Registry." + ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: InactivityTimeoutSecs + data: "{{ win22cis_inactivity_timeout_seconds }}" + type: dword + when: + - win22cis_inactivity_timeout_seconds <= 900 + - win22cis_inactivity_timeout_seconds > 0 + when: + - win22cis_rule_2_3_7_3 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.7.3 - - automated + - patch + - logon - name: "2.3.7.4 | PATCH | Configure Interactive logon Message text for users attempting to log on" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeText - data: "{{ win22cis_legalnoticetext }}" + data: "{{ win22cis_legal_notice }}" type: string when: - - rule_2_3_7_4 + - win22cis_rule_2_3_7_4 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.7.4 - - automated + - patch + - logon - name: "2.3.7.5 | PATCH | Configure Interactive logon Message title for users attempting to log on" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeCaption - data: "{{ win22cis_legalnoticecaption }}" + data: "{{ win22cis_legal_notice_caption }}" 
type: string when: - - rule_2_3_7_5 + - win22cis_rule_2_3_7_5 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.7.5 - - automated + - patch + - logon -- name: "2.3.7.6 | PATCH | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" - ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: cachedlogonscount - data: "{{ win22cis_cached_logons_count }}" - type: string - when: - - rule_2_3_7_6 - - "'domain controller' not in ansible_windows_domain_role" +- name: "2.3.7.6 | PATCH | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only | Member Server" + block: + - name: "2.3.7.6 | AUDIT| Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only | Warning Check For Variable Standards | Member Server" + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of logons set for win22cis_cached_logons_count please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_cached_logons_count > 4 + + - name: "2.3.7.6 | AUDIT | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only | Warn Count | Member Server" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.7.6' + when: win22cis_cached_logons_count > 4 + + - name: "2.3.7.6 | PATCH | Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only. 
| Apply Settings To Registry | Member Server" + ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: CachedLogonsCount + data: "{{ win22cis_cached_logons_count }}" + type: string + when: win22cis_cached_logons_count <= 4 + when: + - win22cis_rule_2_3_7_6 + - win2022cis_is_domain_member tags: - level2-memberserver - rule_2.3.7.6 - - automated + - patch + - logon - name: "2.3.7.7 | PATCH | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" - ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: PasswordExpiryWarning - data: "{{ win22cis_passwd_expiry_warn }}" - type: dword - when: - - rule_2_3_7_7 + block: + - name: "2.3.7.7 | AUDIT | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of days set for win22cis_password_expiry_warning_days please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_password_expiry_warning_days < 5 or + win22cis_password_expiry_warning_days > 14 + + - name: "2.3.7.7 | AUDIT | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.7.7' + when: + - win22cis_password_expiry_warning_days < 5 or + win22cis_password_expiry_warning_days > 14 + + - name: "2.3.7.7 | PATCH | Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days. | Apply Settings To Registry." 
+ ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: PasswordExpiryWarning + data: "{{ win22cis_password_expiry_warning_days }}" + type: dword + when: + - win22cis_password_expiry_warning_days >= 5 + - win22cis_password_expiry_warning_days <= 14 + when: + - win22cis_rule_2_3_7_7 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.7.7 - - automated + - patch + - logon -- name: "2.3.7.8 | PATCH | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" +- name: "2.3.7.8 | PATCH | Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: ForceUnlockLogon data: 1 type: dword when: - - rule_2_3_7_8 - - ansible_windows_domain_role == "Member server" + - win22cis_rule_2_3_7_8 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.3.7.8 - - automated + - patch + - logon - name: "2.3.7.9 | PATCH | Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: scremoveoption - data: "{{ win22cis_smartc_remove_option }}" + name: ScRemoveOption + data: 1 type: string when: - - rule_2_3_7_9 + - win22cis_rule_2_3_7_9 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.7.9 - - automated + - patch + - logon - name: "2.3.8.1 | PATCH | Ensure Microsoft network client Digitally sign communications always is set to Enabled" ansible.windows.win_regedit: 
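Review bot: 2.3.7.9 replaces `data: "{{ win22cis_smartc_remove_option }}"` with a hard-coded `data: 1`, although the control title allows Lock Workstation or higher, so users who previously selected a stricter behaviour via the variable now silently fall back to Lock Workstation; if dropping the variable is intended it deserves a mention in the commit message, otherwise keep the variable and validate it the way the other blocks in this hunk validate theirs. In the 2.3.7.3, 2.3.7.6 and 2.3.7.7 blocks the same out-of-range `when` expression is written twice, once on the debug and once on the import_tasks; wrapping those two tasks in a nested `block:` that carries the condition once would stop the two copies drifting apart.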
@@ -1105,12 +1332,13 @@ data: 1 type: dword when: - - rule_2_3_8_1 + - win22cis_rule_2_3_8_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.8.1 - - automated + - patch + - logon - name: "2.3.8.2 | PATCH | Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" ansible.windows.win_regedit: @@ -1119,12 +1347,13 @@ data: 1 type: dword when: - - rule_2_3_8_2 + - win22cis_rule_2_3_8_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.8.2 - - automated + - patch + - logon - name: "2.3.8.3 | PATCH | Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" ansible.windows.win_regedit: 
@@ -1133,123 +1362,150 @@ data: 0 type: dword when: - - rule_2_3_8_3 + - win22cis_rule_2_3_8_3 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.8.3 - - automated + - patch + - encryption - name: "2.3.9.1 | PATCH | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" - ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: autodisconnect - data: "{{ win22cis_auto_disconnect }}" - type: dword + block: + - name: "2.3.9.1 | AUDIT | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of minutes set for win22cis_smb_auto_disconnect_time please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_smb_auto_disconnect_time > 15 + + - name: "2.3.9.1 | AUDIT | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '2.3.7.7' + when: win22cis_smb_auto_disconnect_time > 15 + + - name: "2.3.9.1 | PATCH | Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes. | Apply Settings To Registry." 
+ ansible.windows.win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: AutoDisconnect + data: "{{ win22cis_smb_auto_disconnect_time }}" + type: dword + when: win22cis_smb_auto_disconnect_time <= 15 when: - - rule_2_3_9_1 + - win22cis_rule_2_3_9_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.9.1 - - automated + - patch + - account - name: "2.3.9.2 | PATCH | Ensure Microsoft network server Digitally sign communications always is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: requiresecuritysignature + name: RequireSecuritySignature data: 1 type: dword when: - - rule_2_3_9_2 + - win22cis_rule_2_3_9_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.9.2 - - automated + - patch + - account - name: "2.3.9.3 | PATCH | Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enablesecuritysignature + name: EnableSecuritySignature data: 1 type: dword when: - - rule_2_3_9_3 + - win22cis_rule_2_3_9_3 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.9.3 - - automated + - patch + - account - name: "2.3.9.4 | PATCH | Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enableforcedlogoff + name: EnableForcedLogoff data: 1 type: dword when: - - rule_2_3_9_4 + - win22cis_rule_2_3_9_4 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.9.4 - - automated + - patch + - account -- name: "2.3.9.5 | PATCH | Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" +- name: "2.3.9.5 | PATCH | Ensure Microsoft network server Server SPN target name 
validation level is set to Accept if provided by client or higher | Member Server" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: SMBServerNameHardeningLevel data: 1 type: dword when: - - rule_2_3_9_5 - - ansible_windows_domain_role == "Member server" + - win22cis_rule_2_3_9_5 + - win2022cis_is_domain_member + - not win2022cis_is_standalone tags: - level1-memberserver - rule_2.3.9.5 - - automated + - patch + - account -- name: "2.3.10.1 | PATCH | Ensure Network access Allow anonymous SIDName translation is set to Disabled" - ansible.builtin.win_security_policy: +- name: "2.3.10.1 | PATCH | Ensure Network access Allow anonymous SID/Name translation is set to Disabled" + community.windows.win_security_policy: section: System Access key: LSAAnonymousNameLookup value: 0 when: - - rule_2_3_10_1 + - win22cis_rule_2_3_10_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.10.1 - - automated + - patch + - securitypolicy -- name: "2.3.10.2 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" +- name: "2.3.10.2 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: RestrictAnonymousSAM data: 1 type: dword when: - - rule_2_3_10_2 - - ansible_windows_domain_role == "Member server" + - win22cis_rule_2_3_10_2 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.2 - - automated + - patch + - sam -- name: "2.3.10.3 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" +- name: "2.3.10.3 | PATCH | Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: 
RestrictAnonymous data: 1 type: dword when: - - rule_2_3_10_3 - - ansible_windows_domain_role == "Member server" + - win22cis_rule_2_3_10_3 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.3 - - automated + - patch + - sam - name: "2.3.10.4 | PATCH | Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" ansible.windows.win_regedit: @@ -1258,12 +1514,13 @@ data: 1 type: dword when: - - rule_2_3_10_4 + - win22cis_rule_2_3_10_4 tags: - level2-domaincontroller - level2-memberserver - rule_2.3.10.4 - - automated + - patch + - accounts - name: "2.3.10.5 | PATCH | Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" ansible.windows.win_regedit: 
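Review bot: The 2.3.9.1 "Warn Count" task in this hunk passes `warn_control_id: '2.3.7.7'` to warning_facts.yml, which looks like a copy-paste from the 2.3.7.7 block; an out-of-range win22cis_smb_auto_disconnect_time would then be recorded against the wrong control. Change it to `warn_control_id: '2.3.9.1'`. Note also that when the value is above 15 the AutoDisconnect registry write is skipped entirely and the host is left at whatever it had before, which is presumably the intended fail-open behaviour but is worth stating in the variable's notes.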
@@ -1272,68 +1529,71 @@ data: 0 type: dword when: - - rule_2_3_10_5 + - win22cis_rule_2_3_10_5 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.10.5 - - automated + - patch + - accounts -- name: "2.3.10.6 | PATCH | Configure Network access Named Pipes that can be accessed anonymously DC only" +- name: "2.3.10.6 | PATCH | Configure Network access Named Pipes that can be accessed anonymously DC only | Domain Controller" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes data: "" type: multistring when: - - rule_2_3_10_6 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_2_3_10_6 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_2.3.10.6 - - automated + - patch + - namedpipes -- name: "2.3.10.7 | PATCH | Configure Network access Named Pipes that can be accessed anonymously MS only" +- name: "2.3.10.7 | PATCH | Configure Network access Named Pipes that can be accessed anonymously MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes data: "" type: multistring when: - - rule_2_3_10_7 - - ansible_windows_domain_role == "Member server" + - win22cis_rule_2_3_10_7 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.7 - - automated + - patch + - namedpipes -- name: "2.3.10.8 | PATCH | Configure Network access Remotely accessible registry paths is configured" +- name: "2.3.10.8 | PATCH | Configure Network access Remotely accessible registry paths" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths name: "Machine" data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] type: multistring when: - - rule_2_3_10_8 + - win22cis_rule_2_3_10_8 tags: - 
level1-domaincontroller - level1-memberserver - rule_2.3.10.8 - - automated + - patch -- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths is configured" +- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths name: "Machine" - data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] + data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog'] type: multistring when: - - rule_2_3_10_9 + - win22cis_rule_2_3_10_9 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.10.9 - - automated + - patch - name: "2.3.10.10 | PATCH | Ensure Network access Restrict anonymous access to Named 
Pipes and Shares is set to Enabled" ansible.windows.win_regedit: @@ -1342,26 +1602,28 @@ data: 1 type: dword when: - - rule_2_3_10_10 + - win22cis_rule_2_3_10_10 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.10.10 - - automated + - patch + - namedpipes -- name: "2.3.10.11 | PATCH | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" +- name: "2.3.10.11 | PATCH | Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: RestrictRemoteSAM data: "O:BAG:BAD:(A;;RC;;;BA)" type: string when: - - rule_2_3_10_11 - - ansible_windows_domain_role == "Member server" + - win22cis_rule_2_3_10_11 + - win2022cis_is_domain_member tags: - level1-memberserver - rule_2.3.10.11 - - automated + - patch + - sam - name: "2.3.10.12 | PATCH | Ensure Network access Shares that can be accessed anonymously is set to None" ansible.windows.win_regedit: @@ -1370,12 +1632,13 @@ data: "" type: multistring when: - - rule_2_3_10_12 + - win22cis_rule_2_3_10_12 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.10.12 - - automated + - patch + - shares - name: "2.3.10.13 | PATCH | Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" ansible.windows.win_regedit: @@ -1384,12 +1647,13 @@ data: 0 type: dword when: - - rule_2_3_10_13 + - win22cis_rule_2_3_10_13 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.10.13 - - automated + - patch + - guest - name: "2.3.11.1 | PATCH | Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" ansible.windows.win_regedit: 
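Review bot: The 2.3.10.8 and 2.3.10.9 `data:` values (hunk @@ -1272) are single very long flow sequences, so the one real change here — the appended `'System\CurrentControlSet\Services\SysmonLog'` entry — is buried at the end of a line that exceeds any line-length limit and is hard to review. A block sequence with one quoted path per line would diff cleanly and let you put a short `# ...` comment above the entries that are only expected on domain controllers, if WINS and CertSvc are such entries; confirm against the benchmark text before adding that comment.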
@@ -1398,26 +1662,28 @@ data: 1 type: dword when: - - rule_2_3_11_1 + - win22cis_rule_2_3_11_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.1 - - automated + - patch + - ntlm - name: "2.3.11.2 | PATCH | Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: allownullsessionfallback + name: AllowNullSessionFallback data: 0 type: dword when: - - rule_2_3_11_2 + - win22cis_rule_2_3_11_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.2 - - automated + - patch + - localsystem - name: "2.3.11.3 | PATCH | Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" ansible.windows.win_regedit: @@ -1426,12 +1692,13 @@ data: 0 type: dword when: - - rule_2_3_11_3 + - win22cis_rule_2_3_11_3 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.3 - - automated + - patch + - authentication - name: "2.3.11.4 | PATCH | Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" ansible.windows.win_regedit: @@ -1440,12 +1707,13 @@ data: 2147483640 type: dword when: - - rule_2_3_11_4 + - win22cis_rule_2_3_11_4 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.4 - - automated + - patch + - encryption - name: "2.3.11.5 | PATCH | Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" ansible.windows.win_regedit: @@ -1454,12 +1722,13 @@ data: 1 type: dword when: - - rule_2_3_11_5 + - win22cis_rule_2_3_11_5 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.5 - - automated + - patch + - network - name: "2.3.11.6 | PATCH | Ensure Network security Force logoff when logon hours expire is set to Enabled" ansible.windows.win_regedit: 
@@ -1468,12 +1737,13 @@ data: 1 type: dword when: - - rule_2_3_11_6 + - win22cis_rule_2_3_11_6 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.6 - - manual + - patch + - network - name: "2.3.11.7 | PATCH | Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" ansible.windows.win_regedit: @@ -1482,12 +1752,13 @@ data: 5 type: dword when: - - rule_2_3_11_7 + - win22cis_rule_2_3_11_7 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.7 - - automated + - patch + - network - name: "2.3.11.8 | PATCH | Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" ansible.windows.win_regedit: @@ -1496,12 +1767,13 @@ data: 1 type: dword when: - - rule_2_3_11_8 + - win22cis_rule_2_3_11_8 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.8 - - automated + - patch + - ladp - name: "2.3.11.9 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" ansible.windows.win_regedit: @@ -1510,12 +1782,13 @@ data: 537395200 type: dword when: - - rule_2_3_11_9 + - win22cis_rule_2_3_11_9 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.9 - - automated + - patch + - ntlm - name: "2.3.11.10 | PATCH | Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" ansible.windows.win_regedit: @@ -1524,12 +1797,13 @@ data: 537395200 type: dword when: - - rule_2_3_11_10 + - win22cis_rule_2_3_11_10 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.11.10 - - automated + - patch + - ntlm - name: "2.3.13.1 | PATCH | Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" ansible.windows.win_regedit: 
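Review bot: The new tag added to 2.3.11.8 (hunk @@ -1496) is spelled `ladp`; tags drive `--tags`/`--skip-tags` selection, so a misspelled tag silently never matches and the LDAP client signing control would be left out of any tag-based run. Change it to `- ldap`. In hunk @@ -1468 the 2.3.11.6 tag changes from `manual` to `patch`; the task is a win_regedit write so `patch` fits, but confirm nothing in the role's docs still refers to it as a manual control.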
@@ -1538,12 +1812,14 @@ data: 0 type: dword when: - - rule_2_3_13_1 + - win22cis_rule_2_3_13_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.13.1 - - automated + - patch + - system + - shutdown - name: "2.3.15.1 | PATCH | Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" ansible.windows.win_regedit: @@ -1552,12 +1828,12 @@ data: 1 type: dword when: - - rule_2_3_15_1 + - win22cis_rule_2_3_15_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.15.1 - - automated + - patch - name: "2.3.15.2 | PATCH | Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" ansible.windows.win_regedit: @@ -1566,12 +1842,12 @@ data: 1 type: dword when: - - rule_2_3_15_2 + - win22cis_rule_2_3_15_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.15.2 - - automated + - patch - name: "2.3.17.1 | PATCH | Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" ansible.windows.win_regedit: @@ -1580,12 +1856,13 @@ data: 1 type: dword when: - - rule_2_3_17_1 + - win22cis_rule_2_3_17_1 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.1 - - automated + - patch + - uac - name: "2.3.17.2 | PATCH | Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" ansible.windows.win_regedit: @@ -1594,12 +1871,13 @@ data: 2 type: dword when: - - rule_2_3_17_2 + - win22cis_rule_2_3_17_2 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.2 - - automated + - patch + - uac - name: "2.3.17.3 | PATCH | Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" ansible.windows.win_regedit: 
@@ -1608,12 +1886,13 @@ data: 0 type: dword when: - - rule_2_3_17_3 + - win22cis_rule_2_3_17_3 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.3 - - automated + - patch + - uac - name: "2.3.17.4 | PATCH | Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" ansible.windows.win_regedit: @@ -1622,12 +1901,13 @@ data: 1 type: dword when: - - rule_2_3_17_4 + - win22cis_rule_2_3_17_4 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.4 - - automated + - patch + - uac - name: "2.3.17.5 | PATCH | Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" ansible.windows.win_regedit: @@ -1636,12 +1916,13 @@ data: 1 type: dword when: - - rule_2_3_17_5 + - win22cis_rule_2_3_17_5 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.5 - - automated + - patch + - uac - name: "2.3.17.6 | PATCH | Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" ansible.windows.win_regedit: @@ -1650,12 +1931,13 @@ data: 1 type: dword when: - - rule_2_3_17_6 + - win22cis_rule_2_3_17_6 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.6 - - automated + - patch + - uac - name: "2.3.17.7 | PATCH | Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" ansible.windows.win_regedit: @@ -1664,12 +1946,13 @@ data: 1 type: dword when: - - rule_2_3_17_7 + - win22cis_rule_2_3_17_7 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.7 - - automated + - patch + - uac - name: "2.3.17.8 | PATCH | Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" ansible.windows.win_regedit: 
@@ -1678,9 +1961,10 @@ data: 1 type: dword when: - - rule_2_3_17_8 + - win22cis_rule_2_3_17_8 tags: - level1-domaincontroller - level1-memberserver - rule_2.3.17.8 - - automated + - patch + - uac diff --git a/tasks/section05.yml b/tasks/section05.yml index b104a84..851548d 100644 --- a/tasks/section05.yml +++ b/tasks/section05.yml @@ -1,18 +1,33 @@ --- - name: | - "5.1 | PATCH | Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only)" - "5.2 | PATCH | Ensure 'Print Spooler (Spooler)' is set to 'Disabled' ( MS only)" - ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\Spooler - name: Start - data: 0 - type: dword + "5.1 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled Domain Controller & + 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled Member Server" + block: + - name: "5.1 & 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled | Check to see if Spooler service exists." + ansible.windows.win_service_info: + name: Spooler + register: spooler_service_info + - name: "5.1 & 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled | RegEdit" + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Spooler + name: Start + data: 4 + type: dword + - name: "5.1 & 5.2 | PATCH | Ensure Print Spooler (Spooler) is set to Disabled | Service" + ansible.windows.win_service: + name: Spooler + start_mode: disabled + state: stopped + when: spooler_service_info.exists + notify: reboot_windows when: - - rule_5_1 + - win22cis_rule_5_1 or + win22cis_rule_5_2 tags: - level1-domaincontroller - - level1-memberserver + - level2-domainmember - rule_5.1 - - automated + - rule_5.2 + - patch - printer diff --git a/tasks/section09.yml b/tasks/section09.yml index 85b566d..34e9ecd 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml 
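Review bot: In the section05.yml hunk the Print Spooler task's tag `level2-domainmember` does not follow the `level1-memberserver`/`level2-memberserver` naming used by every other task in these sections, so a run selected with `--tags level2-memberserver` would skip this control; use `- level2-memberserver`. Only the win_service task is gated on `spooler_service_info.exists`, while the win_regedit task runs unconditionally and would create the Services\Spooler key with Start=4 on a host that has no Spooler service at all — apply `when: spooler_service_info.exists` to the RegEdit task (or to the whole block) as well. The `name: |` literal block also keeps the quote characters and line break inside the task name; a folded `>-` scalar or a plain quoted string prints more cleanly in play output.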
@@ -7,12 +7,14 @@ data: 1 type: dword when: - - rule_9_1_1 + - win22cis_rule_9_1_1 tags: - level1-domaincontroller - level1-memberserver - rule_9.1.1 - - automated + - patch + - firewall + - domain - name: "9.1.2 | PATCH | Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" ansible.windows.win_regedit: @@ -21,12 +23,14 @@ data: 1 type: dword when: - - rule_9_1_2 + - win22cis_rule_9_1_2 tags: - level1-domaincontroller - level1-memberserver - rule_9.1.2 - - automated + - patch + - firewall + - domain - name: "9.1.3 | PATCH | Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" ansible.windows.win_regedit: @@ -35,12 +39,14 @@ data: 0 type: dword when: - - rule_9_1_3 + - win22cis_rule_9_1_3 tags: - level1-domaincontroller - level1-memberserver - rule_9.1.3 - - automated + - patch + - firewall + - domain - name: "9.1.4 | PATCH | Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" ansible.windows.win_regedit: @@ -49,12 +55,14 @@ data: 1 type: dword when: - - rule_9_1_4 + - win22cis_rule_9_1_4 tags: - level1-domaincontroller - level1-memberserver - rule_9.1.4 - - automated + - patch + - firewall + - domain # title has slashes switched - name: "9.1.5 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" 
@@ -64,26 +72,47 @@ data: '{{ win22cis_domain_firewall_log_path }}' type: string when: - - rule_9_1_5 + - win22cis_rule_9_1_5 tags: - level1-domaincontroller - level1-memberserver - rule_9.1.5 - - automated + - patch + - firewall + - domain - name: "9.1.6 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogFileSize - data: '{{ win22cis_domain_firewall_log_size }}' - type: dword + block: + - name: "9.1.6 | AUDIT | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid size set for win22cis_domain_firewall_log_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_domain_firewall_log_size < 16384 + + - name: "9.1.6 | AUDIT | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '9.1.6' + when: win22cis_domain_firewall_log_size < 16384 + + - name: "9.1.6 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Apply Settings To Registry." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFileSize + data: '{{ win22cis_domain_firewall_log_size }}' + type: dword + when: win22cis_domain_firewall_log_size >= 16384 when: - - rule_9_1_6 + - win22cis_rule_9_1_6 tags: - level1-domaincontroller - level1-memberserver - rule_9.1.6 - patch + - firewall + - domain - name: "9.1.7 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" ansible.windows.win_regedit: 
@@ -92,12 +121,14 @@ data: 1 type: dword when: - - rule_9_1_7 + - win22cis_rule_9_1_7 tags: - level1-domaincontroller - level1-memberserver - rule_9.1.7 - - automated + - patch + - firewall + - domain - name: "9.1.8 | PATCH | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" ansible.windows.win_regedit: @@ -106,12 +137,14 @@ data: 1 type: dword when: - - rule_9_1_8 + - win22cis_rule_9_1_8 tags: - level1-domaincontroller - level1-memberserver - - rule_9.1.7 - - automated + - rule_9.1.8 + - patch + - firewall + - domain - name: "9.2.1 | PATCH | Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" ansible.windows.win_regedit: @@ -120,12 +153,14 @@ data: 1 type: dword when: - - rule_9_2_1 + - win22cis_rule_9_2_1 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.1 - - automated + - patch + - firewall + - private - name: "9.2.2 | PATCH | Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" ansible.windows.win_regedit: @@ -134,12 +169,14 @@ data: 1 type: dword when: - - rule_9_2_2 + - win22cis_rule_9_2_2 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.2 - - automated + - patch + - firewall + - private - name: "9.2.3 | PATCH | Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" ansible.windows.win_regedit: @@ -148,12 +185,14 @@ data: 0 type: dword when: - - rule_9_2_3 + - win22cis_rule_9_2_3 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.3 - - automated + - patch + - firewall + - private - name: "9.2.4 | PATCH | Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" ansible.windows.win_regedit: 
@@ -162,12 +201,14 @@ data: 1 type: dword when: - - rule_9_2_4 + - win22cis_rule_9_2_4 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.4 - - automated + - patch + - firewall + - private # title has slashes switched - name: "9.2.5 | PATCH | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" 
@@ -177,26 +218,47 @@ data: '{{ win22cis_private_firewall_log_path }}' type: string when: - - rule_9_2_5 + - win22cis_rule_9_2_5 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.5 - - automated + - patch + - firewall + - private - name: "9.2.6 | PATCH | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogFileSize - data: '{{ win22cis_private_firewall_log_size }}' - type: dword + block: + - name: "9.2.6 | AUDIT | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid size set for win22cis_private_firewall_log_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_private_firewall_log_size < 16384 + + - name: "9.2.6 | AUDIT | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '9.2.6' + when: win22cis_private_firewall_log_size < 16384 + + - name: "9.2.6 | PATCH | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Apply Settings To Registry." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFileSize + data: '{{ win22cis_private_firewall_log_size }}' + type: dword + when: win22cis_private_firewall_log_size >= 16384 when: - - rule_9_2_6 + - win22cis_rule_9_2_6 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.6 - patch + - firewall + - private - name: "9.2.7 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" ansible.windows.win_regedit: 
@@ -205,12 +267,14 @@ data: 1 type: dword when: - - rule_9_2_7 + - win22cis_rule_9_2_7 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.7 - - automated + - patch + - firewall + - private - name: "9.2.8 | PATCH | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" ansible.windows.win_regedit: @@ -219,12 +283,14 @@ data: 1 type: dword when: - - rule_9_2_8 + - win22cis_rule_9_2_8 tags: - level1-domaincontroller - level1-memberserver - rule_9.2.8 - - automated + - patch + - firewall + - private - name: "9.3.1 | PATCH | Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" ansible.windows.win_regedit: @@ -233,12 +299,14 @@ data: 1 type: dword when: - - rule_9_3_1 + - win22cis_rule_9_3_1 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.1 - - automated + - patch + - firewall + - public - name: "9.3.2 | PATCH | Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" ansible.windows.win_regedit: @@ -247,12 +315,14 @@ data: 1 type: dword when: - - rule_9_3_2 + - win22cis_rule_9_3_2 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.2 - - automated + - patch + - firewall + - public - name: "9.3.3 | PATCH | Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" ansible.windows.win_regedit: @@ -261,12 +331,14 @@ data: 0 type: dword when: - - rule_9_3_3 + - win22cis_rule_9_3_3 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.3 - - automated + - patch + - firewall + - public - name: "9.3.4 | PATCH | Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" ansible.windows.win_regedit: 
@@ -275,12 +347,14 @@ data: 1 type: dword when: - - rule_9_3_4 + - win22cis_rule_9_3_4 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.4 - - automated + - patch + - firewall + - public - name: "9.3.5 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" ansible.windows.win_regedit: @@ -289,13 +363,15 @@ data: 0 type: dword when: - - rule_9_3_5 + - win22cis_rule_9_3_5 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - rule_9.3.5 - - automated + - patch + - firewall + - public - name: "9.3.6 | PATCH | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" ansible.windows.win_regedit: @@ -304,12 +380,14 @@ data: 0 type: dword when: - - rule_9_3_6 + - win22cis_rule_9_3_6 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.6 - - automated + - patch + - firewall + - public # title has slashes switched - name: "9.3.7 | PATCH | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" 
@@ -319,26 +397,47 @@ data: '{{ win22cis_public_firewall_log_path }}' type: string when: - - rule_9_3_7 + - win22cis_rule_9_3_7 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.7 - - automated + - patch + - firewall + - public - name: "9.3.8 | PATCH | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogFileSize - data: '{{ win22cis_public_firewall_log_size }}' - type: dword + block: + - name: "9.3.8 | AUDIT | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid size set for win22cis_public_firewall_log_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_public_firewall_log_size < 16384 + + - name: "9.3.8 | AUDIT | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '9.3.8' + when: win22cis_public_firewall_log_size < 16384 + + - name: Apply Settings To Registry." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFileSize + data: '{{ win22cis_public_firewall_log_size }}' + type: dword + when: win22cis_public_firewall_log_size >= 16384 when: - - rule_9_3_8 + - win22cis_rule_9_3_8 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.8 - - automated + - patch + - firewall + - public - name: "9.3.9 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" ansible.windows.win_regedit: 
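Review bot: In the new 9.3.8 block the registry task is named `- name: Apply Settings To Registry."` — the trailing quote is a typo that becomes part of the task name, and the name drops the `9.3.8 | PATCH | … |` prefix every other task in this hunk carries; suggest `- name: "9.3.8 | PATCH | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Apply Settings To Registry"`. The three `when:` guards compare the raw `win22cis_public_firewall_log_size` with the integer 16384; if the value arrives as a string (for example via `-e` on the command line) that comparison can error or misbehave, so casting first, e.g. `when: win22cis_public_firewall_log_size | int >= 16384`, keeps all three guards robust. A short comment on the block would also help readers: a below-minimum value only emits the warning and imports `warning_facts.yml`, leaving whatever LogFileSize already exists untouched, so on that path the control is reported rather than enforced.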
@@ -347,12 +446,14 @@ data: 1 type: dword when: - - rule_9_3_9 + - win22cis_rule_9_3_9 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.9 - - automated + - patch + - firewall + - public - name: "9.3.10 | PATCH | Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" ansible.windows.win_regedit: @@ -361,9 +462,11 @@ data: 1 type: dword when: - - rule_9_3_10 + - win22cis_rule_9_3_10 tags: - level1-domaincontroller - level1-memberserver - rule_9.3.10 - - automated + - patch + - firewall + - public diff --git a/tasks/section17.yml b/tasks/section17.yml index 1bbdd83..2b8d8a3 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
@@ -1,547 +1,732 @@ --- - name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: Credential Validation - audit_type: success, failure + block: + - name: "17.1.1 | AUDIT | Ensure Audit Credential Validation is set to Success and Failure. | Get current audit events." + ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_1_1_audit + + - name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable + when: "'Success' not in rule_17_1_1_audit.stdout" + + - name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable + when: "'Failure' not in rule_17_1_1_audit.stdout" when: - - rule_17_1_1 - - ansible_windows_domain_role == "Primary domain controller" or - ansible_windows_domain_role == "Member server" + - win22cis_rule_17_1_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.1.1 - - automated + - patch -- name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" - community.windows.win_audit_policy_system: - subcategory: Kerberos Authentication Service - audit_type: success, failure +- name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Domain Controller" + block: + - name: "17.1.2 | AUDIT | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Get current audit events | Domain Controller" + ansible.windows.win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r 
| ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_1_2_audit + + - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Success | Domain Controller" + ansible.windows.win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Success' not in rule_17_1_2_audit.stdout" + + - name: "17.1.2 | PATCH | Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only | Failure | Domain Controller" + ansible.windows.win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable + when: "'Failure' not in rule_17_1_2_audit.stdout" when: - - rule_17_1_2 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_17_1_2 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_17.1.2 - - automated + - patch -- name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' DC Only" - community.windows.win_audit_policy_system: - subcategory: Kerberos Service Ticket Operations - audit_type: success, failure +- name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" + block: + - name: "17.1.3 | AUDIT | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_1_3_audit + + - name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'| Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Success' not in rule_17_1_3_audit.stdout" + + - name: "17.1.3 | PATCH | Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable + when: "'Failure' not in rule_17_1_3_audit.stdout" when: - - rule_17_1_3 + - win22cis_rule_17_1_3 - ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - - rule_17.1.2 - - automated + - rule_17.1.3 + - patch - name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: Security Group Management - audit_type: success, failure + block: + - name: "17.2.1 | AUDIT | Ensure Audit Application Group Management is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_2_1_audit + + - name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable + when: "'Success' not in rule_17_2_1_audit.stdout" + + - name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable + when: "'Failure' not in rule_17_2_1_audit.stdout" when: - - rule_17_2_1 - - ansible_windows_domain_role == "Primary domain controller" or - ansible_windows_domain_role == "Member server" + - win22cis_rule_17_2_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.2.1 - - automated + - patch -- name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only" +- name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only | Domain Controller" block: - - name: "17.2.2 | AUDIT | Ensure Audit Computer Account Management is set to include Success DC only | Gather existing settings" + - name: "17.2.2 | AUDIT | Ensure Audit Computer Account Management is set to include Success DC only | Get current audit events | Domain Controller" ansible.windows.win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_2_2_audit + check_mode: false + register: rule_17_2_2_audit - - name: "17.2.2 | PATCH | Ensure Audit Computer Account Management is set to include Success DC only | Set success if needed" + - name: "17.2.2 | PATCH | Ensure Audit Computer 
Account Management is set to include Success DC only | Success | Domain Controller" ansible.windows.win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable - changed_when: "'Success' not in win22cis_17_2_2_audit.stdout" - when: "'Success' not in win22cis_17_2_2_audit.stdout" + changed_when: "'Success' not in rule_17_2_2_audit.stdout" + when: "'Success' not in rule_17_2_2_audit.stdout" when: - - rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_17_2_2 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_17.2.2 - - automated + - patch -- name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only" +- name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only | Domain Controller" block: - - name: "17.2.3 | AUDIT | Ensure Audit Distribution Group Management is set to include Success DC only | Gather existing settings" + - name: "17.2.3 | AUDIT | Ensure Audit Distribution Group Management is set to include Success DC only | Get current audit events | Domain Controller" ansible.windows.win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_2_3_audit + check_mode: false + register: rule_17_2_3_audit - - name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only | Set success if needed" + - name: "17.2.3 | PATCH | Ensure Audit Distribution Group Management is set to include Success DC only | Success | Domain Controller" ansible.windows.win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable - when: "'Success' not in win22cis_17_2_3_audit.stdout" + when: "'Success' not in rule_17_2_3_audit.stdout" when: - - rule_17_2_3 - - ansible_windows_domain_role == "Primary domain controller" + - 
win22cis_rule_17_2_3 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_17.2.3 - - automated + - patch -- name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only" +- name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only | Domain Controller" block: - - name: "17.2.4 | AUDIT | Ensure Audit Other Account Management Events is set to include Success DC only | Gather existing settings" + - name: "17.2.4 | AUDIT | Ensure Audit Other Account Management Events is set to include Success DC only | Get current audit events| Domain Controller" ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_2_4_audit + check_mode: false + register: rule_17_2_4_audit - - name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only | Set success if needed" + - name: "17.2.4 | PATCH | Ensure Audit Other Account Management Events is set to include Success DC only | Success | Domain Controller" ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable - when: "'Success' not in win22cis_17_2_4_audit.stdout" + when: "'Success' not in rule_17_2_4_audit.stdout" when: - - rule_17_2_4 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_17_2_4 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_17.2.4 - - automated + - patch - name: "17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success" block: - - name: "17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success | Gather existing settings" + - name: "17.2.5 | AUDIT | Ensure Audit Security Group Management is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_2_5_audit + check_mode: false + register: rule_17_2_5_audit - - name: "17.2.5 | PATCH | Ensure Audit Security Group Management is set to include Success | Set success if needed" + - name: "17.2.5 | PATCH | Ensure Audit Security Group Management is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable - when: "'Success' not in win22cis_17_2_5_audit.stdout" + when: "'Success' not in rule_17_2_5_audit.stdout" when: - - rule_17_2_5 + - win22cis_rule_17_2_5 tags: - level1-domaincontroller - level1-memberserver - rule_17.2.5 - - automated + - patch - name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: User Account Management - audit_type: success, failure + block: + - name: "17.2.6 | AUDIT | Ensure Audit User Account Management is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_2_6_audit + + - name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable + when: "'Success' not in rule_17_2_6_audit.stdout" + + - name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable + when: "'Failure' not in rule_17_2_6_audit.stdout" when: - - rule_17_2_6 + - win22cis_rule_17_2_6 tags: - level1-domaincontroller - level1-memberserver - rule_17.2.6 - - automated + - patch - name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success" block: - - name: "17.3.1 | AUDIT | Ensure Audit PNP Activity is set to include Success | Gather existing settings" + - name: "17.3.1 | AUDIT | Ensure Audit PNP Activity is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_3_1_audit + check_mode: false + register: rule_17_3_1_audit - - name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success | Set success if needed" + - name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable - when: "'Success' not in win22cis_17_3_1_audit.stdout" + when: "'Success' not in rule_17_3_1_audit.stdout" when: - - rule_17_3_1 + - win22cis_rule_17_3_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.3.1 - - automated + - patch - name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success" block: - - name: "17.3.2 | AUDIT | Ensure Audit Process Creation is set to include Success | Gather existing settings" + - name: "17.3.2 | AUDIT | Ensure Audit Process Creation is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_3_2_audit + check_mode: false + register: rule_17_3_2_audit - - name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success | Set success if needed" + - name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - when: "'Success' not in win22cis_17_3_2_audit.stdout" + when: "'Success' not in rule_17_3_2_audit.stdout" when: - - rule_17_3_2 + - win22cis_rule_17_3_2 tags: - level1-domaincontroller - level1-memberserver - rule_17.3.2 - - automated + - patch -- name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only" +- name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only | Domain Controller" block: - - name: "17.4.1 | AUDIT | Ensure Audit Directory Service Access is set to include Failure DC only | Gather existing settings" + - name: "17.4.1 | AUDIT | Ensure Audit Directory Service Access is set to include Failure DC only | Get current audit events | Domain Controller" ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_4_1_audit + check_mode: false + register: rule_17_4_1_audit - - name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only | Set failure if needed" + - name: "17.4.1 | PATCH | Ensure Audit Directory Service Access is set to include Failure DC only | Failure | Domain Controller" ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable - when: "'Failure' not in win22cis_17_4_1_audit.stdout" + when: 
"'Failure' not in rule_17_4_1_audit.stdout" when: - - rule_17_4_1 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_17_4_1 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_17.4.1 - - automated + - patch -- name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only" +- name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only | Domain Controller" block: - - name: "17.4.2 | AUDIT | Ensure Audit Directory Service Changes is set to include Success DC only | Gather existing settings" + - name: "17.4.2 | AUDIT | Ensure Audit Directory Service Changes is set to include Success DC only | Get current audit events | Domain Controller" ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_4_2_audit + check_mode: false + register: rule_17_4_2_audit - - name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only | Set success if needed" + - name: "17.4.2 | PATCH | Ensure Audit Directory Service Changes is set to include Success DC only | Success | Domain Controller" ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - when: "'Success' not in win22cis_17_4_2_audit.stdout" + when: "'Success' not in rule_17_4_2_audit.stdout" when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_17_4_2 + - win2022cis_is_domain_controller tags: - level1-domaincontroller - rule_17.4.2 - - automated + - patch - name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure" block: - - name: "17.5.1 | AUDIT | Ensure Audit Account Lockout is set to include Failure | Gather existing settings" + - name: "17.5.1 | AUDIT | Ensure Audit Account Lockout is set to include Failure 
| Get current audit events." ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_5_1_audit + check_mode: false + register: rule_17_5_1_audit - - name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure | Set failure if needed" + - name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure | Failure" ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable - when: "'Failure' not in win22cis_17_5_1_audit.stdout" + when: "'Failure' not in rule_17_5_1_audit.stdout" when: - - rule_17_5_1 + - win22cis_rule_17_5_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.5.1 - - automated + - patch - name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success" block: - - name: "17.5.2 | AUDIT | Ensure Audit Group Membership is set to include Success | Gather existing settings" + - name: "17.5.2 | AUDIT | Ensure Audit Group Membership is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_5_2_audit + check_mode: false + register: rule_17_5_2_audit - - name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success | Set success if needed" + - name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - when: "'Success' not in win22cis_17_5_2_audit.stdout" + when: "'Success' not in rule_17_5_2_audit.stdout" when: - - rule_17_5_2 + - win22cis_rule_17_5_2 tags: - level1-domaincontroller - level1-memberserver - rule_17.5.2 - - automated + - patch -- name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success" +- name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success" block: - - name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success | Gather existing settings" + - name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_5_3_audit + check_mode: false + register: rule_17_5_3_audit - - name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success | Set success if needed" + - name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - when: "'Success' not in win22cis_17_5_3_audit.stdout" + when: "'Success' not in rule_17_5_3_audit.stdout" when: - - rule_17_5_3 + - win22cis_rule_17_5_3 tags: - level1-domaincontroller - level1-memberserver - rule_17.5.3 - - automated + - patch - name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: Logon - audit_type: success, failure + block: + - name: "17.5.4 | AUDIT | Ensure Audit Logon is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_5_4_audit + + - name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /success:enable + when: "'Success' not in rule_17_5_4_audit.stdout" + + - name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /failure:enable + when: "'Failure' not in rule_17_5_4_audit.stdout" when: - - rule_17_5_4 + - win22cis_rule_17_5_4 tags: - level1-domaincontroller - level1-memberserver - rule_17.5.4 - - automated + - patch -- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: Other Logon/Logoff Events - audit_type: success, failure +- name: "17.5.5 | PATCH | Ensure Audit Other Logon,Logoff Events is set to Success and Failure" + block: + - name: "17.5.5 | AUDIT | Ensure Audit Other Logon,Logoff Events is set to Success and Failurr | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_5_5_audit + + - name: "17.5.5 | PATCH | Ensure Audit Other Logon,Logoff Events is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable + when: "'Success' not in rule_17_5_5_audit.stdout" + + - name: "17.5.5 | PATCH | Ensure Audit Other Logon,Logoff Events is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable + when: "'Failure' not in rule_17_5_5_audit.stdout" when: - - rule_17_5_5 + - win22cis_rule_17_5_5 tags: - level1-domaincontroller - level1-memberserver - rule_17.5.5 - - automated + - patch - name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success" block: - - name: "17.5.6 | AUDIT | Ensure Audit Special Logon is set to include Success | Gather existing settings" + - name: "17.5.6 | AUDIT | Ensure Audit Special Logon is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_5_6_audit + check_mode: false + register: rule_17_5_6_audit - - name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success | Set success if needed" + - name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - when: "'Success' not in win22cis_17_5_6_audit.stdout" + when: "'Success' not in rule_17_5_6_audit.stdout" when: - - rule_17_5_6 + - win22cis_rule_17_5_6 tags: - level1-domaincontroller - level1-memberserver - rule_17.5.6 - - automated + - patch - name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure" block: - - name: "17.6.1 | AUDIT | Ensure Audit Detailed File Share is set to include Failure | Gather existing settings" + - name: "17.6.1 | AUDIT | Ensure Audit Detailed File Share is set to include Failure | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_6_1_audit + check_mode: false + register: rule_17_6_1_audit - - name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure | Set failure if needed" + - name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure | Failure" ansible.windows.win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable - when: "'Failure' not in win22cis_17_6_1_audit.stdout" + when: "'Failure' not in rule_17_6_1_audit.stdout" when: - - rule_17_6_1 + - win22cis_rule_17_6_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.6.1 - - automated + - patch - name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: File Share - audit_type: success, failure + block: + - name: "17.6.2 | AUDIT | Ensure Audit File Share is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_6_2_audit + + - name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"File Share" /success:enable + when: "'Success' not in rule_17_6_2_audit.stdout" + + - name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"File Share" /failure:enable + when: "'Failure' not in rule_17_6_2_audit.stdout" when: - - rule_17_6_2 + - win22cis_rule_17_6_2 tags: - level1-domaincontroller - level1-memberserver - rule_17.6.2 - - automated + - patch - name: "17.6.3 | PATCH | Ensure Audit Other Object Access Events is set to Success and Failure" - win_audit_policy_system: + community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure when: - - rule_17_6_3 + - win22cis_rule_17_6_3 tags: - level1-domaincontroller - level1-memberserver - rule_17.6.3 - - automated + - patch - name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: Removable Storage - audit_type: success, failure + block: + - name: "17.6.4 | AUDIT | Ensure Audit Removable Storage is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_6_4_audit + + - name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable + when: "'Success' not in rule_17_6_4_audit.stdout" + + - name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable + when: "'Failure' not in rule_17_6_4_audit.stdout" when: - - rule_17_6_4 + - win22cis_rule_17_6_4 tags: - level1-domaincontroller - level1-memberserver - rule_17.6.4 - - automated + - patch - name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success" block: - - name: "17.7.1 | AUDIT | Ensure Audit Audit Policy Change is set to include Success | Gather existing settings" + - name: "17.7.1 | AUDIT | Ensure Audit Audit Policy Change is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_7_1_audit + check_mode: false + register: rule_17_7_1_audit - - name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success | Set success if needed" + - name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - when: "'Success' not in win22cis_17_7_1_audit.stdout" + when: "'Success' not in rule_17_7_1_audit.stdout" when: - - rule_17_7_1 + - win22cis_rule_17_7_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.7.1 - - automated + - patch - name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success" block: - - name: "17.7.2 | AUDIT | Ensure Audit Authentication Policy Change is set to include Success | Gather existing settings" + - name: "17.7.2 | AUDIT | Ensure Audit Authentication Policy Change is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_7_2_audit + check_mode: false + register: rule_17_7_2_audit - - name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success | Set success if needed" + - name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - when: "'Success' not in win22cis_17_7_2_audit.stdout" + when: "'Success' not in rule_17_7_2_audit.stdout" when: - - rule_17_7_2 + - win22cis_rule_17_7_2 tags: - level1-domaincontroller - level1-memberserver - rule_17.7.2 - - automated + - patch - name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success" block: - - name: "17.7.3 | AUDIT | Ensure Audit Authorization Policy Change is set to include Success | Gather existing settings" + - name: "17.7.3 | AUDIT | Ensure Audit Authorization Policy Change is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_7_3_audit + check_mode: false + register: rule_17_7_3_audit - - name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success | Set success if needed" + - name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - when: "'Success' not in win22cis_17_7_3_audit.stdout" + when: "'Success' not in rule_17_7_3_audit.stdout" when: - - rule_17_7_3 + - win22cis_rule_17_7_3 tags: - level1-domaincontroller - level1-memberserver - rule_17.7.3 - - automated + - patch - name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: MPSSVC Rule-Level Policy Change - audit_type: success, failure + block: + - name: "17.7.4 | AUDIT | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_7_4_audit + + - name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable + when: "'Success' not in rule_17_7_4_audit.stdout" + + - name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable + when: "'Failure' not in rule_17_7_4_audit.stdout" when: - - rule_17_7_4 + - win22cis_rule_17_7_4 tags: - level1-domaincontroller - level1-memberserver - rule_17.7.4 - - automated + - patch - name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure" block: - - name: "17.7.5 | AUDIT | Ensure Audit Other Policy Change Events is set to include Failure | Gather existing settings" + - name: "17.7.5 | AUDIT | Ensure Audit Other Policy Change Events is set to include Failure | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_7_5_audit + check_mode: false + register: rule_17_7_5_audit - - name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure | Set failure if needed" + - name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure | Failure" ansible.windows.win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable - when: "'Failure' not in win22cis_17_7_5_audit.stdout" + when: "'Failure' not in rule_17_7_5_audit.stdout" when: - - rule_17_7_5 + - win22cis_rule_17_7_5 tags: - level1-domaincontroller - level1-memberserver - rule_17.7.5 - - automated + - patch - name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: Sensitive Privilege Use - audit_type: success, failure + block: + - name: "17.8.1 | AUDIT | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_8_1_audit + + - name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable + when: "'Success' not in rule_17_8_1_audit.stdout" + + - name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable + when: "'Failure' not in rule_17_8_1_audit.stdout" when: - - rule_17_8_1 + - win22cis_rule_17_8_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.8.1 - - automated + - patch - name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: IPsec Driver - audit_type: success, failure + block: + - name: "17.9.1 | AUDIT | Ensure Audit IPsec Driver is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_9_1_audit + + - name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable + when: "'Success' not in rule_17_9_1_audit.stdout" + + - name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable + when: "'Failure' not in rule_17_9_1_audit.stdout" when: - - rule_17_9_1 + - win22cis_rule_17_9_1 tags: - level1-domaincontroller - level1-memberserver - rule_17.9.1 - - automated + - patch - name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: Other System Events - audit_type: success, failure + block: + - name: "17.9.2 | AUDIT | Ensure Audit Other System Events is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: rule_17_9_2_audit + + - name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Success" + ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable + when: "'Success' not in rule_17_9_2_audit.stdout" + + - name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Failure" + ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable + when: "'Failure' not in rule_17_9_2_audit.stdout" when: - - rule_17_9_2 + - win22cis_rule_17_9_2 tags: - level1-domaincontroller - level1-memberserver - rule_17.9.2 - - automated + - patch - name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success" block: - - name: "17.9.3 | AUDIT | Ensure Audit Security State Change is set to include Success | Gather existing settings" + - name: "17.9.3 | AUDIT | Ensure Audit Security State Change is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_9_3_audit + check_mode: false + register: rule_17_9_3_audit - - name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success | Set success if needed" + - name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - when: "'Success' not in win22cis_17_9_3_audit.stdout" + when: "'Success' not in rule_17_9_3_audit.stdout" when: - - rule_17_9_3 + - win22cis_rule_17_9_3 tags: - level1-domaincontroller - level1-memberserver - rule_17.9.3 - - automated + - patch - name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success" block: - - name: "17.9.4 | AUDIT | Ensure Audit Security System Extension is set to include Success | Gather existing settings" + - name: "17.9.4 | AUDIT | Ensure Audit Security System Extension is set to include Success | Get current audit events." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false - register: win22cis_17_9_4_audit + check_mode: false + register: rule_17_9_4_audit - - name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success | Set success if needed" + - name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success | Success" ansible.windows.win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - when: "'Success' not in win22cis_17_9_4_audit.stdout" + when: "'Success' not in rule_17_9_4_audit.stdout" when: - - rule_17_9_4 + - win22cis_rule_17_9_4 tags: - level1-domaincontroller - level1-memberserver - rule_17.9.4 - - automated + - patch - name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure" - community.windows.win_audit_policy_system: - subcategory: System Integrity - audit_type: success, failure + block: + - name: "17.9.5 | AUDIT | Ensure Audit System Integrity is set to Success and Failure | Get current audit events." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: rule_17_9_5_audit
+
+ - name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Success"
+ ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
+ changed_when: "'Success' not in rule_17_9_5_audit.stdout"
+ when: "'Success' not in rule_17_9_5_audit.stdout"
+
+ - name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Failure"
+ ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
+ when: "'Failure' not in rule_17_9_5_audit.stdout"
 when:
- - rule_17_9_5
+ - win22cis_rule_17_9_5
 tags:
 - level1-domaincontroller
 - level1-memberserver
 - rule_17.9.5
- - automated
+ - patch
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 3af77cb..41b076a 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -7,12 +7,13 @@
 data: 1
 type: dword
 when:
- - rule_18_1_1_1
+ - win22cis_rule_18_1_1_1
 tags:
 - level1-domaincontroller
 - level1-memberserver
 - rule_18.1.1.1
- - automated
+ - patch
+ - camera
 
- name: "18.1.1.2 | PATCH | Ensure Prevent enabling lock screen slide show is set to Enabled"
 ansible.windows.win_regedit:
@@ -21,12 +22,13 @@
 data: 1
 type: dword
 when:
- - rule_18_1_1_2
+ - win22cis_rule_18_1_1_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
 - rule_18.1.1.2
- - automated
+ - patch
+ - lockscreen
 
- name: "18.1.2.2 | PATCH | Ensure Allow users to enable online speech recognition services is set to Disabled"
 ansible.windows.win_regedit:
@@ -35,12 +37,13 @@
 data: "0"
 type: dword
 when:
- - rule_18_1_2_2
+ - win22cis_rule_18_1_2_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
 - rule_18.1.2.2
- - automated
+ - patch
+ - onlinespeech
 
- name: "18.1.3 | PATCH | Ensure Allow Online Tips is set to Disabled"
 ansible.windows.win_regedit:
@@ -49,126 +52,187 @@ data: 0 type: dword when: - - rule_18_1_3 + - win22cis_rule_18_1_3 tags: - level2-domaincontroller - level2-memberserver - rule_18.1.3 - - automated + - patch + - onlinetips -- name: "18.2.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" +- name: "18.3.1 | PATCH | Ensure LAPS AdmPwd GPO Extension / CSE is installed MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} name: DllName data: C:\Program Files\LAPS\CSE\AdmPwd.dll type: string when: - - rule_18_2_1 - - ansible_windows_domain_role == "Member Server" + - win22cis_rule_18_3_1 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.2.1 - - automated + - rule_18.3.1 + - patch + - laps + - gpo -- name: "18.2.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" +- name: "18.3.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PwdExpirationProtectionEnabled data: 1 type: dword when: - - rule_18_2_2 - - ansible_windows_domain_role == "Member Server" + - win22cis_rule_18_3_2 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.2.2 - - automated + - rule_18.3.2 + - patch + - accounts -- name: "18.2.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled MS only" +- name: "18.3.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: AdmPwdEnabled data: 1 type: dword when: - - rule_18_2_3 - - ansible_windows_domain_role == "Member Server" + - win22cis_rule_18_3_3 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.2.3 - - 
automated + - rule_18.3.3 + - patch + - accounts + - admin -- name: "18.2.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" +- name: "18.3.4 | PATCH | Ensure Password Settings: Password Complexity is set to Enabled: Large letters + small letters + numbers + special characters MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd name: PasswordComplexity data: 4 type: dword when: - - rule_18_2_4 - - ansible_windows_domain_role == "Member Server" + - win22cis_rule_18_3_4 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.2.4 - - automated + - rule_18.3.4 + - patch + - accounts -- name: "18.2.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd - name: PasswordLength - data: "{{ win22cis_laps_passwordlength }}" - type: dword +- name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only | Member Server" + block: + - name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only | Warning Check For Variable Standards | Member Server" + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid password length set for win22cis_laps_password_length please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_laps_password_length < 15 + + - name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only | Warn Count | Member Server" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.3.5' + when: win22cis_laps_password_length < 15 + + - name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. 
| Set Variable | Member Server" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordLength + data: "{{ win22cis_laps_password_length }}" + type: dword + when: win22cis_laps_password_length >= 15 when: - - rule_18_2_5 - - ansible_windows_domain_role == "Member Server" + - win22cis_rule_18_3_5 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.2.5 - - automated + - rule_18.3.5 + - patch + - accounts -- name: "18.2.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd - name: PasswordAgeDays - data: "{{ win22cis_laps_passwordagedays }}" - type: dword +- name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Member Server" + block: + - name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warning Check For Variable Standards | Member Server" + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid password length set for win22cis_laps_password_length please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." 
+ when: win22cis_laps_password_age_days > 30 + + - name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warn Count | Member Server" + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.3.6' + when: win22cis_laps_password_age_days > 30 + + - name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Set Variable | Member Server" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordAgeDays + data: "{{ win22cis_laps_password_age_days }}" + type: dword + when: win22cis_laps_password_age_days <= 30 when: - - rule_18_2_6 - - ansible_windows_domain_role == "Memmber Server" + - win22cis_rule_18_3_6 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.2.6 - - automated + - rule_18.3.6 + - patch + - accounts -- name: "18.3.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" +- name: "18.4.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LocalAccountTokenFilterPolicy data: 0 type: dword when: - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_18_4_1 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.3.1 - - automated + - rule_18.4.1 + - patch + - uac + +- name: "18.4.2 | PATCH | Ensure Configure RPC packet level privacy setting for incoming connections is set to Enabled" + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Print + name: RpcAuthnLevelPrivacyEnabled + data: 1 + type: dword + notify: reboot_windows + when: + - win22cis_rule_18_4_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.2 + - patch + - RPC -- name: 
"18.3.2 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" +- name: "18.4.3 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 name: Start data: 4 type: dword when: - - rule_18_3_2 + - win22cis_rule_18_4_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.2 - - automated + - rule_18.4.3 + - patch + - smb -- name: "18.3.3 | PATCH | Ensure Configure SMB v1 server is set to Disabled" +- name: "18.4.4 | PATCH | Ensure Configure SMB v1 server is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: SMB1 @@ -177,14 +241,15 @@ state: present notify: reboot_windows when: - - rule_18_3_3 + - win22cis_rule_18_4_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.3.3 - - automated + - rule_18.4.4 + - patch + - smb -- name: "18.3.4 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" +- name: "18.4.5 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel name: DisableExceptionChainValidation 
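Review bot: The warning text in the new 18.3.6 block still says `invalid password length set for win22cis_laps_password_length`, but the condition on that same debug task tests `win22cis_laps_password_age_days > 30`, so an operator who hits it is pointed at the wrong variable; change the first message line to `- "Warning!! You have an invalid password age set for win22cis_laps_password_age_days please read"`. In both 18.3.5 and 18.3.6 an out-of-range value means the win_regedit task is skipped entirely, so whatever `PasswordLength` or `PasswordAgeDays` the host already holds is left in place rather than being pushed toward the benchmark value; a comment on each block such as `# Out-of-range values are only reported via warning_facts.yml; the registry value is left untouched` would make clear that this is intentional. The `win2022cis_is_domain_member` fact used in the new `when:` lists carries a different prefix from every other `win22cis_` variable in this file; if it is defined elsewhere under exactly that name this is only a naming inconsistency, otherwise these LAPS and UAC tasks fail on an undefined variable.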
@@ -192,28 +257,15 @@
 type: dword
 state: present
 when:
- - rule_18_3_4
- tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.3.4
- - automated
-
-- name: "18.3.5 | PATCH | Ensure Limits print driver installation to Administrators is set to Enabled"
- ansible.windows.win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- name: RestrictDriverInstallationtoAdministrators
- data: 1
- type: dword
- when:
- - rule_18_3_5
+ - win22cis_rule_18_4_5
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.3.5
- - automated
+ - rule_18.4.5
+ - patch
+ - sehop
 
-- name: "18.3.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
+- name: "18.4.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
 state: present
@@ -221,14 +273,15 @@
 data: "{{ win22cis_netbt_nodetype }}"
 datatype: dword
 when:
- - rule_18_3_6
+ - win22cis_rule_18_4_6
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.3.6
- - automated
+ - rule_18.4.6
+ - patch
+ - netbt
 
-- name: "18.3.7 | PATCH | Ensure WDigest Authentication is set to Disabled"
+- name: "18.4.7 | PATCH | Ensure WDigest Authentication is set to Disabled"
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
 state: present
@@ -236,14 +289,15 @@
 data: 0
 datatype: dword
 when:
- - rule_18_3_7
+ - win22cis_rule_18_4_7
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.3.7
- - automated
+ - rule_18.4.7
+ - patch
+ - wdigest
 
-- name: "18.4.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
+- name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 state: present
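Review bot: The old 18.3.5 task that sets `RestrictDriverInstallationtoAdministrators` under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` is removed in this hunk with no replacement on the new side, while every neighbouring control is only renumbered and re-tagged. On the old side it carried the level1-domaincontroller and level1-memberserver tags, so unless the control was relocated to another section in this same commit the role silently stops enforcing it. If it was relocated, a short comment at the point of removal such as `# Print driver installation restriction (was 18.3.5) now lives in <section>` would save the next reader a search; if it was not, the task should be kept under its new number.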
@@ -251,14 +305,16 @@
 data: 0
 datatype: string
 when:
- - rule_18_4_1
+ - win22cis_rule_18_5_1
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.4.1
- - automated
+ - rule_18.5.1
+ - patch
+ - mss
+ - logon
 
-- name: "18.4.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+- name: "18.5.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
 state: present
@@ -266,14 +322,16 @@
 data: 2
 datatype: dword
 when:
- - rule_18_4_2
+ - win22cis_rule_18_5_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.4.2
- - automated
+ - rule_18.5.2
+ - patch
+ - mss
+ - iprouting
 
-- name: "18.4.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+- name: "18.5.3 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
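Review bot: The renamed 18.5.3 task now reads `Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level ...`, which is byte-for-byte the 18.5.2 name, yet its registry path stays `HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, the IPv4 stack; the old 18.4.3 name did not contain `IPv6`. Two tasks with identical names that write different keys make play output and `--list-tasks` ambiguous when one of them fails or is skipped. Restore the IPv4 wording: `- name: "18.5.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"`. The body of this task continues in the next hunk.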
@@ -281,14 +339,16 @@
 data: 2
 datatype: dword
 when:
- - rule_18_4_3
+ - win22cis_rule_18_5_3
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.4.3
- - automated
+ - rule_18.5.3
+ - patch
+ - mss
+ - iprouting
 
-- name: "18.4.4 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
+- name: "18.5.4 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
@@ -296,14 +356,16 @@
 data: 0
 datatype: dword
 when:
- - rule_18_4_4
+ - win22cis_rule_18_5_4
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.4.4
- - automated
+ - rule_18.5.4
+ - patch
+ - mss
+ - icmps
 
-- name: "18.4.5 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended"
+- name: "18.5.5 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended"
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
 state: present
@@ -311,14 +373,16 @@
 data: 300000
 datatype: dword
 when:
- - rule_18_4_5
+ - win22cis_rule_18_5_5
 tags:
 - level2-domaincontroller
 - level2-memberserver
- - rule_18.4.5
- - automated
+ - rule_18.5.5
+ - patch
+ - mss
+ - keepalive
 
-- name: "18.4.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
+- name: "18.5.6 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
 ansible.windows.win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
 state: present
@@ -326,14 +390,16 @@
 data: 1
 type: dword
 when:
- - rule_18_4_6
+ - win22cis_rule_18_5_6
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.4.6
- - automated
+ - rule_18.5.6
+ - patch
+ - mss
+ - noname
 
-- name: "18.4.7 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
+- name: "18.5.7 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
 ansible.windows.win_regedit:
 path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
 state: present
@@ -341,14 +407,15 @@
 data: 0
 type: dword
 when:
- - rule_18_4_7
+ - win22cis_rule_18_5_7
 tags:
 - level2-domaincontroller
 - level2-memberserver
- - rule_18.4.7
- - automated
+ - rule_18.5.7
+ - patch
+ - mss
 
-- name: "18.4.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
+- name: "18.5.8 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
 ansible.windows.win_regedit:
 path: HKLM:\System\Currentcontrolset\Control\Session Manager
 name: SafeDllSearchMode
@@ -356,1743 +423,2315 @@
 type: dword
 state: present
 when:
- - rule_18_4_8
+ - win22cis_rule_18_5_8
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.4.8
- - automated
+ - rule_18.5.8
+ - patch
+ - mss
 
-- name: "18.4.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
- ansible.windows.win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: ScreenSaverGracePeriod
- data: "{{ win22cis_screen_saver_grace }}"
- type: string
- state: present
+- name: "18.5.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
+ block:
+ - name: "18.5.9 | AUDIT | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Warning Check For Variable Standards."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have an invalid time set for win22cis_screen_saver_grace_period please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when: win22cis_screen_saver_grace_period > 5
+
+ - name: "18.5.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Warn Count."
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+ vars:
+ warn_control_id: '18.5.9'
+ when: win22cis_screen_saver_grace_period > 5
+
+ - name: "18.5.9 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Variable."
+ ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ScreenSaverGracePeriod + data: "{{ win22cis_screen_saver_grace_period }}" + type: string + state: present + when: win22cis_screen_saver_grace_period <= 5 when: - - rule_18_4_9 + - win22cis_rule_18_5_9 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.9 - - automated + - rule_18.5.9 + - patch + - mss -- name: "18.4.10 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.5.10 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters name: TcpMaxDataRetransmissions data: 3 type: dword when: - - rule_18_4_10 + - win22cis_rule_18_5_10 tags: - level2-domaincontroller - level2-memberserver - - rule_18.4.10 - - automated + - rule_18.5.10 + - patch + - mss -- name: "18.4.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "18.5.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters name: TcpMaxDataRetransmissions data: 3 type: dword when: - - rule_18_4_11 + - win22cis_rule_18_5_11 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.11 - - automated + - level2-domaincontroller + - level2-memberserver + - rule_18.5.11 + - patch + - mss -- name: "18.4.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" - ansible.windows.win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security - name: WarningLevel - data: "{{ 
win22cis_mss_security_warn_thresh }}" - type: dword +- name: "18.5.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" + block: + - name: "18.5.12 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid percentage set for win22cis_log_threshold_audit_event please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_log_threshold_audit_event > 90 + + - name: "18.5.12 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.5.12' + when: win22cis_log_threshold_audit_event > 90 + + - name: "18.5.12 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security + name: WarningLevel + data: "{{ win22cis_log_threshold_audit_event }}" + type: dword + when: win22cis_log_threshold_audit_event <= 90 when: - - rule_18_4_12 + - win22cis_rule_18_5_12 tags: - level1-domaincontroller - level1-memberserver - - rule_18.4.12 + - rule_18.5.12 + - patch + - mss + +- name: "18.6.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher" + block: + - name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! 
You have an invalid setting for win22cis_doh_policy. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_doh_policy != 2 + - win22cis_doh_policy != 3 + + - name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.6.4.1' + when: + - win22cis_doh_policy != 2 + - win22cis_doh_policy != 3 + + - name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient + name: DoHPolicy + data: "{{ win22cis_doh_policy }}" + type: dword + when: win22cis_doh_policy == 2 or win22cis_doh_policy == 3 + when: + - win22cis_rule_18_6_4_1 + tags: + - level1-corporate-enterprise-environment + - rule_18.6.4.1 - automated + - patch + - dns-over-https -- name: "18.5.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled Allow DoH or higher" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient - name: DoHPolicy - data: "{{ win22cis_dns_over_https }}" - type: dword +- name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'" + block: + - name: "18.6.4.2 | AUDIT | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win22cis_enable_netbios_policy. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." 
+ when: + - win22cis_enable_netbios_policy != 2 + - win22cis_enable_netbios_policy != 0 + + - name: "18.6.4.2 | AUDIT | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.6.4.2' + when: + - win22cis_enable_netbios_policy != 2 + - win22cis_enable_netbios_policy != 0 + + - name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient + name: EnableNetbios + data: "{{ win22cis_enable_netbios_policy }}" + type: dword + when: win22cis_enable_netbios_policy == 2 or win22cis_enable_netbios_policy == 0 when: - - rule_18_5_4_1 + - win22cis_rule_18_6_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.4.1 + - level1-corporate-enterprise-environment + - rule_18.6.4.2 - automated + - patch + - netbios -- name: "18.5.4.2 | PATCH | Ensure Turn off multicast name resolution is set to Enabled" +- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast - data: 0 + data: 1 type: dword when: - - rule_18_5_4_2 + - win22cis_rule_18_6_4_3 + - win2022cis_is_domain_member tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.4.2 - - automated + - rule_18.6.4.3 + - patch + - dns -- name: "18.5.5.1 | PATCH | Ensure Enable Font Providers is set to Disabled" +- name: "18.6.5.1 | PATCH | Ensure Enable Font Providers is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableFontProviders data: 0 type: dword when: - - rule_18_5_5_1 + - win22cis_rule_18_6_5_1 tags: - level2-domaincontroller - 
level2-memberserver - - rule_18.5.5.1 - - automated + - rule_18.6.5.1 + - patch + - dns -- name: "18.5.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled" +- name: "18.6.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation name: AllowInsecureGuestAuth data: 0 type: dword when: - - rule_18_5_8_1 + - win22cis_rule_18_6_8_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.8.1 - - automated + - rule_18.6.8.1 + - patch + - fonts -- name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" +- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper I/O LLTDIO driver is set to Disabled" block: - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOndomain data: 0 type: dword - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOnPublicNet data: 0 type: dword - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableLLTDIO data: 0 type: dword - - name: "18.5.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + - name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to 
Disabled | ProhibitLLTDIOOnPrivateNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitLLTDIOOnPrivateNet data: 0 type: dword when: - - rule_18_5_9_1 + - win22cis_rule_18_6_9_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.9.1 - - automated + - rule_18.6.9.1 + - patch + - mapper + - drivers -- name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled" +- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled" block: - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnDomain data: 0 type: dword - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnPublicNet data: 0 type: dword - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableRspndr data: 0 type: dword - - name: "18.5.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + - name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitRspndrOnPrivateNet data: 0 type: dword when: - - rule_18_5_9_2 + - 
win22cis_rule_18_6_9_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.9.2 - - automated + - rule_18.6.9.2 + - patch + - rspndr + - driver -- name: "18.5.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" +- name: "18.6.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Peernet name: Disabled data: 1 type: dword when: - - rule_18_5_10_2 + - win22cis_rule_18_6_10_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.10.2 - - automated + - rule_18.6.10.2 + - patch + - p2p -- name: "18.5.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" +- name: "18.6.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_AllowNetBridge_NLA data: 0 type: dword when: - - rule_18_5_11_2 + - win22cis_rule_18_6_11_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.11.2 - - automated + - rule_18.6.11.2 + - patch + - networkconnections -- name: "18.5.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" +- name: "18.6.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections name: NC_ShowSharedAccessUI data: 0 type: dword when: - - rule_18_5_11_3 + - win22cis_rule_18_5_11_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.11.3 - - automated + - rule_18.6.11.3 + - patch + - networkconnections -- name: "18.5.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled" +- 
name: "18.6.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_StdDomainUserSetLocation data: 1 type: dword when: - - rule_18_5_11_4 + - win22cis_rule_18_6_11_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.11.4 - - automated + - rule_18.6.11.4 + - patch + - networkconnections -- name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" +- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" block: - - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" + - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\NETLOGON" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string - - name: "18.5.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" + - name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\SYSVOL" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string when: - - rule_18_5_14_1 + - win22cis_rule_18_6_14_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.14.1 - - automated + - 
rule_18.6.14.1 + - patch + - paths + - unc -- name: "18.5.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" +- name: "18.6.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters name: DisabledComponents data: 255 type: dword - notify: reboot_windows when: - - rule_18_5_19_2_1 + - win22cis_rule_18_6_19_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.19.2.1 - - automated + - rule_18.6.19.2.1 + - patch + - ipv6 -- name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" +- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" block: - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: EnableRegistrars data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableUPnPRegistrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" 
ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableInBand802DOT11Registrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableFlashConfigRegistrar data: 0 type: dword - - name: "18.5.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + - name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableWPDRegistrar data: 0 type: dword when: - - rule_18_5_20_1 + - win22cis_rule_18_6_20_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.20.1 - - automated + - rule_18.6.20.1 + - patch + - wireless -- name: "18.5.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" +- name: "18.6.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui name: DisableWcnUi data: 1 type: dword when: - - rule_18_5_20_2 + - win22cis_rule_18_6_20_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.5.20.2 - - automated + - rule_18.6.20.2 + - patch + - connectnow -- name: "18.5.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled:3 = Prevent Wi-Fi when on Ethernet" +- name: "18.6.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a 
Windows Domain is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fMinimizeConnections data: 3 type: dword when: - - rule_18_5_21_1 + - win22cis_rule_18_6_21_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.5.21.1 - - automated + - rule_18.6.21.1 + - patch + - gpo -- name: "18.5.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" +- name: "18.6.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fBlockNonDomain data: 1 type: dword when: - - rule_18_5_21_2 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_18_6_21_2 + - win2022cis_is_domain_member tags: - level2-memberserver - - rule_18.5.21.2 - - automated + - rule_18.6.21.2 + - patch + - gpo -- name: "18.6.1 | PATCH | Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'" +- name: "18.7.1 | PATCH | Ensure Allow Print Spooler to accept client connections is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers name: RegisterSpoolerRemoteRpcEndPoint data: 2 type: dword - notify: restart print spooler when: - - rule_18_6_1 + - win22cis_rule_18_7_1 tags: - level1-domaincontroller - level2-memberserver - - rule_18.6.1 - - automated + - rule_18.7.1 + - patch + - printers -- name: "18.6.2 | PATCH | Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'" +- name: "18.7.2 | PATCH | Ensure Configure Redirection Guard is set to Enabled Redirection Guard Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows 
NT\Printers\PointAndPrint - name: NoWarningNoElevationOnInstall + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers + name: RedirectionguardPolicy + data: 2 + type: dword + when: + - win22cis_rule_18_7_2 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.2 + - patch + - printers + +- name: "18.7.3 | PATCH | Ensure Configure RPC connection settings Protocol to use for outgoing RPC connections is set to Enabled RPC over TCP" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcUseNamedPipeProtocol + data: 0 + type: dword + when: + - win22cis_rule_18_7_3 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.3 + - patch + - printers + +- name: "18.7.4 | PATCH | Ensure Configure RPC connection settings Use authentication for outgoing RPC connections is set to Enabled: Default" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcAuthentication + data: 0 + type: dword + when: + - win22cis_rule_18_7_4 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.4 + - patch + - printers + +- name: "18.7.5 | PATCH | Ensure Configure RPC connection settings Use authentication for outgoing RPC connections is set to Enabled: Default" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcProtocols + data: 5 + type: dword + when: + - win22cis_rule_18_7_5 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.5 + - patch + - printers + +- name: "18.7.6 | PATCH | Ensure Configure RPC listener settings Authentication protocol to use for incoming RPC connections is set to Enabled Negotiate or higher" + block: + - name: "18.7.6 | AUDIT | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Warning Check For Variable Standards." 
+ ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win22cis_force_kerberos_for_rpc. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_force_kerberos_for_rpc != 0 + - win22cis_force_kerberos_for_rpc != 1 + + - name: "18.7.6 | AUDIT | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.7.6' + when: + - win22cis_force_kerberos_for_rpc != 0 + - win22cis_force_kerberos_for_rpc != 1 + + - name: "18.7.6 | PATCH | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: ForceKerberosForRpc + data: "{{ win22cis_force_kerberos_for_rpc }}" + type: dword + when: + - win22cis_force_kerberos_for_rpc == 0 or win22cis_force_kerberos_for_rpc == 1 + when: + - win22cis_rule_18_7_6 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.6 + - patch + - printers + +- name: "18.7.7 | PATCH | Ensure Configure RPC over TCP port is set to Enabled: 0" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC + name: RpcTcpPort data: 0 type: dword when: - - rule_18_6_2 + - win22cis_rule_18_7_7 + tags: + - level1-domaincontroller + - level2-memberserver + - rule_18.7.7 + - patch + - printers + +- name: "18.7.8 | PATCH | Ensure Limits print driver installation to Administrators is set to Enabled" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: RestrictDriverInstallationToAdministrators + data: 1 + type: dword + when: + - win22cis_rule_18_7_8 tags: + - 
level1-domaincontroller - level1-memberserver + - rule_18.7.8 + - patch + - printers + - drivers + +- name: "18.7.9 | PATCH | Ensure Manage processing of Queue-specific files is set to Enabled: Limit Queue-specific files to Color profiles" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers + name: CopyFilesPolicy + data: 1 + type: dword + when: + - win22cis_rule_18_7_9 + tags: - level1-domaincontroller - - rule_18.6.2 - - automated + - level1-memberserver + - rule_18.7.9 + - patch + - printers + - drivers -- name: "18.6.3 | PATCH | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'" +- name: "18.7.10 | PATCH | Ensure Point and Print Restrictions When installing drivers for a new connection is set to Enabled Show warning and elevation prompt" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint - name: UpdatePromptSettings - data: 0 + name: NoWarningNoElevationOnInstall + data: 1 type: dword when: - - rule_18_6_3 + - win22cis_rule_18_7_10 tags: + - level1-domaincontroller - level1-memberserver + - rule_18.7.10 + - patch + - printers + +- name: "18.7.11 | PATCH | Ensure Point and Print Restrictions: When updating drivers for an existing connection is set to Enabled: Show warning and elevation prompt" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint + name: UpdatePromptSettings + data: 1 + type: dword + when: + - win22cis_rule_18_7_11 + tags: - level1-domaincontroller - - rule_18.6.3 - - automated + - level1-memberserver + - rule_18.7.11 + - patch + - printers -- name: "18.7.1.1 | PATCH | Ensure Turn off notifications network usage is set to Enabled" +- name: "18.8.1.1 | PATCH | Ensure Turn off notifications network usage is set to Enabled" ansible.windows.win_regedit: path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications name: NoCloudApplicationNotification data: 1 type: dword when: - - rule_18_7_1_1 + - win22cis_rule_18_8_1_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.7.1.1 - - automated + - rule_18.8.1.1 + - patch + - notifications -- name: "18.8.3.1 | PATCH | Ensure Include command line in process creation events is set to Enabled" +- name: "18.9.3.1 | PATCH | Ensure Include command line in process creation events is set to Enabled." ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit name: ProcessCreationIncludeCmdLine_Enabled data: 1 type: dword when: - - rule_18_8_3_1 + - win22cis_rule_18_9_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.3.1 - - automated + - rule_18.9.3.1 + - patch -- name: "18.8.4.1 | PATCH | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" +- name: "18.9.4.1 | PATCH | Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters name: AllowEncryptionOracle data: 0 type: dword when: - - rule_18_8_4_1 + - win22cis_rule_18_9_4_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.4.1 - - automated + - rule_18.9.4.1 + - patch + - encryption_oracle -- name: "18.8.4.2 | PATCH | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" +- name: "18.9.4.2 | PATCH | Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation name: AllowProtectedCreds data: 1 type: dword when: - - rule_18_8_4_2 + - win22cis_rule_18_9_4_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.4.2 - - automated + - rule_18.9.4.2 + - patch + - credentialsdelecation -- name: 
"18.8.5.1 | PATCH | Ensure Turn On Virtualization Based Security is set to Enabled" +- name: "18.9.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: EnableVirtualizationBasedSecurity data: 1 type: dword when: - - rule_18_8_5_1 + - win22cis_rule_18_9_5_1 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.1 - - automated + - rule_18.9.5.1 + - patch + - vbs -- name: "18.8.5.2 | PATCH | Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection" +- name: "18.9.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: RequirePlatformSecurityFeatures data: 3 type: dword when: - - rule_18_8_5_2 + - win22cis_rule_18_9_5_2 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.2 - - automated + - rule_18.9.5.2 + - patch + - vbs -- name: "18.8.5.3 | PATCH | Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock" +- name: "18.9.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: HypervisorEnforcedCodeIntegrity data: 1 type: dword when: - - rule_18_8_5_3 + - win22cis_rule_18_9_5_3 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.3 - - automated + - rule_18.9.5.3 + - patch + - vbs -- name: "18.8.5.4 | PATCH | Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked" +- name: "18.9.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is 
set to True checked" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: HVCIMATRequired data: 1 type: dword when: - - rule_18_8_5_4 + - win22cis_rule_18_9_5_4 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.4 - - automated + - rule_18.9.5.4 + - patch + - vbs -- name: "18.8.5.5 | PATCH | Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" +- name: "18.9.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only | Member Server" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: LsaCfgFlags data: 1 type: dword when: - - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_18_9_5_5 + - win2022cis_is_domain_member tags: - ngws-memberserver - - rule_18.8.5.5 - - automated + - rule_18.9.5.5 + - patch + - vbs -- name: "18.8.5.6 | PATCH | Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only" +- name: "18.9.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only | Domain Controller" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: LsaCfgFlags data: 0 type: dword when: - - rule_18_8_5_6 - - ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_18_9_5_6 + - win2022cis_is_domain_controller tags: - ngws-domaincontroller - - rule_18.8.5.6 - - automated + - rule_18.9.5.6 + - patch + - vbs -- name: "18.8.5.7 | PATCH | Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled" +- name: "18.9.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled" ansible.windows.win_regedit: path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: ConfigureSystemGuardLaunch data: 1 type: dword when: - - rule_18_8_5_7 + - win22cis_rule_18_9_5_7 tags: - ngws-domaincontroller - ngws-memberserver - - rule_18.8.5.7 - - automated + - rule_18.9.5.7 + - patch + - vbs -- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled'" +- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata name: PreventDeviceMetadataFromNetwork data: 1 type: dword when: - - rule_18_8_7_2 + - win22cis_rule_18_8_7_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.7_2 - - automated + - rule_18.8.7.2 + - patch + - metadata -- name: "18.8.14.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" +- name: "18.9.13.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" ansible.windows.win_regedit: path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch name: DriverLoadPolicy data: 3 type: dword when: - - rule_18_8_14_1 + - win22cis_rule_18_9_13_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.14.1 - - automated + - rule_18.9.13.1 + - patch + - drivers -- name: "18.8.21.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" +- name: "18.9.19.2 | PATCH | Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoBackgroundPolicy data: 0 type: dword when: - - rule_18_8_21_2 + - win22cis_rule_18_9_19_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.2 - - 
automated + - rule_18.9.19.2 + - patch + - gpo -- name: "18.8.21.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" +- name: "18.9.19.3 | PATCH | Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoGPOListChanges data: 0 type: dword when: - - rule_18_8_21_3 + - win22cis_rule_18_9_19_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.3 - - automated + - rule_18.9.19.3 + - patch + - gpo -- name: "18.8.21.4 | PATCH | Ensure Continue experiences on this device is set to Disabled" +- name: "18.9.19.4 | PATCH | Ensure Continue experiences on this device is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableCdp data: 0 type: dword when: - - rule_18_8_21_4 + - win22cis_rule_18_9_19_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.4 - - automated + - rule_18.9.19.4 + - patch -- name: "18.8.21.5 | PATCH | Ensure Turn off background refresh of Group Policy is set to Disabled" +- name: "18.9.19.5 | PATCH | Ensure Turn off background refresh of Group Policy is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: true + name: DisableBkGndGroupPolicy + data: 1 + type: dword when: - - rule_18_8_21_5 + - win22cis_rule_18_9_19_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.21.5 - - automated + - rule_18.9.19.5 + - patch + - gpo -- name: "18.8.22.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" +- name: "18.9.20.1.1 | PATCH | Ensure Turn off downloading of print drivers over HTTP is set to Enabled" 
ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableWebPnPDownload data: 1 type: dword when: - - rule_18_8_22_1_1 + - win22cis_rule_18_9_20_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.22.1.1 - - automated + - rule_18.9.20.1.1 + - patch + - drivers + - printers -- name: "18.8.22.1.2 | PATCH | Ensure Turn off handwriting personalization data sharing is set to Enabled" +- name: "18.9.20.1.2 | PATCH | Ensure Turn off handwriting personalization data sharing is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc name: PreventHandwritingDataSharing data: 1 type: dword when: - - rule_18_8_22_1_2 + - win22cis_rule_18_9_20_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.22.1.2 - - automated + - level2-domaincontroller + - level2-memberserver + - rule_18.9.20.1.2 + - patch + - handwriting -- name: "18.8.22.1.3 | PATCH | Ensure Turn off handwriting recognition error reporting is set to Enabled" +- name: "18.9.20.1.3 | PATCH | Ensure Turn off handwriting recognition error reporting is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports name: PreventHandwritingErrorReports data: 1 type: dword when: - - rule_18_8_22_1_3 + - win22cis_rule_18_9_20_1_3 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.3 - - automated + - rule_18.9.20.1.3 + - patch + - handwriting -- name: "18.8.22.1.4 | PATCH | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.9.20.1.4 | PATCH | Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard name: ExitOnMSICW data: 1 type: dword when: - - rule_18_8_22_1_4 + - win22cis_rule_18_9_20_1_4 tags: 
- level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.4 - - automated + - rule_18.9.20.1.4 + - patch + - wizard + - internetconnectionwizard -- name: "18.8.22.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" +- name: "18.9.20.1.5 | PATCH | Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoWebServices data: 1 type: dword when: - - rule_18_8_22_1_5 + - win22cis_rule_18_9_20_1_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.22.1.5 - - automated + - rule_18.9.20.1.5 + - patch + - wizard + - internetdownloadwizard -- name: "18.8.22.1.6 | PATCH | Ensure Turn off printing over HTTP is set to Enabled" +- name: "18.9.20.1.6 | PATCH | Ensure Turn off printing over HTTP is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableHTTPPrinting data: 1 type: dword when: - - rule_18_8_22_1_6 + - win22cis_rule_18_9_20_1_6 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.6 - - automated + - rule_18.9.20.1.6 + - patch + - printers -- name: "18.8.22.1.7 | PATCH | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" +- name: "18.9.20.1.7 | PATCH | Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control name: NoRegistration data: 1 type: dword when: - - rule_18_8_22_1_7 + - win22cis_rule_18_9_20_1_7 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.7 - - automated + - rule_18.9.20.1.7 + - patch + - wizard + - registration -- name: "18.8.22.1.8 | PATCH | Ensure Turn off Search Companion content file updates is set to Enabled" +- name: 
"18.9.20.1.8 | PATCH | Ensure Turn off Search Companion content file updates is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Searchcompanion name: DisableContentFileUpdates data: 1 type: dword when: - - rule_18_8_22_1_8 + - win22cis_rule_18_9_20_1_8 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.8 - - automated + - rule_18.9.20.1.8 + - patch + - search -- name: "18.8.22.1.9 | PATCH | Ensure Turn off the Order Prints picture task is set to Enabled" +- name: "18.9.20.1.9 | PATCH | Ensure Turn off the Order Prints picture task is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoOnlinePrintsWizard data: 1 type: dword when: - - rule_18_8_22_1_9 + - win22cis_rule_18_9_20_1_9 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.9 - - automated + - rule_18.9.20.1.9 + - patch + - printers -- name: "18.8.22.1.10 | PATCH | Ensure Turn off the Publish to Web task for files and folders is set to Enabled" +- name: "18.9.20.1.10 | PATCH | Ensure Turn off the Publish to Web task for files and folders is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoPublishingWizard data: 1 type: dword when: - - rule_18_8_22_1_10 + - win22cis_rule_18_9_20_1_10 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.10 - - automated + - rule_18.8.20.1.10 + - patch + - wizard -- name: "18.8.22.1.11 | PATCH | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" +- name: "18.9.20.1.11 | PATCH | Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Messenger\Client name: CEIP data: 2 type: dword when: - - rule_18_8_22_1_11 + - win22cis_rule_18_9_20_1_11 tags: - level2-domaincontroller - 
level2-memberserver - - rule_18.8.22.1.11 - - automated + - rule_18.9.20.1.11 + - patch + - wmcei -- name: "18.8.22.1.12 | PATCH | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" +- name: "18.9.20.1.12 | PATCH | Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows name: CEIPEnable data: 0 type: dword when: - - rule_18_8_22_1_12 + - win22cis_rule_18_9_20_1_12 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.12 - - automated + - rule_18.9.20.1.12 + - patch + - wmcei -- name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled" +- name: "18.9.20.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled" block: - - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" + - name: "18.9.20.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting name: Disabled data: 1 type: dword - - name: "18.8.22.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" + - name: "18.9.20.1.13 | PATCH | Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting name: DoReport data: 0 type: dword when: - - rule_18_8_22_1_13 + - win22cis_rule_18_9_20_1_13 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.22.1.13 - - automated + - rule_18.9.20.1.13 + - patch + - errorreporting -- name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic" +- name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic" block: - - 
name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" + - name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitBehavior data: 0 type: dword - - name: "18.8.25.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" + - name: "18.9.23.1 | PATCH | Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitEnabled data: 1 type: dword when: - - rule_18_8_25_1 + - win22cis_rule_18_9_23_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.25.1 - - automated + - rule_18.9.23.1 + - patch + - certifcates -- name: "18.8.26.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" +- name: "18.9.24.1 | PATCH | Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Kernel DMA Protection name: DeviceEnumerationPolicy data: 0 type: dword when: - - rule_18_8_26_1 + - win22cis_rule_18_9_24_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.26.1 - - automated + - rule_18.9.24.1 + - patch + - dma + +- name: "18.9.25.1 | PATCH | Ensure Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: AllowCustomSSPsAPs + data: 0 + type: dword + when: + - win22cis_rule_18_9_25_1 + tags: + - 
level1-domaincontroller + - level1-memberserver + - rule_18.9.25.1 + - patch + - lsass + +- name: "18.9.25.2 | PATCH | Ensure Configures LSASS to run as a protected process is set to Enabled: Enabled with UEFI Lock" + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + name: RunAsPPL + data: 1 + type: dword + when: + - win22cis_rule_18_9_25_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.25.2 + - patch + - lsa -- name: "18.8.27.1 | PATCH | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" +- name: "18.9.26.1 | PATCH | Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Control Panel\International name: BlockUserInputMethodsForSignIn data: 1 type: dword when: - - rule_18_8_27_1 + - win22cis_rule_18_9_26_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.27.1 - - automated + - rule_18.9.26.1 + - patch -- name: "18.8.28.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled" +- name: "18.9.17.1 | PATCH | Ensure Block user from showing account details on sign-in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockUserFromShowingAccountDetailsOnSignin data: 1 type: dword when: - - rule_18_8_28_1 + - win22cis_rule_18_9_27_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.1 - - automated + - rule_18.9.27.1 + - patch + - accounts -- name: "18.8.28.2 | PATCH | Ensure Do not display network selection UI is set to Enabled" +- name: "18.9.27.2 | PATCH | Ensure Do not display network selection UI is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontDisplayNetworkSelectionUI data: 1 type: dword when: - - rule_18_8_28_2 + - win22cis_rule_18_9_27_2 tags: - 
level1-domaincontroller - level1-memberserver - - rule_18.8.28.2 - - automated + - rule_18.9.27.2 + - patch -- name: "18.8.28.3 | PATCH | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" +- name: "18.9.27.3 | PATCH | Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontEnumerateConnectedUsers data: 1 type: dword when: - - rule_18_8_28_3 + - win22cis_rule_18_9_27_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.3 - - automated + - rule_18.9.27.3 + - patch + - enumerate -- name: "18.8.28.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" +- name: "18.9.27.4 | PATCH | Ensure Enumerate local users on domain-joined computers is set to Disabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnumerateLocalUsers data: 0 type: dword when: - - rule_18_8_28_4 - - ansible_windows_domain_role == "Member server" + - win22cis_rule_18_9_27_4 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.8.28.4 - - automated + - rule_18.9.27.4 + - patch + - enumerate -- name: "18.8.28.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled" +- name: "18.9.27.5 | PATCH | Ensure Turn off app notifications on the lock screen is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DisableLockScreenAppNotifications data: 1 type: dword when: - - rule_18_8_28_5 + - win22cis_rule_18_9_27_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.5 - - automated + - rule_18.9.27.5 + - patch + - notifications -- name: "18.8.28.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled" +- name: "18.9.27.6 | PATCH | Ensure Turn off picture password sign-in is set to Enabled" 
ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockDomainPicturePassword data: 1 type: dword when: - - rule_18_8_28_6 + - win22cis_rule_18_9_27_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.6 - - automated + - rule_18.9.27.6 + - patch + - logon -- name: "18.8.28.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled" +- name: "18.9.27.7 | PATCH | Ensure Turn on convenience PIN sign-in is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowDomainPINLogon data: 0 type: dword when: - - rule_18_8_28_7 + - win22cis_rule_18_9_27_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.28.7 - - automated + - rule_18.9.27.7 + - patch + - pin -- name: "18.8.31.1 | PATCH | Ensure Allow Clipboard synchronization across devices is set to Disabled" +- name: "18.9.30.1 | PATCH | Ensure Allow Clipboard synchronization across devices is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowCrossDeviceClipboard data: 0 type: dword when: - - rule_18_8_31_1 + - win22cis_rule_18_9_30_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.31.1 - - automated + - rule_18.9.30.1 + - patch + - clipboard -- name: "18.8.31.2 | PATCH | Ensure Allow upload of User Activities is set to Disabled" +- name: "18.9.30.2 | PATCH | Ensure Allow upload of User Activities is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: UploadUserActivities data: 0 type: dword when: - - rule_18_8_31_2 + - win22cis_rule_18_9_30_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.31.2 - - automated + - rule_18.9.30.2 + - patch -- name: "18.8.34.6.1 | PATCH | Ensure Allow network connectivity during connected-standby on battery is set to Disabled" +- name: "18.9.32.6.1 | PATCH | Ensure Allow network connectivity 
during connected-standby on battery is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: DCSettingIndex data: 0 type: dword when: - - rule_18_8_34_6_1 + - win22cis_rule_18_9_32_6_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.34.6.1 - - automated + - rule_18.9.32.6.1 + - patch + - power -- name: "18.8.34.6.2 | PATCH | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" +- name: "18.9.32.6.2 | PATCH | Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: ACSettingIndex data: 0 type: dword when: - - rule_18_8_34_6_2 + - win22cis_rule_18_3_32_6_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.34.6.2 - - automated + - rule_18.9.32.6.2 + - patch + - power -- name: "18.8.34.6.3 | PATCH | Ensure Require a password when a computer wakes on battery is set to Enabled" +- name: "18.9.32.6.3 | PATCH | Ensure Require a password when a computer wakes on battery is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: DCSettingIndex data: 1 type: dword when: - - rule_18_8_34_6_3 + - win22cis_rule_18_9_32_6_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.34.6.3 - - automated + - rule_18.9.32.6.3 + - patch + - power + - logon -- name: "18.8.34.6.4 | PATCH | Ensure Require a password when a computer wakes plugged in is set to Enabled" +- name: "18.9.32.6.4 | PATCH | Ensure Require a password when a computer wakes plugged in is set to Enabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: ACSettingIndex data: 1 type: dword when: - - 
rule_18_8_34_6_4 + - win22cis_rule_18_9_32_6_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.34.6.4 - - automated + - rule_18.9.32.6.4 + - patch + - logon -- name: "18.8.36.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled" +- name: "18.9.34.1 | PATCH | Ensure Configure Offer Remote Assistance is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowUnsolicited data: 0 type: dword when: - - rule_18_8_36_1 + - win22cis_rule_18_9_34_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.36.1 - - automated + - rule_18.9.34.1 + - patch + - cora -- name: "18.8.36.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled" +- name: "18.9.34.2 | PATCH | Ensure Configure Solicited Remote Assistance is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowToGetHelp data: 0 type: dword when: - - rule_18_8_36_2 + - win22cis_rule_18_9_34_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.8.36.2 - - automated + - rule_18.9.34.2 + - patch + - csra -- name: "18.8.37.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" +- name: "18.9.35.1 | PATCH | Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: EnableAuthEpResolution data: 1 type: dword when: - - rule_18_8_37_1 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_18_9_35_1 + - win2022cis_is_domain_member tags: - level1-memberserver - - rule_18.8.37.1 - - automated + - rule_18.9.35.1 + - patch + - rpc -- name: "18.8.37.2 | PATCH | Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" +- name: "18.9.35.2 | PATCH | Ensure Restrict Unauthenticated RPC 
clients is set to Enabled Authenticated MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: RestrictRemoteClients data: 1 type: dword when: - - rule_18_8_37_2 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_18_9_35_2 + - win2022cis_is_domain_member tags: - level2-memberserver - - rule_18.8.37.2 - - automated + - rule_18.9.35.2 + - patch + - rpc -- name: "18.8.40.1 | PATCH | Ensure Configure validation of ROCA-vulnerable WHfB keys during authentication is set to Enabled Audit or higher (DC only)" +- name: "18.9.38.1 | PATCH | Ensure Configure validation of ROCA-vulnerable WHfB keys during authentication is set to Enabled: Audit or higher" ansible.windows.win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SAM name: SamNGCKeyROCAValidation - data: "{{ win22cis_sam_ng_key_roc }}" + data: 1 type: dword when: - - rule_18_8_40_1 + - win22cis_rule_18_9_38_1 - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.8.40.1 - - automated + - level1-domaincontroller + - rule_18.9.38.1 + - patch + - sam -- name: "18.8.48.5.1 | PATCH | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" +- name: "18.9.46.5.1 | PATCH | Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy name: DisableQueryRemoteServer data: 0 type: dword when: - - rule_18_8_48_5_1 + - win22cis_rule_18_9_46_5_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.48.5.1 - - automated + - rule_18.9.46.5.1 + - patch + - msdt -- name: "18.8.48.11.1 | PATCH | Ensure EnableDisable PerfTrack is set to 
Disabled" +- name: "18.9.46.11.1 | PATCH | Ensure EnableDisable PerfTrack is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} name: ScenarioExecutionEnabled data: 0 type: dword when: - - rule_18_8_48_11_1 + - win22cis_rule_18_9_46_11_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.48.11.1 - - automated + - rule_18.9.46.11.1 + - patch + - pertrack -- name: "18.8.50.1 | PATCH | Ensure Turn off the advertising ID is set to Enabled" +- name: "18.9.48.1 | PATCH | Ensure Turn off the advertising ID is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo name: DisabledByGroupPolicy data: 1 type: dword when: - - rule_18_8_50_1 + - win22cis_rule_18_9_48_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.50.1 - - automated + - rule_18.9.48.1 + - patch + - advertising -- name: "18.8.53.1.1 | PATCH | Ensure Enable Windows NTP Client is set to Enabled" +- name: "18.9.50.1.1 | PATCH | Ensure Enable Windows NTP Client is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient name: Enabled data: 1 type: dword when: - - rule_18_8_53_1_1 + - win22cis_rule_18_9_50_1_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.8.53.1.1 - - automated + - rule_18.9.50.1.1 + - patch + - ntp -- name: "18.8.53.1.2 | PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only" +- name: "18.9.50.1.2 | PATCH | Ensure Enable Windows NTP Server is set to Disabled MS only | Member Server" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver name: Enabled data: 1 type: dword when: - - rule_18_8_53_1_2 - - not ansible_windows_domain_role == "Primary domain controller" + - win22cis_rule_18_9_50_1_2 + - win2022cis_is_domain_member tags: - level2-memberserver - - rule_18.8.53.1.2 - - automated + 
- rule_18.9.50.1.2 + - patch + - ntp -- name: "18.9.4.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled" +- name: "18.10.3.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager name: AllowSharedLocalAppData data: 0 type: dword when: - - rule_18_9_4_1 + - win22cis_rule_18_10_3_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.4.1 - - automated + - rule_18.10.3.1 + - patch + - data -- name: "18.9.6.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled" +- name: "18.10.5.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: MSAOptional data: 1 type: dword when: - - rule_18_9_6_1 + - win22cis_rule_18_10_5_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.6.1 - - automated + - rule_18.10.5.1 + - patch + - accounts -- name: "18.9.8.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled" +- name: "18.10.7.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoAutoplayfornonVolume data: 1 type: dword when: - - rule_18_9_8_1 + - win22cis_rule_18_10_7_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.8.1 - - automated + - rule_18.10.7.1 + - patch + - autoplay -- name: "18.9.8.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" +- name: "18.10.7.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoAutorun 
data: 1 type: dword when: - - rule_18_9_8_2 + - win22cis_rule_18_10_7_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.8.2 - - automated + - rule_18.10.7.2 + - patch + - autorun -- name: "18.9.8.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives" +- name: "18.10.7.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoDriveTypeAutoRun data: 255 type: dword when: - - rule_18_9_8_3 + - win22cis_rule_18_10_7_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.8.3 - - automated + - rule_18.10.7.3 + - patch + - autoplay -- name: "18.9.10.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled" +- name: "18.10.8.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures name: EnhancedAntiSpoofing data: 1 type: dword when: - - rule_18_9_10_1_1 + - win22cis_rule_18_10_8_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.10.1.1 - - automated + - rule_18.10.8.1.1 + - patch + - antispoofing -- name: "18.9.12.1 | PATCH | Ensure Allow Use of Camera is set to Disabled" +- name: "18.10.10.1 | PATCH | Ensure Allow Use of Camera is set to Disabled" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Camera name: AllowCamera - data: 1 + data: 0 type: dword when: - - rule_18_9_12_1 + - win22cis_rule_18_10_10_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.12.1 - - automated + - rule_18.10.10.1 + - patch + - camera -- name: "18.9.14.1 | PATCH | Ensure Turn off cloud consumer account state content is set to Enabled" +- name: "18.10.12.1 | PATCH | Ensure Turn off cloud consumer account state content is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent + path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent name: DisableConsumerAccountStateContent data: 1 type: dword when: - - rule_18_9_14_1 + - win22cis_rule_18_10_12_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.14.1 - - manual + - rule_18.10.12.1 + - patch + - cloud -- name: "18.9.14.2 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "18.10.12.2 | PATCH | Ensure Turn off cloud optimized content is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableWindowsConsumerFeatures + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent + name: DisableCloudOptimizedContent data: 1 type: dword when: - - rule_18_9_14_2 + - win22cis_rule_18_10_12_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.14.2 - - automated + - rule_18.10.12.2 + - patch + - cloud -- name: "18.9.15.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" +- name: "18.10.12.3 | PATCH | Ensure Turn off Microsoft consumer experiences is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect - name: RequirePinForPairing - data: "{{ win22cis_require_pin_pairing }}" + path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent + name: DisableWindowsConsumerFeatures + data: 1 type: dword when: - - rule_18_9_15_1 + - win22cis_rule_18_10_12_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.15.1 + - rule_18.10.12.3 + - patch + - cloud + +- name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" + block: + - name: "18.10.13.1 | AUDIT | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win22cis_require_pin_for_pairing. 
Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_require_pin_for_pairing != 1 + - win22cis_require_pin_for_pairing != 2 + + - name: "18.10.13.1 | AUDIT | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.13.1' + when: + - win22cis_require_pin_for_pairing != 1 + - win22cis_require_pin_for_pairing != 2 + + - name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect + name: RequirePinForPairing + data: "{{ win22cis_require_pin_for_pairing }}" + type: dword + when: + - win22cis_require_pin_for_pairing == 1 or win22cis_require_pin_for_pairing == 2 + when: + - win22cis_rule_18_10_13_1 + tags: + - level1-corporate-enterprise-environment + - rule_18.10.13.1 - automated + - patch + - pin -- name: "18.9.16.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" +- name: "18.10.14.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Credui name: DisablePasswordReveal data: 1 type: dword when: - - rule_18_9_16_1 + - win22cis_rule_18_10_14_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.16.1 - - automated + - rule_18.10.14.1 + - patch + - gui -- name: "18.9.16.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" +- name: "18.10.14.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui name: EnumerateAdministrators data: 0 type: dword when: - - rule_18_9_16_2 + - win22cis_rule_18_10_14_2 tags: - 
level1-domaincontroller - level1-memberserver - - rule_18.9.16.2 - - automated + - rule_18.10.14.2 + - patch + - accounts -- name: "18.9.17.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled Diagnostic data off (not recommended) or Enabled Send required diagnostic data" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: AllowTelemetry - data: "{{ win22cis_diag_data }}" - type: dword +- name: "18.10.15.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data" + block: + - name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win22cis_allow_telemetry. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_allow_telemetry != 0 + - win22cis_allow_telemetry != 1 + + - name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.15.1' + when: + - win22cis_allow_telemetry != 0 + - win22cis_allow_telemetry != 1 + + - name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Set Variable." 
+ ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: AllowTelemetry + data: "{{ win22cis_allow_telemetry }}" + type: dword + when: + - win22cis_allow_telemetry == 0 or win22cis_allow_telemetry == 1 when: - - rule_18_9_17_1 + - win22cis_rule_18_10_15_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.17.1 + - level1-corporate-enterprise-environment + - rule_18.10.15.1 - automated + - patch + - diagnostics -- name: "18.9.17.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" +- name: "18.10.15.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\Software\Policies\Microsoft\Windows\DataCollection name: DisableEnterpriseAuthProxy - data: 0 + data: 1 type: dword when: - - rule_18_9_17_2 + - win22cis_rule_18_10_15_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.17.2 - - automated + - rule_18.10.15.2 + - patch + - datacollection -- name: "18.9.17.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled" +- name: "18.10.15.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: DisableOneSettingsDownloads data: 1 type: dword when: - - rule_18_9_17_3 + - win22cis_rule_18_10_15_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.3 - - automated + - rule_18.10.15.3 + - patch + - onesettings -- name: "18.9.17.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled" +- name: "18.10.15.4 | PATCH | Ensure Do not show feedback notifications 
is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: DoNotShowFeedbackNotifications data: 1 type: dword when: - - rule_18_9_17_4 + - win22cis_rule_18_10_15_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.4 - - automated + - rule_18.10.15.4 + - patch + - datacollection -- name: "18.9.17.5 | PATCH | Ensure Enable OneSettings Auditing is set to Enabled" +- name: "18.10.15.5 | PATCH | Ensure Enable OneSettings Auditing' is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: EnableOneSettingsAuditing data: 1 type: dword when: - - rule_18_9_17_5 + - win22cis_rule_18_10_15_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.5 - - automated + - rule_18.10.15.5 + - patch + - datacollection -- name: "18.9.17.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled" +- name: "18.10.15.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: LimitDiagnosticLogCollection data: 1 type: dword when: - - rule_18_9_17_6 + - win22cis_rule_18_10_15_6 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.6 - - automated + - rule_18.10.15.6 + - patch + - datacollection -- name: "18.9.17.7 | PATCH | Ensure Limit Dump Collection is set to Enabled" +- name: "18.10.15.7 | PATCH | Ensure Limit Dump Collection is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection name: LimitDumpCollection data: 1 type: dword when: - - rule_18_9_17_6 + - win22cis_rule_18_10_15_7 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.6 
- - automated + - rule_18.10.15.7 + - patch + - datacollection -- name: "18.9.17.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" +- name: "18.10.15.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds name: AllowBuildPreview data: 0 type: dword when: - - rule_18_9_17_8 + - win22cis_rule_18_10_15_8 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.17.8 - - automated + - rule_18.10.15.8 + - patch + - previewbuilds -- name: "18.9.27.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.17.1 | PATCH | Ensure Enable App Installer is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application - name: Retention + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableAppInstaller data: 0 - type: string + type: dword when: - - rule_18_9_27_1_1 + - win22cis_rule_18_10_17_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.1.1 - - automated + - rule_18.10.17.1 + - patch + - appinstaller -- name: "18.9.27.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "18.10.17.2 | PATCH | Ensure Enable App Installer Experimental Features is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application - name: MaxSize - data: "{{ win22cis_elm_applog_max_size }}" + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableExperimentalFeatures + data: 0 type: dword when: - - rule_18_9_27_1_2 + - win22cis_rule_18_10_17_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.1.2 - - automated + - rule_18.10.17.2 + - patch + - appinstaller -- name: "18.9.27.2.1 | PATCH | Ensure Security Control Event 
Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.17.3 | PATCH | Ensure Enable App Installer Hash Override is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableHashOverride + data: 0 + type: dword + when: + - win22cis_rule_18_10_17_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.17.3 + - patch + - appinstaller + +- name: "18.10.17.4 | PATCH | Ensure Enable App Installer ms-appinstaller protocol is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller + name: EnableMSAppInstallerProtocol + data: 0 + type: dword + when: + - win22cis_rule_18_10_17_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.17.4 + - patch + - appinstaller + +- name: "18.10.26.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application name: Retention data: 0 type: string when: - - rule_18_9_27_2_1 + - win22cis_rule_18_10_26_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.2.1 - - automated + - rule_18.10.26.1.1 + - patch + - eventlog + +- name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" + block: + - name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid file size set for win22cis_application_max_log_file_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." 
+ when: win22cis_application_max_log_file_size < 32768 + + - name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.26.1.2' + when: win22cis_application_max_log_file_size < 32768 + + - name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Set File Size." + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application + name: MaxSize + data: "{{ win22cis_application_max_log_file_size }}" + type: dword + when: win22cis_application_max_log_file_size >= 32768 + when: + - win22cis_rule_18_10_26_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.26.1.2 + - patch + - eventlog -- name: "18.9.27.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" +- name: "18.10.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: MaxSize - data: "{{ win22cis_elm_seclog_max_size }}" - type: dword + name: Retention + data: 0 + type: string when: - - rule_18_9_27_2_2 + - win22cis_rule_18_10_26_2_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.2.2 - - automated + - rule_18.10.26.2.1 + - patch + - eventlog + +- name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" + block: + - name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! 
You have an invalid file size set for win22cis_security_max_log_file_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_security_max_log_file_size < 196608 + + - name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.26.2.2' + when: win22cis_security_max_log_file_size < 196608 + + - name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: MaxSize + data: "{{ win22cis_security_max_log_file_size }}" + type: dword + when: win22cis_security_max_log_file_size >= 196608 + when: + - win22cis_rule_18_10_26_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.26.2.2 + - patch + - eventlog -- name: "18.9.27.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: Retention data: 0 type: string when: - - rule_18_9_27_3_1 + - win22cis_rule_18_10_26_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.3.1 - - automated + - rule_18.10.26.3.1 + - patch + - eventlog -- name: "18.9.27.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup - name: MaxSize - data: "{{ win22cis_elm_setup_max_size }}" - type: dword +- name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum 
log file size KB is set to Enabled 32768 or greater" + block: + - name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid file size set for win22cis_setup_max_log_file_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_setup_max_log_file_size < 32768 + + - name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.26.3.2' + when: win22cis_setup_max_log_file_size < 32768 + + - name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable." + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup + name: MaxSize + data: "{{ win22cis_setup_max_log_file_size }}" + type: dword + when: win22cis_setup_max_log_file_size >= 32768 when: - - rule_18_9_27_3_2 + - win22cis_rule_18_10_26_3_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.3.2 - - automated + - rule_18.10.26.3.2 + - patch + - eventlog -- name: "18.9.27.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "18.10.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: Retention data: 0 type: string when: - - rule_18_9_27_4_1 + - win22cis_rule_18_10_26_4_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.4.1 - - automated + - rule_18.10.26.4.1 + - patch + - eventlog -- name: "18.9.27.4.2 | PATCH | Ensure System Specify the 
maximum log file size KB is set to Enabled 32768 or greater" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: MaxSize - data: "{{ win22cis_elm_syslog_max_size }}" - type: dword +- name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" + block: + - name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid file size set for win22cis_system_max_log_file_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_system_max_log_file_size < 32768 + + - name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.26.4.2' + when: win22cis_system_max_log_file_size < 32768 + + - name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable." 
+ ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: MaxSize + data: "{{ win22cis_system_max_log_file_size }}" + type: dword + when: win22cis_system_max_log_file_size >= 32768 when: - - rule_18_9_27_4_2 + - win22cis_rule_18_10_26_4_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.27.4.2 - - automated + - rule_18.10.26.4.2 + - patch + - eventlog -- name: "18.9.31.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" +- name: "18.10.29.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoDataExecutionPrevention data: 0 type: dword when: - - rule_18_9_31_2 + - win22cis_rule_18_10_29_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.31.2 - - automated + - rule_18.10.29.2 + - patch + - dep -- name: "18.9.31.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled" +- name: "18.10.29.3 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoHeapTerminationOnCorruption data: 0 type: dword when: - - rule_18_9_31_3 + - win22cis_rule_18_10_29_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.31.3 - - automated + - rule_18.10.29.3 + - patch + - heap -- name: "18.9.31.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled" +- name: "18.10.29.4 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: PreXPSP2ShellProtocolBehavior data: 0 type: dword when: - - rule_18_9_31_4 + - win22cis_rule_18_10_29_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.31.4 - - automated + - rule_18.10.29.4 + - patch + - shell -- 
name: "18.9.41.1| PATCH | Ensure Turn off location is set to Enabled" +- name: "18.10.37.1 | PATCH | Ensure Turn off location is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors name: DisableLocation data: 1 type: dword when: - - rule_18_9_41_1 + - win22cis_rule_18_10_37_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.41.1 - - automated + - rule_18.10.37.1 + - patch + - location -- name: "18.9.45.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled" +- name: "18.10.41.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Messaging name: AllowMessageSync data: 0 type: dword when: - - rule_18_9_45_1 + - win22cis_rule_18_10_41_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.45.1 - - automated + - rule_18.10.41.1 + - patch + - msc -- name: "18.9.46.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled" +- name: "18.10.42.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount name: DisableUserAuth data: 1 type: dword when: - - rule_18_9_46_1 + - win22cis_rule_18_10_42_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.46.1 - - automated + - rule_18.10.42.1 + - patch + - account -- name: "18.9.47.4.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" +- name: "18.10.43.5.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: LocalSettingOverrideSpynetReporting data: 0 type: dword when: - - rule_18_9_47_4_1 + - win22cis_rule_18_10_43_5_1 tags: - level1-domaincontroller - 
level1-memberserver - - rule_18.9.47.4.1 - - automated + - rule_18.10.43.5.1 + - patch + - maps -- name: "18.9.47.4.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled" +- name: "18.10.43.5.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: SpynetReporting data: 0 type: dword when: - - rule_18_9_47_4_2 + - win22cis_rule_18_10_43_5_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.47.4.2 - - automated + - rule_18.10.43.5.2 + - patch + - maps -- name: "18.9.47.5.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled" +- name: "18.10.43.6.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR name: ExploitGuard_ASR_Rules data: 1 type: dword when: - - rule_18_9_47_5_1_1 + - win22cis_rule_18_10_43_6_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.5.1.1 - - automated + - rule_18.10.43.6.1.1 + - patch + - defender -- name: "18.9.47.5.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" +- name: "18.10.43.6.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules name: "{{ item }}" 
@@ -2110,856 +2749,1038 @@ - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - d3e037e1-3eb8-44c8-a917-57927947596d - d4f940ab-401b-4efc-aadc-ad5f3c50688a + - e6db77e5-3df2-4cf1-b95a-636979351e5b when: - - rule_18_9_47_5_1_2 + - win22cis_rule_18_10_43_6_1_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.5.1.2 - - automated + - rule_18.10.43.6.1.2 + - patch + - defender -- name: "18.9.47.5.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" +- name: "18.10.43.6.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection name: EnableNetworkProtection data: 1 type: dword when: - - rule_18_9_47_5_3_1 + - win22cis_rule_18_10_43_6_3_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.5.3.1 - - automated + - rule_18.10.43.6.3.1 + - patch + - defender -- name: "18.9.47.6.1 | PATCH | Ensure Enable file hash computation feature is set to Enabled" +- name: "18.10.43.7.1 | PATCH | (L2) Ensure Enable file hash computation feature is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\MpEngine + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine name: EnableFileHashComputation data: 1 type: dword when: - - rule_18_9_47_6_1 + - win22cis_rule_18_10_43_7_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.47.6.1 - - automated + - rule_18.10.43.7.1 + - patch + - defender -- name: "18.9.47.9.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled'" +- name: "18.10.43.10.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time 
Protection name: DisableIOAVProtection data: 0 type: dword when: - - rule_18_9_47_9_1 + - win22cis_rule_18_10_43_10_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.1 - - automated + - rule_18.10.43.10.1 + - patch + - defender + - real_time_protection -- name: "18.9.47.9.2 | PATCH | Ensure Scan Turn off real-time protection is set to is set to Disabled" +- name: "18.10.43.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableRealtimeMonitoring data: 1 - type: dword + datatype: dword when: - - rule_18_9_47_9_2 + - win22cis_rule_18_10_43_10_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.2 - - automated + - rule_18.10.43.10.2 + - patch + - defender + - real_time_protection -- name: "18.9.47.9.3 | PATCH | Ensure Scan Turn on behavior monitoring is set to is set to Enabled" +- name: "18.10.43.10.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableBehaviorMonitoring - data: 1 + data: 0 type: dword when: - - rule_18_9_47_9_3 + - win22cis_rule_18_10_43_10_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.3 - - automated + - rule_18.10.43.10.3 + - patch + - defender + - real_time_protection -- name: "18.9.47.9.4 | PATCH | Ensure Scan Turn on script scanning is set to is set to Enabled" +- name: "18.10.43.10.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableScriptScanning - data: 1 + data: 0 type: dword when: - - rule_18_9_47_9_4 + 
- win22cis_rule_18_10_43_10_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.9.4 - - automated + - rule_18.10.43.10.4 + - patch + - defender + - real_time_protection -- name: "18.9.47.11.1 | PATCH | Ensure Configure Watson events is set to Disabled" +- name: "18.10.43.12.1 | PATCH | Ensure Configure Watson events is set to Disabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting name: DisableGenericRePorts data: 1 type: dword when: - - rule_18_9_47_11_1 + - win22cis_rule_18_10_43_12_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.47.11.1 - - automated + - rule_18.10.43.12.1 + - patch + - defender -- name: "18.9.47.12.1 | PATCH | Ensure Scan removable drives is set to Enabled" +- name: "18.10.43.13.1 | PATCH | Ensure Scan removable drives is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableRemovableDriveScanning data: 0 type: dword when: - - rule_18_9_47_12_1 + - win22cis_rule_18_10_43_13_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.12.1 - - automated + - rule_18.10.43.13.1 + - patch + - defender -- name: "18.9.47.12.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled" +- name: "18.10.43.13.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableEmailScanning data: 0 type: dword when: - - rule_18_9_47_12_2 + - win22cis_rule_18_10_43_13_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.12.2 - - automated + - rule_18.10.43.13.2 + - patch + - defender -- name: "18.9.47.15 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block" +- name: "18.10.43.16 | PATCH | Ensure Configure detection for potentially unwanted 
applications is set to Enabled Block" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: PUAProtection data: 1 type: dword when: - - rule_18_9_47_15 + - win22cis_rule_18_10_43_16 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.15 - - automated + - rule_18.10.43.16 + - patch + - defender -- name: "18.9.47.16 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled" +- name: "18.10.43.17 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: DisableAntiSpyware data: 0 type: dword when: - - rule_18_9_47_16 + - win22cis_rule_18_10_43_17 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.47.16 - - automated + - rule_18.10.43.17 + - patch + - defender -- name: "18.9.58.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" +- name: "18.10.51.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive name: DisableFileSyncNGSC data: 1 type: dword when: - - rule_18_9_58_1 + - win22cis_rule_18_10_51_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.58.1 - - automated + - rule_18.10.51.1 + - patch + - onedrive -- name: "18.9.64.1 | PATCH | Ensure Turn off Push To Install service is set to Enabled" +- name: "18.10.56.1 | PATCH | (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\PushToInstall + path: HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall name: DisablePushToInstall data: 1 type: dword when: - - rule_18_9_64_1 + - win22cis_rule_18_10_56_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.64.1 - - automated + - rule_18.10.56.1 + - patch + - pushtoinstall -- name: "18.9.65.2.2 | PATCH | Ensure Do not allow 
passwords to be saved is set to Enabled" +- name: "18.10.57.2.2 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DisablePasswordSaving data: 1 type: dword when: - - rule_18_9_65_2_2 + - win22cis_rule_18_10_57_2_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.2.2 - - automated + - rule_18.10.57.2.2 + - patch + - terminalservices -- name: "18.9.65.3.2.1 | PATCH | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" +- name: "18.10.57.3.2.1 | PATCH | Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fSingleSessionPerUser data: 1 type: dword when: - - rule_18_9_65_3_2_1 + - win22cis_rule_18_10_57_3_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.2.1 - - automated + - rule_18.10.57.3.2.1 + - patch + - terminalservices -- name: "18.9.65.3.3.1 | PATCH | Ensure Allow UI Automation redirection is set to Disabled" +- name: "18.10.57.3.3.1 | PATCH | Ensure Allow UI Automation redirection is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: EnableUiaRedirection - data: 1 + data: 0 type: dword when: - - rule_18_9_65_3_3_1 + - win22cis_rule_18_10_57_3_3_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.3.1 - - automated + - rule_18.10.57.3.3.1 + - patch + - terminalservices -- name: "18.9.65.3.3.2 | PATCH | Ensure Do not allow COM port redirection is set to Enabled" +- name: "18.10.57.3.3.2 | PATCH | Ensure Do not allow COM port redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCcm data: 1 type: dword 
when: - - rule_18_9_65_3_3_2 + - win22cis_rule_18_10_57_3_3_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.3.2 - - automated + - rule_18.10.57.3.3.2 + - patch + - terminalservices -- name: "18.9.65.3.3.3 | PATCH | Ensure Do not allow drive redirection is set to Enabled" +- name: "18.10.57.3.3.3 | PATCH | Ensure Do not allow drive redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCdm data: 1 type: dword when: - - rule_18_9_65_3_3_3 + - win22cis_rule_18_10_57_3_3_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.3.3 - - automated + - rule_18.10.57.3.3.3 + - patch + - terminalservices -- name: "18.9.65.3.3.4 | PATCH | Ensure Do not allow location redirection is set to Enabled" +- name: "18.10.57.3.3.4 | PATCH | Ensure Do not allow location redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableLocationRedir data: 1 type: dword when: - - rule_18_9_65_3_3_4 + - win22cis_rule_18_10_57_3_3_4 tags: - - level2-hssde - - rule_18.9.59.3.3.4 - - automated + - level1-domaincontroller + - level1-memberserver + - rule_18.10.57.3.3.4 + - patch + - terminalservices -- name: "18.9.65.3.3.5 | PATCH | Ensure Do not allow LPT port redirection is set to Enabled" +- name: "18.10.57.3.3.5 | PATCH | Ensure Do not allow LPT port redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableLPT data: 1 type: dword when: - - rule_18_9_65_3_3_5 + - win22cis_rule_18_10_57_3_3_5 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.3.5 - - automated + - rule_18.10.57.3.3.5 + - patch + - terminalservices -- name: "18.9.65.3.3.6 | PATCH | Ensure Do not allow supported Plug and Play device redirection is set to Enabled" +- name: "18.10.57.3.3.6 | PATCH | Ensure Do not 
allow supported Plug and Play device redirection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisablePNPRedir data: 1 type: dword when: - - rule_18_9_65_3_3_6 + - win22cis_rule_18_10_57_3_3_6 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.3.6 - - automated + - rule_18.10.57.3.3.6 + - patch + - terminalservicess + +- name: "18.10.57.3.3.7 | PATCH | Ensure Do not allow WebAuthn redirection is set to Enabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableWebAuthn + data: 1 + type: dword + when: + - win22cis_rule_18_10_57_3_3_6 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.10.57.3.3.7 + - patch + - terminalservicess -- name: "18.9.65.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled" +- name: "18.10.57.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fPromptForPassword data: 1 type: dword when: - - rule_18_9_65_3_9_1 + - win22cis_rule_18_10_57_3_9_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.1 - - automated + - rule_18.10.57.3.9.1 + - patch + - terminalservices -- name: "18.9.65.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled" +- name: "18.10.57.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fEncryptRPCTraffic data: 1 type: dword when: - - rule_18_9_65_3_9_2 + - win22cis_rule_18_10_57_3_9_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.2 - - automated + - rule_18.10.57.3.9.2 + - patch + - terminalservices -- name: "18.9.65.3.9.3 | PATCH | Ensure Require use of specific security layer 
for remote RDP connections is set to Enabled SSL" +- name: "18.10.57.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: SecurityLayer data: 2 type: dword when: - - rule_18_9_65_3_9_3 + - win22cis_rule_18_10_57_3_9_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.3 - - automated + - rule_18.10.57.3.9.3 + - patch + - terminalservices -- name: "18.9.65.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" +- name: "18.10.57.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: UserAuthentication data: 1 type: dword when: - - rule_18_9_65_3_9_4 + - win22cis_rule_18_10_57_3_9_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.4 - - automated + - rule_18.10.57.3.9.4 + - patch + - terminalservices -- name: "18.9.65.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level" +- name: "18.10.57.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MinEncryptionLevel data: 3 type: dword when: - - rule_18_9_65_3_9_5 + - win22cis_rule_18_10_57_3_9_5 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.9.5 - - automated + - rule_18.10.57.3.9.5 + - patch + - terminalservices -- name: "18.9.65.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 
- name: MaxIdleTime - data: "{{ win22cis_terminal_max_idle_time }}" - type: dword +- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" + block: + - name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid time set for win22cis_idle_rdp_session_disconnect_time please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_idle_rdp_session_disconnect_time == 0 or + win22cis_idle_rdp_session_disconnect_time > 900000 + + - name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.57.3.10.1' + when: + - win22cis_idle_rdp_session_disconnect_time == 0 or + win22cis_idle_rdp_session_disconnect_time > 900000 + + - name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less | Set Variable." 
+ ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxIdleTime + data: "{{ win22cis_idle_rdp_session_disconnect_time }}" + type: dword + when: + - win22cis_idle_rdp_session_disconnect_time == 60000 or + win22cis_idle_rdp_session_disconnect_time == 300000 or + win22cis_idle_rdp_session_disconnect_time == 600000 or + win22cis_idle_rdp_session_disconnect_time == 900000 when: - - rule_18_9_65_3_10_1 + - win22cis_rule_18_10_57_3_10_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.10.1 - - automated + - rule_18.10.57.3.10.1 + - patch + - terminalservices -- name: "18.9.65.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" +- name: "18.10.57.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxDisconnectionTime data: 60000 type: dword when: - - rule_18_9_65_3_10_2 + - win22cis_rule_18_10_57_3_10_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.65.3.10.2 - - automated + - rule_18.10.57.3.10.2 + - patch + - terminalservices -- name: "18.9.65.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled" +- name: "18.10.57.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DeleteTempDirsOnExit data: 1 type: dword when: - - rule_18_9_65_3_11_1 + - win22cis_rule_18_10_57_3_11_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.11.1 - - automated + - rule_18.10.57.3.11.1 + - patch + - terminalservices -- name: "18.9.65.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled" +- name: "18.10.57.3.11.2 | PATCH | Ensure Do not use temporary folders per session is set to Disabled" 
ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: PerSessionTempDir data: 1 type: dword when: - - rule_18_9_65_3_11_2 + - win22cis_rule_18_10_57_3_11_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.65.3.11.2 - - automated + - rule_18.10.57.3.11.2 + - patch + - terminalservices -- name: "18.9.66.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled" +- name: "18.10.58.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds name: DisableEnclosureDownload data: 1 type: dword when: - - rule_18_9_66_1 + - win22cis_rule_18_10_58_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.66.1 - - automated + - rule_18.10.58.1 + - patch + - enclosure -- name: "18.9.67.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" +- name: "18.10.59.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowCloudSearch data: 0 type: dword when: - - rule_18_9_67_2 + - win22cis_rule_18_10_59_2 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.67.2 - - automated + - rule_18.10.59.2 + - patch + - search + - cloud -- name: "18.9.67.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled" +- name: "18.10.59.3 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowIndexingEncryptedStoresOrItems data: 0 type: dword when: - - rule_18_9_67_3 + - win22cis_rule_18_10_59_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.67.3 - - automated + - rule_18.10.59.3 + - patch + - search + - encrypted + +- name: "18.10.59.4 | PATCH | Ensure Allow search highlights is set to 
Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: EnableDynamicContentInWSB + data: 0 + type: dword + when: + - win22cis_rule_18_10_59_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.59.4 + - patch + - search -- name: "18.9.72.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" +- name: "18.10.63.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform name: NoGenTicket data: 1 type: dword when: - - rule_18_9_72_1 + - win22cis_rule_18_10_63_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.72.1 - - automated + - rule_18.10.63.1 + - patch + - kms -- name: "18.9.85.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" +- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: - - name: "18.9.85.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + - name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnableSmartScreen data: 1 type: dword - - name: "18.9.85.1.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + - name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel data: Block type: string when: - - rule_18_9_85_1_1 + - win22cis_rule_18_10_76_2_1 tags: - 
level1-domaincontroller - level1-memberserver - - rule_18.9.85.1.1 - - automated + - rule_18.10.76.2.1 + - patch + - defender -- name: "18.9.89.1 | PATCH | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" +- name: "18.10.80.1 | PATCH | Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace name: AllowSuggestedAppsInWindowsInkWorkspace data: 0 type: dword when: - - rule_18_9_89_1 + - win22cis_rule_18_10_80_1 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.89.1 - - automated + - rule_18.10.80.1 + - patch + - wik -- name: "18.9.89.2 | PATCH | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" +- name: "18.10.80.2 | PATCH | Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace name: AllowWindowsInkWorkspace - data: "{{ win22cis_allow_ink_workspace }}" + data: 1 type: dword when: - - rule_18_9_89_2 + - win22cis_rule_18_10_80_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.89.2 - - automated + - rule_18.10.80.2 + - patch + - wik -- name: "18.9.90.1 | PATCH | Ensure Allow user control over installs is set to Disabled" +- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: EnableUserControl data: 0 type: dword when: - - rule_18_9_90_1 + - win22cis_rule_18_10_81_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.90.1 - - automated + - rule_18.10.81.1 + - patch -- name: "18.9.90.2 | PATCH | Ensure Always install with elevated privileges is set to Disabled" - ansible.windows.win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword +- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + block: + - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid setting for win22cis_allow_windows_ink_workspace. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_allow_windows_ink_workspace != 0 + - win22cis_allow_windows_ink_workspace != 1 + + - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warn Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.80.2' + when: + - win22cis_allow_windows_ink_workspace != 0 + - win22cis_allow_windows_ink_workspace != 1 + + - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable." 
+ ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace + name: AllowWindowsInkWorkspace + data: "{{ win22cis_allow_windows_ink_workspace }}" + type: dword + when: + - win22cis_allow_windows_ink_workspace == 0 or win22cis_allow_windows_ink_workspace == 1 when: - - rule_18_9_90_2 + - win22cis_rule_18_10_80_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.90.2 + - level1-corporate-enterprise-environment + - rule_18.10.80.2 - automated + - patch -- name: "18.9.90.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" +- name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: SafeForScripting data: 0 type: dword when: - - rule_18_9_90_3 + - win22cis_rule_18_10_81_3 tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.90.3 - - automated + - rule_18.10.81.3 + - patch + - ie + +- name: "18.10.82.1 | PATCH | Ensure Enable MPR notifications for the system is set to Disabled" + ansible.windows.win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableMPR + data: 1 + type: dword + when: + - win22cis_rule_18_10_82_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.10.82.1 + - patch + - logon -- name: "18.9.91.1 | PATCH | Ensure Sign-in last interactive user automatically after a restart is set to Disabled" +- name: "18.10.82.2 | PATCH | Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableAutomaticRestartSignOn data: 1 type: dword when: - - rule_18_9_91_1 + - win22cis_rule_18_10_82_2 tags: - level1-domaincontroller - level1-memberserver - - 
rule_18.9.91.1 - - automated + - rule_18.10.82.2 + - patch + - logon -- name: "18.9.100.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled" +- name: "18.10.87.1 | PATCH | Ensure Turn on PowerShell Script Block Logging is set to Enabled" ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging name: EnableScriptBlockLogging data: 1 type: dword when: - - rule_18_9_100_1 + - win22cis_rule_18_10_87_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.100.1 - - automated + - rule_18.10.87.1 + - patch + - powershell -- name: "18.9.100.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Disabled" +- name: "18.10.87.2 | PATCH | Ensure Turn on PowerShell Transcription is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription name: EnableTranscripting - data: 0 + data: 1 type: dword when: - - rule_18_9_100_2 + - win22cis_rule_18_10_87_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.100.2 - - automated + - rule_18.10.87.2 + - patch + - powershell -- name: "18.9.102.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" +- name: "18.10.89.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowBasic data: 0 type: dword when: - - rule_18_9_102_1_1 + - win22cis_rule_18_10_89_1_1 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.1 - - automated + - rule_18.10.89.1.1 + - patch + - winrm -- name: "18.9.102.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.10.89.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client 
name: AllowUnencryptedTraffic data: 0 type: dword when: - - rule_18_9_102_1_2 + - win22cis_rule_18_10_89_1_2 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.2 - - automated + - rule_18.10.89.1.2 + - patch + - winrm -- name: "18.9.102.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled" +- name: "18.10.89.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowDigest data: 0 type: dword when: - - rule_18_9_102_1_3 + - win22cis_rule_18_10_89_1_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.1.3 - - automated + - rule_18.10.89.1.3 + - patch + - winrm -- name: "18.9.102.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" +- name: "18.10.89.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowBasic data: 0 type: dword when: - - rule_18_9_102_2_1 + - win22cis_rule_18_10_89_2_1 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.2.1 - - automated + - rule_18.10.89.2.1 + - patch + - winrm # This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "18.9.102.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled" +- name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig data: 1 type: dword when: - - rule_18_9_102_2_2 + - win22cis_rule_18_10_89_2_2 - not win_skip_for_test tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.102.2.2 - - automated + - rule_18.10.89.2.2 + - patch + - winrm -- name: "18.9.102.2.3 | PATCH 
| Ensure Allow unencrypted traffic is set to Disabled" +- name: "18.10.89.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowUnencryptedTraffic data: 0 type: dword when: - - rule_18_9_102_2_3 + - win22cis_rule_18_10_89_2_3 - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.2.3 - - automated + - rule_18.10.89.2.3 + - patch + - winrm + - encryption -- name: "18.9.102.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" +- name: "18.10.89.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: DisableRunAs data: 1 type: dword when: - - rule_18_9_102_2_4 + - win22cis_rule_18_10_89_2_4 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.102.2.4 - - automated + - rule_18.10.89.2.4 + - patch + - winrm -# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "18.9.103.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled" +- name: "18.10.90.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs name: AllowRemoteShellAccess - data: 1 + data: 0 type: dword when: - - rule_18_9_103_1 + - win22cis_rule_18_10_90_1 - not win_skip_for_test tags: - level2-domaincontroller - level2-memberserver - - rule_18.9.102.1 - - automated + - rule_18.10.90.1 + - patch + - winrm -- name: "18.9.105.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled" +- name: "18.10.92.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender Security 
Center\App and Browser protection name: DisallowExploitProtectionOverride data: 1 type: dword when: - - rule_18_9_105_2_1 + - win22cis_rule_18_10_92_2_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.105.2.1 - - automated + - rule_18.10.92.2.1 + - patch + - accounts -- name: "18.9.108.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" +- name: "18.10.93.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoRebootWithLoggedOnUsers data: 0 type: dword when: - - rule_18_9_108_1_1 + - win22cis_rule_18_10_93_1_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108_1_1 - - automated + - rule_18.10.93.1.1 + - patch + - winupdate -- name: "18.9.108.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled" +- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoUpdate data: 0 type: dword when: - - rule_18_9_108_2_1 + - win22cis_rule_18_10_93_2_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.2.1 - - automated + - rule_18.10.93.2.1 + - patch + - winupdate -- name: "18.9.108.2.2 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" +- name: "18.10.93.2.2 | PATCH | Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: ScheduledInstallDay data: 0 type: dword when: - - rule_18_9_108_2_2 + - win22cis_rule_18_10_93_2_2 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.2.2 - - automated + - rule_18.10.93.2.2 + - patch + - winupdate -- name: 
"18.9.108.4.1 | PATCH | Ensure Manage preview builds is set to Disabled" - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: ManagePreviewBuildsPolicyValue - data: 1 - type: dword +- name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds" + block: + - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuilds + data: 1 + type: dword + + - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + ansible.windows.win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuildsPolicyValue + data: 0 + type: dword when: - - rule_18_9_108_4_1 + - win22cis_rule_18_10_93_4_1 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.4.1 - - automated + - rule_18.10.93.4.1 + - patch + - winupdate -- name: "18.9.108.4.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled 180 or more days" +- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'" block: - - name: "18.9.108.4.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled 180 or more days | DeferFeatureUpdates" + - name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword - - name: "18.9.108.4.2 | PATCH | Ensure Select when Preview Builds and Feature Updates are received is set to Enabled 180 or more days | 
DeferFeatureUpdatesPeriodInDays" + - name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Variable Warning." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number of days for win22cis_defer_feature_updates_period_in_days. Please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: win22cis_defer_feature_updates_period_in_days < 180 + + - name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Warning Count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '18.10.93.4.2' + when: win22cis_defer_feature_updates_period_in_days < 180 + + - name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays" ansible.windows.win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays - data: "{{ win22cis_defer_feature_update_period }}" + data: "{{ win22cis_defer_feature_updates_period_in_days }}" type: dword + when: win22cis_defer_feature_updates_period_in_days >= 180 when: - - rule_18_9_108_4_2 + - win22cis_rule_18_10_93_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.108.4.2 + - level1-corporate-enterprise-environment + - rule_18.10.93.4.2 - automated + - patch + - manage-updates-offered-from-windows-update + - preview -- name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" +- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + - name: "18.10.93.4.3 | PATCH | Ensure 
Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdates data: 1 type: dword - - name: "18.9.108.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + - name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays data: 0 type: dword when: - - rule_18_9_108_4_3 + - win22cis_rule_18_10_93_4_3 tags: - level1-domaincontroller - level1-memberserver - - rule_18.9.108.4.3 - - automated + - rule_18.10.93.4.3 + - patch + - winupdate diff --git a/tasks/section19.yml b/tasks/section19.yml index 66e1729..1138a71 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml @@ -16,12 +16,13 @@ data: 1 type: string when: - - rule_19_1_3_1 + - win22cis_rule_19_1_3_1 tags: - level1-domaincontroller - level1-memberserver - rule_19.1.3.1 - - automated + - patch + - screensaver - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled" block: 
@@ -39,21 +40,43 @@ data: 1 type: string when: - - rule_19_1_3_2 + - win22cis_rule_19_1_3_2 tags: - level1-domaincontroller - level1-memberserver - rule_19.1.3.2 - - automated + - patch + - screensaver - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: + - name: Warning Check For Variable Standards." + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid time set for win22cis_screen_saver_timeout please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - win22cis_screen_saver_timeout == 0 or + win22cis_screen_saver_timeout > 900 + + - name: Set warning count." + ansible.builtin.import_tasks: + file: warning_facts.yml + vars: + warn_control_id: '19.1.3.3' + when: + - win22cis_screen_saver_timeout == 0 or + win22cis_screen_saver_timeout > 900 + - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: "{{ win22cis_screen_saver_timeout }}" type: string + when: + - win22cis_screen_saver_timeout > 0 + - win22cis_screen_saver_timeout <= 900 - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" ansible.windows.win_regedit: @@ -61,13 +84,17 @@ name: ScreenSaveTimeOut data: "{{ win22cis_screen_saver_timeout }}" type: string + when: + - win22cis_screen_saver_timeout > 0 + - win22cis_screen_saver_timeout <= 900 when: - - rule_19_1_3_3 + - win22cis_rule_19_1_3_3 tags: - level1-domaincontroller - level1-memberserver - rule_19.1.3.3 - - automated + - patch + - screensaver - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled" block: 
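Review bot: A negative win22cis_screen_saver_timeout is neither warned about nor applied: the new warning tasks fire on `== 0 or > 900`, while both new regedit guards require `> 0` and `<= 900`, so a value below zero silently skips every task in the 19.1.3.3 block. Changing the warning condition to `- win22cis_screen_saver_timeout <= 0 or` in both the debug task and the warning-count task closes the gap; the guard added to the second regedit in the next hunk (@@ -61,13 +84,17 @@) is covered by the same change, and that is where the 19.1.3.3 block ends. The two new task names, `Warning Check For Variable Standards."` and `Set warning count."`, end in a stray `"` and drop the `ID | AUDIT | ... |` prefix every other task in this file uses; `"19.1.3.3 | AUDIT | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0 | Variable Warning."` and `"... | Warning Count."` would match the convention. The comparisons assume the variable arrives as an integer; if the default or an extra-var supplies it as a string, the `> 900` comparison will error rather than warn, so `win22cis_screen_saver_timeout | int` may be needed in these conditions — confirm how the default is declared.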
@@ -85,12 +112,13 @@ data: 1 type: dword when: - - rule_19_5_1_1 + - win22cis_rule_19_5_1_1 tags: - level1-domaincontroller - level1-memberserver - rule_19.5.1.1 - - automated + - patch + - toast - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled" block: @@ -108,12 +136,13 @@ data: 1 type: dword when: - - rule_19_6_6_1_1 + - win22cis_rule_19_6_6_1_1 tags: - level2-domaincontroller - level2-memberserver - rule_19.6.6.1.1 - - automated + - patch + - help - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled" block: @@ -131,12 +160,13 @@ data: 2 type: dword when: - - rule_19_7_4_1 + - win22cis_rule_19_7_4_1 tags: - level1-domaincontroller - level1-memberserver - rule_19.7.4.1 - - automated + - patch + - attachments - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled" block: 
@@ -154,193 +184,203 @@ data: 3 type: dword when: - - rule_19_7_4_2 + - win22cis_rule_19_7_4_2 tags: - level1-domaincontroller - level1-memberserver - rule_19.7.4.2 - - automated + - patch + - antivirus -- name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" +- name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" block: - - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - - name: "19.7.8.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword when: - - rule_19_7_8_1 + - win22cis_rule_19_7_7_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.8.1 - - automated + - rule_19.7.7.1 + - patch + - cloudcontent -- name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" +- name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: - - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - - name: "19.7.8.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" 
+ - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword when: - - rule_19_7_8_2 + - win22cis_rule_19_7_7_2 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.8.2 - - automated + - rule_19.7.7.2 + - patch + - cloudcontent -- name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" +- name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" block: - - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - - name: "19.7.8.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword when: - - rule_19_7_8_3 + - win22cis_rule_19_7_7_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.8.3 - - automated + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.3 + - patch + - cloudcontent -- name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" +- name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" block: - - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.7.4 | PATCH | Ensure Turn off 
all Windows spotlight features is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - - name: "19.7.8.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword when: - - rule_19_7_8_4 + - win22cis_rule_19_7_7_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.8.4 - - automated + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.4 + - patch + - cloudcontent -- name: "19.7.8.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" +- name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" block: - - name: "19.7.8.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" + - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableSpotlightCollectionOnDesktop data: 1 type: dword - - name: "19.7.8.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" + - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableSpotlightCollectionOnDesktop data: 1 type: dword when: - - rule_19_7_8_5 + - win22cis_rule_19_7_7_5 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.8.5 - - manual + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.5 + - patch + - cloudcontent -- name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within 
their profile. is set to Enabled" +- name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" block: - - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.25.1| PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - - name: "19.7.28.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword when: - - rule_19_7_28_1 + - win22cis_rule_19_7_25_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.28.1 - - automated + - rule_19.7.25.1 + - patch + - profiles + - sharing -- name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" +- name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" block: - - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - - name: "19.7.43.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" + - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword when: - - rule_19_7_43_1 + - 
win22cis_rule_19_7_40_1 tags: - level1-domaincontroller - level1-memberserver - - rule_19.7.43.1 - - automated + - rule_19.7.40.1 + - patch + - permissions -- name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" +- name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" block: - - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" ansible.windows.win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - - name: "19.7.47.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" + - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled" ansible.windows.win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword when: - - rule_19_7_47_2_1 + - win22cis_rule_19_7_42_2_1 tags: - level2-domaincontroller - level2-memberserver - - rule_19.7.47.2.1 - - automated + - rule_19.7.42.2.1 + - patch + - codec diff --git a/tasks/setup_audit.yml b/tasks/setup_audit.yml deleted file mode 100644 index ebc722b..0000000 --- a/tasks/setup_audit.yml +++ /dev/null 
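Review bot: The first sub-task name under 19.7.25.1 reads `"19.7.25.1| PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled"` with no space before the first `|`, unlike its sibling task and every other name in this hunk; it should be `"19.7.25.1 | PATCH | ..."` so anything that splits task names on ` | ` still extracts the control ID. The level tags on 19.7.7.3, 19.7.7.4 and 19.7.7.5 move from level2 to level1, and 19.7.7.5 changes from `manual` to `patch`, which widens the hosts these cloudcontent tasks run on; if that follows the benchmark renumbering it deserves a mention in the release notes, and if not it should be reverted. The AlwaysInstallElevated control (19.7.40.1) is one of the more consequential settings in this file, so a one-line comment above it such as `# 19.7.40.1 | Leaving AlwaysInstallElevated enabled lets any MSI run as SYSTEM; keep both hives at 0` would help future readers understand why it must stay at 0 in both hives.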
@@ -1,44 +0,0 @@
----
-
-- name: Create directory for goss
- ansible.windows.win_file:
- path: "{{ audit_capture_path }}"
- state: directory
-
-- name: download goss binary
- ansible.windows.win_get_url:
- url: "{{ goss_download_url }}"
- dest: "{{ audit_capture_path }}{{ goss_exe }}"
- checksum: "{{ goss_dl_sha }}"
- checksum_algorithm: sha256
- when:
- - download_audit_exe
-
-- name: copy goss binary
- ansible.windows.win_copy:
- src: "{{ goss_copy_src }}"
- dest: "{{ audit_capture_path }}{{ goss_exe }}"
- when:
- - copy_audit_exe
-
-- name: download goss config
- ansible.windows.win_get_url:
- url: "{{ goss_conf_url }}"
- dest: "{{ audit_capture_path }}goss_conf.zip"
- when:
- - download_goss_config
-
-- name: Unzip goss config
- community.windows.win_unzip:
- src: "{{ audit_capture_path }}goss_conf.zip"
- dest: "{{ audit_capture_path }}"
- when:
- - download_goss_config
-
-- name: set goss alpha environment
- ansible.windows.win_environment:
- state: present
- name: GOSS_USE_ALPHA
- value: 1
- level: user
- register: goss_env
diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml
new file mode 100644
index 0000000..a98e642
--- /dev/null
+++ b/tasks/warning_facts.yml
@@ -0,0 +1,20 @@
+---
+
+# This task is used to create variables used in giving a warning summary for manual tasks
+# that need attention
+#
+# The warn_control_list and warn_count vars start life in vars/main.yml but get updated
+# as the tasks that have a warning complete
+#
+# Those two variables are used in the tasks/main.yml to display a list of warnings
+#
+# warn_control_id is set within the task itself and has the control ID as the value
+#
+# warn_control_list is the main variable to be used and is a list made up of the warn_control_id’s
+#
+# warn_count is the main variable for the number of warnings and each time a warn_control_id is added
+# the count increases by a value of 1
+- name: "NO CONTROL ID | AUDIT | Set fact for manual task warning."
+ ansible.builtin.set_fact:
+ warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
+ warn_count: "{{ warn_count | int + 1 }}"
diff --git a/templates/ansible_vars_goss.yml.j2 b/templates/ansible_vars_goss.yml.j2
deleted file mode 100644
index a4ba046..0000000
--- a/templates/ansible_vars_goss.yml.j2
+++ /dev/null
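Review bot: The header comment says warn_control_list "is a list made up of the warn_control_id's", but the set_fact builds a string: `"{{ warn_control_list }} [{{ warn_control_id }}]"` appends bracketed text to whatever the variable already holds, so tasks/main.yml receives a space-separated string rather than a list. Either reword the comment to `# warn_control_list is a string of bracketed control IDs, e.g. "[19.1.3.3] [18.10.93.4.2]"` (constructed example) or, if vars/main.yml declares it as a list, build it as one with `warn_control_list: "{{ warn_control_list + [warn_control_id] }}"`. The comment also frames the file as being for "manual tasks", while the callers added in this commit use it to flag variables set outside the benchmark range, so `# ... a warning summary for controls that need attention (manual tasks or variables set out of range)` would describe the actual use. set_fact stores warn_count back as a string; the `| int` on the next increment handles that, but any final display that compares it numerically needs the same filter.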
@@ -1,917 +0,0 @@ -## Variables file This is populated from remediation discovery -## metadata for benchmark -win2022cis_benchmark: -- "type: {{ benchmark }}" -- "version: '{{ benchmark_version }}'" -- "os: Win2022" -- "epoch: {{ ansible_date_time.epoch }}" -- "hostname: {{ ansible_hostname }}" -- "server_type: {% if win2022cis_is_domain_controller is defined %}Domain Controller{% elif win2022cis_is_standalone is defined %}Standalone Server{% else %}Domain Member Server{% endif %}" - -win2022_os_distribution: {{ win2022_os_distribution }} - -###################### -## Server Variables ## -###################### -{% if win2022cis_is_domain_controller is defined %} -is_domain_controller: true -{% else %} -is_domain_controller: false -{% endif %} -{% if win2022cis_is_standalone is defined %} -is_standalone: true -{% else %} -is_standalone: false -{% endif %} -reboot_required: false -win2022cis_use_iis: false -exchange_server_group: false - -################### -# Reference files # -################### -gpresult_file: {{ audit_capture_path }}gpresults_{{ audit_time }}.txt -auditresult_file: {{ audit_capture_path }}auditpol_{{ audit_time }}.txt -secedit_file: {{ audit_capture_path }}secedit_{{ audit_time }}.txt - -######### -## CIS ## -######### - -############## -# CIS Levels # -############## -win2022cis_level_1: true -win2022cis_level_2: true -win2022cis_NG: {% if nextgen_memberserver is sameas true %}true{% elif nextgen_domainserver is sameas true %}true {% else %}false{% endif %} # Note this needs UEFI and virtualization enabled systems - rollback is very manual - -################ -# Server Roles # -################ -# If a Server uses the following set to true -# certification Authority role -win2022cis_cert_auth_role: false -# WINS server Feature Installed -win2022cis_WINS_server: false -win2022_use_domain_firewall: false -win2022_use_private_firewall: false -win2022_use_public_firewall: false - - - -################ -# CIS Sections # -################ 
-win2022cis_section_1: {{ section01_patch }} -win2022cis_section_2: {{ section02_patch }} -win2022cis_section_9: {{ section09_patch }} -win2022cis_section_17: {{ section17_patch }} -win2022cis_section_18: {{ section18_patch }} -win2022cis_section_19: {{ section19_patch }} - -######################## -## Section_1_Controls ## -######################## -# 1.1 Password Policy -win2022cis_1_1_1: {{ rule_1_1_1 }} -win2022cis_1_1_2: {{ rule_1_1_2 }} -win2022cis_1_1_3: {{ rule_1_1_3 }} -win2022cis_1_1_4: {{ rule_1_1_4 }} -win2022cis_1_1_5: {{ rule_1_1_5 }} -win2022cis_1_1_6: {{ rule_1_1_6 }} -# 1.2 Account Lockout Policy -win2022cis_1_2_1: {{ rule_1_2_1 }} -win2022cis_1_2_2: {{ rule_1_2_2 }} -win2022cis_1_2_3: {{ rule_1_2_3 }} - -######################## -## Section_2_Controls ## -######################## -# 2.2 User Rights Assignment -win2022cis_2_2_1: {{ rule_2_2_1 }} -win2022cis_2_2_2: {{ rule_2_2_2 }} # DC_ONLY -win2022cis_2_2_3: {{ rule_2_2_3 }} # MS_ONLY -win2022cis_2_2_4: {{ rule_2_2_4 }} -win2022cis_2_2_5: {{ rule_2_2_5 }} # DC_ONLY -win2022cis_2_2_6: {{ rule_2_2_6 }} -win2022cis_2_2_7: {{ rule_2_2_7 }} # DC & MS separate controls (see Section_2_Vars) -win2022cis_2_2_8: {{ rule_2_2_8 }} # DC_ONLY -win2022cis_2_2_9: {{ rule_2_2_9 }} # MS_ONLY -win2022cis_2_2_10: {{ rule_2_2_10 }} -win2022cis_2_2_11: {{ rule_2_2_11 }} -win2022cis_2_2_12: {{ rule_2_2_12 }} -win2022cis_2_2_13: {{ rule_2_2_13 }} -win2022cis_2_2_14: {{ rule_2_2_14 }} -win2022cis_2_2_15: {{ rule_2_2_15 }} -win2022cis_2_2_16: {{ rule_2_2_16 }} -win2022cis_2_2_17: {{ rule_2_2_17 }} # DC ONLY -win2022cis_2_2_18: {{ rule_2_2_18 }} # MS ONLY -win2022cis_2_2_19: {{ rule_2_2_19 }} -win2022cis_2_2_20: {{ rule_2_2_20 }} # DC ONLY -win2022cis_2_2_21: {{ rule_2_2_21 }} -win2022cis_2_2_22: {{ rule_2_2_22 }} -win2022cis_2_2_23: {{ rule_2_2_23 }} -win2022cis_2_2_24: {{ rule_2_2_24 }} -win2022cis_2_2_25: {{ rule_2_2_25 }} # DC ONLY -win2022cis_2_2_26: {{ rule_2_2_26 }} # MS ONLY -win2022cis_2_2_27: {{ rule_2_2_27 }} # 
DC ONLY -win2022cis_2_2_28: {{ rule_2_2_28 }} # MS ONLY -win2022cis_2_2_29: {{ rule_2_2_29 }} -win2022cis_2_2_30: {{ rule_2_2_30 }} -win2022cis_2_2_31: {{ rule_2_2_31 }} # DC ONLY -win2022cis_2_2_32: {{ rule_2_2_32 }} # MS ONLY -win2022cis_2_2_33: {{ rule_2_2_33 }} -win2022cis_2_2_34: {{ rule_2_2_34 }} -win2022cis_2_2_35: {{ rule_2_2_35 }} -win2022cis_2_2_36: {{ rule_2_2_36 }} # DC ONLY -win2022cis_2_2_37: {{ rule_2_2_37 }} # DC ONLY -win2022cis_2_2_38: {{ rule_2_2_38 }} # MS ONLY -win2022cis_2_2_39: {{ rule_2_2_39 }} -win2022cis_2_2_40: {{ rule_2_2_40 }} -win2022cis_2_2_41: {{ rule_2_2_41 }} -win2022cis_2_2_42: {{ rule_2_2_42 }} -win2022cis_2_2_43: {{ rule_2_2_43 }} -win2022cis_2_2_44: {{ rule_2_2_44 }} -win2022cis_2_2_45: {{ rule_2_2_45 }} -win2022cis_2_2_46: {{ rule_2_2_46 }} -win2022cis_2_2_47: {{ rule_2_2_47 }} # DC ONLY -win2022cis_2_2_48: {{ rule_2_2_48 }} -# 2.3.1 Accounts -win2022cis_2_3_1_1: {{ rule_2_3_1_1 }} # MS Only -win2022cis_2_3_1_2: {{ rule_2_3_1_2 }} -win2022cis_2_3_1_3: {{ rule_2_3_1_3 }} # MS Only -win2022cis_2_3_1_4: {{ rule_2_3_1_4 }} -win2022cis_2_3_1_5: {{ rule_2_3_1_5 }} -win2022cis_2_3_1_6: {{ rule_2_3_1_6 }} -#A 2.3.2 udit -win2022cis_2_3_2_1: {{ rule_2_3_2_1 }} -win2022cis_2_3_2_2: {{ rule_2_3_2_2 }} -# 2.3.3 DCOM -# 2.3.4 Devices -win2022cis_2_3_4_1: {{ rule_2_3_4_1 }} -win2022cis_2_3_4_2: {{ rule_2_3_4_2 }} -# 2.3.5 Domain Controller -win2022cis_2_3_5_1: {{ rule_2_3_5_1 }} -win2022cis_2_3_5_2: {{ rule_2_3_5_2 }} -win2022cis_2_3_5_3: {{ rule_2_3_5_3 }} -# 2.3.6 Domain Member -win2022cis_2_3_6_1: {{ rule_2_3_6_1 }} -win2022cis_2_3_6_2: {{ rule_2_3_6_2 }} -win2022cis_2_3_6_3: {{ rule_2_3_6_3 }} -win2022cis_2_3_6_4: {{ rule_2_3_6_4 }} -win2022cis_2_3_6_5: {{ rule_2_3_6_5 }} -win2022cis_2_3_6_6: {{ rule_2_3_6_6 }} -# 2.3.7 Interactive Login -win2022cis_2_3_7_1: {{ rule_2_3_7_1 }} -win2022cis_2_3_7_2: {{ rule_2_3_7_2 }} -win2022cis_2_3_7_3: {{ rule_2_3_7_3 }} -win2022cis_2_3_7_4: {{ rule_2_3_7_4 }} -win2022cis_2_3_7_5: {{ rule_2_3_7_5 }} 
-win2022cis_2_3_7_6: {{ rule_2_3_7_6 }} # MS Only -win2022cis_2_3_7_7: {{ rule_2_3_7_7 }} -win2022cis_2_3_7_8: {{ rule_2_3_7_8 }} # MS Only -win2022cis_2_3_7_9: {{ rule_2_3_7_9 }} -# 2.3.8 Microsoft network client SMB -win2022cis_2_3_8_1: {{ rule_2_3_8_1 }} -win2022cis_2_3_8_2: {{ rule_2_3_8_2 }} -win2022cis_2_3_8_3: {{ rule_2_3_8_3 }} -# 2.3.9 Microsoft network server SMB -win2022cis_2_3_9_1: {{ rule_2_3_9_1 }} -win2022cis_2_3_9_2: {{ rule_2_3_9_2 }} -win2022cis_2_3_9_3: {{ rule_2_3_9_3 }} -win2022cis_2_3_9_4: {{ rule_2_3_9_4 }} -win2022cis_2_3_9_5: {{ rule_2_3_9_5 }} -# 2.3.10 Network Access -win2022cis_2_3_10_1: {{ rule_2_3_10_1 }} -win2022cis_2_3_10_2: {{ rule_2_3_10_2 }} -win2022cis_2_3_10_3: {{ rule_2_3_10_3 }} -win2022cis_2_3_10_4: {{ rule_2_3_10_4 }} -win2022cis_2_3_10_5: {{ rule_2_3_10_5 }} -win2022cis_2_3_10_6: {{ rule_2_3_10_6 }} -win2022cis_2_3_10_7: {{ rule_2_3_10_7 }} -win2022cis_2_3_10_8: {{ rule_2_3_10_8 }} -win2022cis_2_3_10_9: {{ rule_2_3_10_9 }} -win2022cis_2_3_10_10: {{ rule_2_3_10_10 }} -win2022cis_2_3_10_11: {{ rule_2_3_10_11 }} -win2022cis_2_3_10_12: {{ rule_2_3_10_12 }} -win2022cis_2_3_10_13: {{ rule_2_3_10_13 }} -# 2.3.11 Network Security -win2022cis_2_3_11_1: {{ rule_2_3_11_1 }} -win2022cis_2_3_11_2: {{ rule_2_3_11_2 }} -win2022cis_2_3_11_3: {{ rule_2_3_11_3 }} -win2022cis_2_3_11_4: {{ rule_2_3_11_4 }} -win2022cis_2_3_11_5: {{ rule_2_3_11_5 }} -win2022cis_2_3_11_6: {{ rule_2_3_11_6 }} -win2022cis_2_3_11_7: {{ rule_2_3_11_7 }} -win2022cis_2_3_11_8: {{ rule_2_3_11_8 }} -win2022cis_2_3_11_9: {{ rule_2_3_11_9 }} -win2022cis_2_3_11_10: {{ rule_2_3_11_10 }} -# 2.2.12 Recovery Console -# 2.3.13 Shutdown -win2022cis_2_3_13_1: {{ rule_2_3_13_1 }} -#2.3.14 Cryptography -# 2.3.15 System Objects -win2022cis_2_3_15_1: {{ rule_2_3_15_1 }} -win2022cis_2_3_15_2: {{ rule_2_3_15_2 }} -# 2.3.16 System Settings -# 2.3.17 User Account Control -win2022cis_2_3_17_1: {{ rule_2_3_17_1 }} -win2022cis_2_3_17_2: {{ rule_2_3_17_2 }} -win2022cis_2_3_17_3: {{ 
rule_2_3_17_3 }} -win2022cis_2_3_17_4: {{ rule_2_3_17_4 }} -win2022cis_2_3_17_5: {{ rule_2_3_17_5 }} -win2022cis_2_3_17_6: {{ rule_2_3_17_6 }} -win2022cis_2_3_17_7: {{ rule_2_3_17_7 }} -win2022cis_2_3_17_8: {{ rule_2_3_17_8 }} - -################## -# Section_2_Vars # -################## -win2022cis_DC_access_from_network: Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS -win2022cis_MS_access_from_network: Administrators Authenticated Users -win2022cis_DC_allow_logon_local_users: Administrators -win2022cis_MS_allow_logon_local_users: Administrators -win2022cis_DC_allow_logon_RDP_users: Administrators -win2022cis_MS_allow_logon_RDP_users: Administrators Remote Desktop Users -win2022_admin_renamed_as: {{ win16cis_admin_username }} -win2022_guest_renamed_as: {{ win16cis_guest_username }} -win2022cis_logon_text: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.' -win2022cis_logon_title: {{ legalnoticecaption }} - -######################## -## Section_9_Controls ## -######################## -# 9.1 Domain Profile Firewall -win2022cis_9_1_1: {{ rule_9_1_1 }} -win2022cis_9_1_2: {{ rule_9_1_2 }} -win2022cis_9_1_3: {{ rule_9_1_3 }} -win2022cis_9_1_4: {{ rule_9_1_4 }} -win2022cis_9_1_5: {{ rule_9_1_5 }} -win2022cis_9_1_6: {{ rule_9_1_6 }} -win2022cis_9_1_7: {{ rule_9_1_7 }} -win2022cis_9_1_8: {{ rule_9_1_8 }} -# 9.2 Private Profile Firewall -win2022cis_9_2_1: {{ rule_9_2_1 }} -win2022cis_9_2_2: {{ rule_9_2_2 }} -win2022cis_9_2_3: {{ rule_9_2_3 }} -win2022cis_9_2_4: {{ rule_9_2_4 }} -win2022cis_9_2_5: {{ rule_9_2_5 }} -win2022cis_9_2_6: {{ rule_9_2_6 }} -win2022cis_9_2_7: {{ rule_9_2_7 }} -win2022cis_9_2_8: {{ rule_9_2_8 }} -# 9.3 Public Profile Firewall -win2022cis_9_3_1: {{ rule_9_3_1 }} -win2022cis_9_3_2: {{ rule_9_3_2 }} -win2022cis_9_3_3: {{ rule_9_3_3 }} -win2022cis_9_3_4: {{ rule_9_3_4 }} -win2022cis_9_3_5: {{ rule_9_3_5 }} -win2022cis_9_3_6: {{ rule_9_3_6 }} -win2022cis_9_3_7: {{ rule_9_3_7 
}} -win2022cis_9_3_8: {{ rule_9_3_8 }} -win2022cis_9_3_9: {{ rule_9_3_9 }} -win2022cis_9_3_10: {{ rule_9_3_10 }} - -################## -# Section_9_Vars # -################## - -######################### -## Section_17_Controls ## -######################### -# Advanced Audit Policy Configuration -# 17.1 Account Logon -win2022cis_17_1_1: {{ rule_17_1_1 }} -win2022cis_17_1_2: {{ rule_17_1_2 }} -win2022cis_17_1_3: {{ rule_17_1_3 }} # DC_Only -# 17.2 Account Management -win2022cis_17_2_1: {{ rule_17_2_1 }} -win2022cis_17_2_2: {{ rule_17_2_2 }} # DC_Only -win2022cis_17_2_3: {{ rule_17_2_3 }} # DC_Only -win2022cis_17_2_4: {{ rule_17_2_4 }} # DC_Only -win2022cis_17_2_5: {{ rule_17_2_5 }} -win2022cis_17_2_6: {{ rule_17_2_6 }} -# 17.3 Detailed Tracking -win2022cis_17_3_1: {{ rule_17_3_1 }} -win2022cis_17_3_2: {{ rule_17_3_2 }} -# 17.4 DS Access -win2022cis_17_4_1: {{ rule_17_4_1 }} # DC Only -win2022cis_17_4_2: {{ rule_17_4_2 }} # DC Only -# 17.5 logon/off -win2022cis_17_5_1: {{ rule_17_5_1 }} -win2022cis_17_5_2: {{ rule_17_5_2 }} -win2022cis_17_5_3: {{ rule_17_5_3 }} -win2022cis_17_5_4: {{ rule_17_5_4 }} -win2022cis_17_5_5: {{ rule_17_5_5 }} -win2022cis_17_5_6: {{ rule_17_5_6 }} -# 17.6 Object Access -win2022cis_17_6_1: {{ rule_17_6_1 }} -win2022cis_17_6_2: {{ rule_17_6_2 }} -win2022cis_17_6_3: {{ rule_17_6_3 }} -win2022cis_17_6_4: {{ rule_17_6_4 }} -# 17.7 Policy Change -win2022cis_17_7_1: {{ rule_17_7_1 }} -win2022cis_17_7_2: {{ rule_17_7_2 }} -win2022cis_17_7_3: {{ rule_17_7_3 }} -win2022cis_17_7_4: {{ rule_17_7_4 }} -win2022cis_17_7_5: {{ rule_17_7_5 }} -# 17.8 Privilege Use -win2022cis_17_8_1: {{ rule_17_8_1 }} -# 17.9 System -win2022cis_17_9_1: {{ rule_17_9_1 }} -win2022cis_17_9_2: {{ rule_17_9_2 }} -win2022cis_17_9_3: {{ rule_17_9_3 }} -win2022cis_17_9_4: {{ rule_17_9_4 }} -win2022cis_17_9_5: {{ rule_17_9_5 }} - -################### -# Section_17_Vars # -################### - -######################### -## Section_18_Controls ## -######################### -# 18 
Administrative Templates -# 18.1 Control Panel -# 18.1.1 Personalization -win2022cis_18_1_1_1: {{ rule_18_1_1_1 }} -win2022cis_18_1_1_2: {{ rule_18_1_1_2 }} -# 18.1.2 Regional and Language Options -# 18.1.2.1 Handwriting Personalization -win2022cis_18_1_2_2: {{ rule_18_1_2_2 }} -win2022cis_18_1_3: {{ rule_18_1_3 }} -# 18.2 LAPS - Needs LAPS installed per host -win2022cis_18_2_1: {{ rule_18_2_1 }} -win2022cis_18_2_2: {{ rule_18_2_2 }} -win2022cis_18_2_3: {{ rule_18_2_3 }} -win2022cis_18_2_4: {{ rule_18_2_4 }} -win2022cis_18_2_5: {{ rule_18_2_5 }} -win2022cis_18_2_6: {{ rule_18_2_6 }} -# 18.3 MS Security -win2022cis_18_3_1: {{ rule_18_3_1 }} -win2022cis_18_3_2: {{ rule_18_3_2 }} -win2022cis_18_3_3: {{ rule_18_3_3 }} -win2022cis_18_3_4: {{ rule_18_3_4 }} -win2022cis_18_3_5: {{ rule_18_3_5 }} -win2022cis_18_3_6: {{ rule_18_3_6 }} -win2022cis_18_3_7: {{ rule_18_3_7 }} -# 18.4 MSS Legacy -win2022cis_18_4_1: {{ rule_18_4_1 }} -win2022cis_18_4_2: {{ rule_18_4_2 }} -win2022cis_18_4_3: {{ rule_18_4_3 }} -win2022cis_18_4_4: {{ rule_18_4_4 }} -win2022cis_18_4_5: {{ rule_18_4_5 }} -win2022cis_18_4_6: {{ rule_18_4_6 }} -win2022cis_18_4_7: {{ rule_18_4_7 }} -win2022cis_18_4_8: {{ rule_18_4_8 }} -win2022cis_18_4_9: {{ rule_18_4_9 }} -win2022cis_18_4_10: {{ rule_18_4_10 }} -win2022cis_18_4_11: {{ rule_18_4_11 }} -win2022cis_18_4_12: {{ rule_18_4_12 }} -# 18.5 Network -# 18.5.1 Background Intelligent Transfer -# 18.5.2 Branch Cache -# 18.5.3 DirectAccess Client Experience Settings -# 18 5.4 DNS Client -win2022cis_18_5_4_1: {{ rule_18_5_4_1 }} -# 18.5.5 Fonts -win2022cis_18_5_5_1: {{ rule_18_5_5_1 }} -# 18.5.6 Hotspot Authentication -# 18.5.7 lanwamn Server -# 18.5.8 Lanman WorkStation -win2022cis_18_5_8_1: {{ rule_18_5_8_1 }} -# 18.5.9 Link-Layer Topology Discovery -win2022cis_18_5_9_1: {{ rule_18_5_9_1 }} -win2022cis_18_5_9_2: {{ rule_18_5_9_2 }} -# 18.5.10 Microsoft Peer-To-Peer Networking Services -# 18.5.10.1 Peer Name Resolution Protocol -win2022cis_18_5_10_2: {{ rule_18_5_10_2 
}} -# 18.5.11 Network Connections -# 18.5.11.1 Windows Defender Firewall (formally Windows Firewall) -win2022cis_18_5_11_2: {{ rule_18_5_11_2 }} -win2022cis_18_5_11_3: {{ rule_18_5_11_3 }} -win2022cis_18_5_11_4: {{ rule_18_5_11_4 }} -# 18.5.12 Network Connectivity Status Indicator -# 18.5.13 Network Isolation -# 18.5.14 Network Provider -win2022cis_18_5_14_1: {{ rule_18_5_14_1 }} # NOte Network Paths will need to ne configured for this to pass -# 18.5.15 Offline Files -# 18.5.16 QoS Packet Scheduler -# 18.5.17 SNMP -# 18.5.18 SSL Configuration Settings -# 18.15.9 TCPIP Settings -# 18.5.19.1 IPv6 Transitoin Technologies -# 18.5.19.2 Paranters -win2022cis_18_5_19_2_1: {{ rule_18_5_19_2_1 }} -# 18.5 20 Windows Connect Now -win2022cis_18_5_20_1: {{ rule_18_5_20_1 }} -win2022cis_18_5_20_2: {{ rule_18_5_20_2 }} -# 18.5.21 Windows Connection Manager -win2022cis_18_5_21_1: {{ rule_18_5_21_1 }} -win2022cis_18_5_21_2: {{ rule_18_5_21_2 }} -# 18.5.6 Printers -# 18.7.Start Menu and Taskbar -# 18.7.1 Notifications -win2022cis_18_7_1_1: {{ rule_18_7_1_1 }} -# 18.8 System -# 18.8.1 Access-Denied Assistance -# 18.8.2 App-V -# 18.8.3 Audit Process Creation -win2022cis_18_8_3_1: {{ rule_18_8_3_1 }} -# 18.8.4 Credential Delegation -win2022cis_18_8_4_1: {{ rule_18_8_4_1 }} -win2022cis_18_8_4_2: {{ rule_18_8_4_2 }} -# 18.8.5 Device Guard -win2022cis_18_8_5_1: {{ rule_18_8_5_1 }} -win2022cis_18_8_5_2: {{ rule_18_8_5_2 }} -win2022cis_18_8_5_3: {{ rule_18_8_5_3 }} -win2022cis_18_8_5_4: {{ rule_18_8_5_4 }} -win2022cis_18_8_5_5: {{ rule_18_8_5_5 }} -win2022cis_18_8_5_6: {{ rule_18_8_5_6 }} -win2022cis_18_8_5_7: {{ rule_18_8_5_7 }} -# 18.8.6 Device Health Attenstation Servic -# 18.8.7 Device Installation -# 18.8.8 Device Redirection -# 18.8.9 Disk NV Cache -# 18.8.10 Disk Quotas -# 18.8.11 Display -# 18.8.12 Distributed COM -# 18.8.13 Driver Installation -# 18.8.14 Early Launch AntiMalware -win2022cis_18_8_14_1: {{ rule_18_8_14_1 }} -# 18.8.15 Enhanced Storage Access -# 18.8.16 DFile 
Classification Infrastructure -# 18.7.17 File Share Shadow Copy Agent -# 18.8.18 File Share Shadow Copy Provider -# 18.8.19 FileSystems (Formerly NTFS FileSystem) -# 18.8.20 Folder Redirecion -# 18.8.21 Group Policy -# 18.8.21.1 Logging and Tracing -win2022cis_18_8_21_2: {{ rule_18_8_21_2 }} -win2022cis_18_8_21_3: {{ rule_18_8_21_3 }} -win2022cis_18_8_21_4: {{ rule_18_8_21_4 }} -win2022cis_18_8_21_5: {{ rule_18_8_21_5 }} -# 18.8.22 Internet Communication Managemnet -# 18.8.22.1 Internet Communication Settings -win2022cis_18_8_22_1_1: {{ rule_18_8_22_1_1 }} -win2022cis_18_8_22_1_2: {{ rule_18_8_22_1_2 }} -win2022cis_18_8_22_1_3: {{ rule_18_8_22_1_3 }} -win2022cis_18_8_22_1_4: {{ rule_18_8_22_1_4 }} -win2022cis_18_8_22_1_5: {{ rule_18_8_22_1_5 }} -win2022cis_18_8_22_1_6: {{ rule_18_8_22_1_6 }} -win2022cis_18_8_22_1_7: {{ rule_18_8_22_1_7 }} -win2022cis_18_8_22_1_8: {{ rule_18_8_22_1_8 }} -win2022cis_18_8_22_1_9: {{ rule_18_8_22_1_9 }} -win2022cis_18_8_22_1_10: {{ rule_18_8_22_1_10 }} -win2022cis_18_8_22_1_11: {{ rule_18_8_22_1_11 }} -win2022cis_18_8_22_1_12: {{ rule_18_8_22_1_12 }} -win2022cis_18_8_22_1_13: {{ rule_18_8_22_1_13 }} -# 18.8.23 iSCSI -# 18.8.24 KDC -# 18.8.25 Kerberos -win2022cis_18_8_25_1: {{ rule_18_8_25_1 }} -# 18.8.26 Kernel DMA Protection -# 18.8.27 Locale Services -win2022cis_18_8_27_1: {{ rule_18_8_27_1 }} -# 18.8.28 Login -win2022cis_18_8_28_1: {{ rule_18_8_28_1 }} -win2022cis_18_8_28_2: {{ rule_18_8_28_2 }} -win2022cis_18_8_28_3: {{ rule_18_8_28_3 }} -win2022cis_18_8_28_4: {{ rule_18_8_28_4 }} -win2022cis_18_8_28_5: {{ rule_18_8_28_5 }} -win2022cis_18_8_28_6: {{ rule_18_8_28_6 }} -win2022cis_18_8_28_7: {{ rule_18_8_28_7 }} -# 18.8.29 Mitigation Options -# 18.8.30 Net Logon -# 18.8.31 OS Policies -# 18.8.32 Performance Control Panel -# 18.8.33 PIN Complexity -# 18.8.34 Power Management -# 18.8.34.1 Button Settings -# 18.8.34.2 Energy Saver Settings -# 18.8.34.3 Hard Disk Settings -# 18.8.34.4 Notification Settings -# 18.8.34.5 Power Throttling 
Settings -# 18.8.34.6 Sleep Settings -win2022cis_18_8_34_6_1: {{ rule_18_8_34_6_1 }} -win2022cis_18_8_34_6_2: {{ rule_18_8_34_6_2 }} -win2022cis_18_8_34_6_3: {{ rule_18_8_34_6_3 }} -win2022cis_18_8_34_6_4: {{ rule_18_8_34_6_4 }} -# 18.8.35 Recovery -# 18.8.36 Remote Assistance -win2022cis_18_8_36_1: {{ rule_18_8_36_1 }} -win2022cis_18_8_36_2: {{ rule_18_8_36_2 }} -# 18.8.37 Remote Procedure Call -win2022cis_18_8_37_1: {{ rule_18_8_37_1 }} -win2022cis_18_8_37_2: {{ rule_18_8_37_2 }} -# 18.8.38 Removable Storage Access -# 18.8.39 Scripts -# 18.8.40 Server Manager -# 18.8.41 Service Control Manager Settings -# 18.8.42 Shutdown -# 18.8.43 Shutdown Options -# 18.8.44 Storage Health -# 18.8.45 Storage Sense -# 18.8.46 System Restore -# 18.8.47 Troubleshooting and Diagnostics -# 18.8.47.1 Application Compatibility Diagnostics -# 18.8.47.2 Corrupted File Recovery -# 18.8.47.3 Disk Diagnostic -# 18.8.47.4 Fault Tolerant Heap -# 18.8.47.5 Microsoft Support Diagnostic Tool -win2022cis_18_8_47_5_1: {{ rule_18_8_47_5_1 }} -# 18.8.47.6 MSI Corrupted File Recovery -# 18.8.47.7 Scheduled Maintenance -# 18.8.47.8 Scripted Diagnostics -# 18.8.47.9 Windows Boot Performance Diagnostics -# 18.8.47.10 Windows Memory Leak Diagnosis -# 18.8.47.11 Windows Performance PerfTrack -win2022cis_18_8_47_11_1: {{ rule_18_8_47_11_1 }} -# 18.8.48 Trusted Platform Module Services -# 18.8.49 User Profiles -win2022cis_18_8_49_1: {{ rule_18_8_49_1 }} -# 18.8.50 Windows File Protection -# 18.8.51 Windows HotStart -# 18.8.52 Windows Time Service -# 18.8.52.1 Time Providers -win2022cis_18_8_52_1_1: {{ rule_18_8_52_1_1 }} -win2022cis_18_8_52_1_2: {{ rule_18_8_52_1_2 }} -# 18.9 Windows Components -# 18.9.1 Active Directory Federation Services -# 18.9.2 ActiveX Installer Service -# 18.9.3 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) -# 18.9.4 App Package Deployment -win2022cis_18_9_4_1: {{ rule_18_9_4_1 }} -# 18.9.5 App Privacy -# 18.9.6 App runtime -win2022cis_18_9_6_1: {{ 
rule_18_9_6_1 }} -# 18.9.7 Application Compatibility -# 18.9.8 AutoPlay Policies -win2022cis_18_9_8_1: {{ rule_18_9_8_1 }} -win2022cis_18_9_8_2: {{ rule_18_9_8_2 }} -win2022cis_18_9_8_3: {{ rule_18_9_8_3 }} -# 18.9.9 Backup -# 18.9.10 Biometrics -# 18.9.10.1 Facial Features -win2022cis_18_9_10_1_1: {{ rule_18_9_10_1_1 }} -# 18.9.11 BitLocker Drive Encryption -# 18.9.12 Camera -win2022cis_18_9_12_1: {{ rule_18_9_12_1 }} -# 18.9.13 Cloud Content -# 18.9.14 Connect -win2022cis_18_9_14_1: {{ rule_18_9_14_1 }} -# 18.9.15 Credential User Interface -win2022cis_18_9_15_1: {{ rule_18_9_15_1 }} -win2022cis_18_9_15_2: {{ rule_18_9_15_2 }} -# 18.9.16 Data Collection and Preview Builds -win2022cis_18_9_16_1: {{ rule_18_9_16_1 }} -win2022cis_18_9_16_2: {{ rule_18_9_16_2 }} -win2022cis_18_9_16_3: {{ rule_18_9_16_3 }} -win2022cis_18_9_16_4: {{ rule_18_9_16_4 }} -# 18.9.17 Delivery Optimization -# 18.9.18 Desktop Gadgets -# 18.9.19 Desktop Window Manager -# 18.9.20 Device and Driver Compatibility -# 18.9.21 Device Registration (formerly Workplace Join) -# 18.9.22 Digital Locker -# 18.9.23 Edge UI -# 18.9.24 EMET -# 18.9.25 Event Forwarding -# 18.9.26 Event Log Service -# 18.9.26.1 Application -win2022cis_18_9_26_1_1: {{ rule_18_9_26_1_1 }} -win2022cis_18_9_26_1_2: {{ rule_18_9_26_1_2 }} -# 18.9.26.2 Security -win2022cis_18_9_26_2_1: {{ rule_18_9_26_2_1 }} -win2022cis_18_9_26_2_2: {{ rule_18_9_26_2_2 }} -# 18.9.26.3 Setup -win2022cis_18_9_26_3_1: {{ rule_18_9_26_3_1 }} -win2022cis_18_9_26_3_2: {{ rule_18_9_26_3_2 }} -# 18.9.26.4 System -win2022cis_18_9_26_4_1: {{ rule_18_9_26_4_1 }} -win2022cis_18_9_26_4_2: {{ rule_18_9_26_4_2 }} -# 18.9.27 Event Logging -# 18.9.28 Event Viewer -# 18.9.29 Family Safety (formerly Parental Controls) -# 18.9.30 File Explorer (formerly Windows Explorer) -# 18.9.30.1 Previous Versions -win2022cis_18_9_30_2: {{ rule_18_9_30_2 }} -win2022cis_18_9_30_3: {{ rule_18_9_30_3 }} -win2022cis_18_9_30_4: {{ rule_18_9_30_4 }} -# 18.9.31 File History -# 18.9.32 Find 
My Device -# 18.9.33 Game Explorer -# 18.9.34 Handwriting -# 18.9.35 HomeGroup -# 18.9.36 Import Video -# 18.9.37 Internet Explorer -# 18.9.38 Internet Information Services -# 18.9.39 Location and Sensors -win2022cis_18_9_39_1: {{ rule_18_9_39_1 }} -# 18.9.40 Maintenance Scheduler -# 18.9.41 Maps -# 18.9.42 MDM -# 18.9.43 Messaging -win2022cis_18_9_43_1: {{ rule_18_9_43_1 }} -# 18.9.44 Microsoft account -win2022cis_18_9_44_1: {{ rule_18_9_44_1 }} -# 18.9.45 Microsoft Edge -# 18.9.46 Microsoft FIDO Authentication -# 18.9.47 Microsoft Secondary Authentication Factor -# 18.9.48 Microsoft User Experience Virtualization -# 18.9.49 NetMeeting -# 18.9.50 Network Access Protection -# 18.9.51 Network Projector -# 18.9.52 OneDrive (formerly SkyDrive) -win2022cis_18_9_52_1: {{ rule_18_9_52_1 }} -# 18.9.53 Online Assistance -# 18.9.54 OOBE -# 18.9.55 Password Synchronization -# 18.9.56 Portable Operating System -# 18.9.57 Presentation Settings -# 18.9.58 Push To Install -# 18.9.59 Remote Desktop Services (formerly Terminal Services) -# 18.9.59.1 RD Licensing (formerly TS Licensing) -# 18.9.59.2 Remote Desktop Connection Client -# 18.9.59.2.1 RemoteFX USB Device Redirection -win2022cis_18_9_59_2_2: {{ rule_18_9_59_2_2 }} -# 18.9.59.3 Remote Desktop Session Host (formerly Terminal Server) -# 18.9.59.3.1 Application Compatibility -# 18.9.59.3.2 Connections -win2022cis_18_9_59_3_2_1: {{ rule_18_9_59_3_2_1 }} -# 18.9.59.3.3 Device and Resource Redirection -win2022cis_18_9_59_3_3_1: {{ rule_18_9_59_3_2_1 }} -win2022cis_18_9_59_3_3_2: {{ rule_18_9_59_3_3_2 }} -win2022cis_18_9_59_3_3_3: {{ rule_18_9_59_3_3_3 }} -win2022cis_18_9_59_3_3_4: {{ rule_18_9_59_3_3_4 }} -# 18.9.59.3.4 Licensing -# 18.9.59.3.5 Printer Redirection -# 18.9.59.3.6 Profiles -# 18.9.59.3.7 RD Connection Broker (formerly TS Connection Broker) -# 18.9.59.3.8 Remote Session Environment -# 18.9.59.3.9 Security -win2022cis_18_9_59_3_9_1: {{ rule_18_9_59_3_9_1 }} -win2022cis_18_9_59_3_9_2: {{ rule_18_9_59_3_9_2 }} 
-win2022cis_18_9_59_3_9_3: {{ rule_18_9_59_3_9_3 }} -win2022cis_18_9_59_3_9_4: {{ rule_18_9_59_3_9_4 }} -win2022cis_18_9_59_3_9_5: {{ rule_18_9_59_3_9_5 }} -# 18.9.59.3.10 Session Time Limits -win2022cis_18_9_59_3_10_1: {{ rule_18_9_59_3_10_1 }} -win2022cis_18_9_59_3_10_2: {{ rule_18_9_59_3_10_2 }} -# 18.9.59.3.11 Temporary Folders -win2022cis_18_9_59_3_11_1: {{ rule_18_9_59_3_11_1 }} -win2022cis_18_9_59_3_11_2: {{ rule_18_9_59_3_11_2 }} -# 18.9.60 RSS Feeds -win2022cis_18_9_60_1: {{ rule_18_9_60_1 }} -# 18.9.61 Search -# 18.9.61.1 OCR -win2022cis_18_9_61_2: {{ rule_18_9_61_2 }} -win2022cis_18_9_61_3: {{ rule_18_9_61_3 }} -# 18.9.62 Security Center -# 18.9.63 Server for NIS -# 18.9.64 Shutdown Options -# 18.9.65 Smart Card -# 18.9.66 Software Protection Platform -win2022cis_18_9_66_1: {{ rule_18_9_66_1 }} -# 18.9.67 Sound Recorder -# 18.9.68 Speech -# 18.9.69 Store -# 18.9.70 Sync Your Tablet -# 18.9.71 Tablet PC -# 18.9.72 Task Scheduler -# 18.9.73 Text Input -# 18.9.74 Windows Calendar -# 18.9.75 Windows Color System -# 18.9.76 Windows Customer Experience Program -# 18.9.77 Windows Defender AntiVirus (formally Windows Defender) -# 18.9.77.1 Client Interface -# 18.9.77.2 Exclusions -# 18.9.77.3 MAPS -win2022cis_18_9_77_3_1: {{ rule_18_9_77_3_1 }} -win2022cis_18_9_77_3_2: {{ rule_18_9_77_3_2 }} -# 18.9.77.4 MpEngine -# 18.9.77.5 Network Inspection System -# 18.9.77.6 Quarantine -win2022cis_18_9_77_7_1: {{ rule_18_9_77_7_1 }} -# 18.9.77.8 Remediation -# 18.9.77.9 Reporting -win2022cis_18_9_77_9_1: {{ rule_18_9_77_9_1 }} -win2022cis_18_9_77_10_1: {{ rule_18_9_77_10_1 }} -win2022cis_18_9_77_10_2: {{ rule_18_9_77_10_2 }} -# 18.9.77.11 Security Intelligence Updates (formerly Signature Updates) -# 18.9.77.12 Threats -# 18.9.77.13 Windows Defender Exploit Guard -# 18.9.77.13.1 Attack Surface Reduction -# 18.9.77.13.2 Controlled Folder Access -# 18.9.77.13.3 Network Protection -win2022cis_18_9_77_13_3_1: {{ rule_18_9_77_13_3_1 }} -win2022cis_18_9_77_14: {{ rule_18_9_77_14 
}} -win2022cis_18_9_77_15: {{ rule_18_9_77_15 }} -# 18.9.78 Windows Defender Application Guard -# 18.9.79 Windows Defender Exploit Guard -# 18.9.80 Windows Defender SmartScreen -# 18.9.80.1 Explorer -win2022cis_18_9_80_1_1: {{ rule_18_9_80_1_1 }} -# 18.9.81 Windows Error Reporting -# 18.9.82 Windows Game Recording and Broadcasting -# 18.9.83 Windows Hello for Business (formerly Microsoft Passport for Work) -# 18.9.84 Windows Ink Workspace -win2022cis_18_9_84_1: {{ rule_18_9_84_1 }} -win2022cis_18_9_84_2: {{ rule_18_9_84_2 }} -# 18.9.85 Windows Installer -win2022cis_18_9_85_1: {{ rule_18_9_85_1 }} -win2022cis_18_9_85_2: {{ rule_18_9_85_2 }} -win2022cis_18_9_85_3: {{ rule_18_9_85_3 }} -# 18.9.86 Windows Logon Options -win2022cis_18_9_86_1: {{ rule_18_9_86_1 }} -# 18.9.87 Windows Mail -# 18.9.88 Windows Media Center -# 18.9.89 Windows Media Digital Rights Management -# 18.9.90 Windows Media Player -# 18.9.91 Windows Meeting Space -# 18.9.92 Windows Messenger -# 18.9.93 Windows Mobility Center -# 18.9.94 Windows Movie Maker -# 18.9.95 Windows PowerShell -win2022cis_18_9_95_1: {{ rule_18_9_95_1 }} -win2022cis_18_9_95_2: {{ rule_18_9_95_2 }} -# 18.9.96 Windows Reliability Analysis -# 18.9.97 Windows Remote Management (WinRM) -# 18.9.97.1 WinRM Client -win2022cis_18_9_97_1_1: {{ rule_18_9_97_1_1 }} -win2022cis_18_9_97_1_2: {{ rule_18_9_97_1_2 }} -win2022cis_18_9_97_1_3: {{ rule_18_9_97_1_3 }} -# 18.9.97.2 WinRM Service -win2022cis_18_9_97_2_1: {{ rule_18_9_97_2_1 }} -win2022cis_18_9_97_2_2: {{ rule_18_9_97_2_2 }} -win2022cis_18_9_97_2_3: {{ rule_18_9_97_2_3 }} -win2022cis_18_9_97_2_4: {{ rule_18_9_97_2_4 }} -# 18.9.98 Windows Remote Shell -win2022cis_18_9_98_1: {{ rule_18_9_98_1 }} -# 18.9.99 Windows Security (formerly Windows Defender Security Center) -# 18.9.99.1 Account protection -# 18.9.99.2 App and browser protection -win2022cis_18_9_99_2_1: {{ rule_18_9_99_2_1 }} -# 18.9.100 Windows SideShow -# 18.9.101 Windows System Resource Manager -# 18.9.102 Windows Update -# 
18.9.102.1 Windows Update for Business (formerly Defer Windows Updates) -win2022cis_18_9_102_1_1: {{ rule_18_9_102_1_1 }} -win2022cis_18_9_102_1_2: {{ rule_18_9_102_1_2 }} -win2022cis_18_9_102_1_3: {{ rule_18_9_102_1_3 }} -win2022cis_18_9_102_2: {{ rule_18_9_102_2 }} -win2022cis_18_9_102_3: {{ rule_18_9_102_3 }} -win2022cis_18_9_102_4: {{ rule_18_9_102_4 }} - -################### -# Section_18_Vars # -################### -win2022_eventlog_app_max_size: {{ app_maxsize }} -win2022_eventlog_sec_max_size: {{ sec_maxsize }} -win2022_eventlog_setup_max_size: 32768 -win2022_eventlog_sys_max_size: {{ sys_maxsize }} -win2022cis_autoupdate_enabled: '0' -win2022cis_autoupdate_option: {{ win16cis_wupdate_options }} # 2 - Notify for download and auto install # 3 -Auto download and notify for instal # 4 - Auto download and schedule the install -win2022cis_autoupdate_day: 0 # 0 - everyday - -############## -# Section_19 # -############## -# 19 Administrative Templates (User) -# 19.1 Control Panel -# 19.1.1 Add or Remove Programs -# 19.1.2 Display -# 19.1.3 Personalization (formerly Desktop Themes) -win2022cis_19_1_3_1: {{ rule_19_1_3_1 }} -win2022cis_19_1_3_2: {{ rule_19_1_3_2 }} -win2022cis_19_1_3_3: {{ rule_19_1_3_3 }} -win2022cis_19_1_3_4: {{ rule_19_1_3_4 }} -# 19.2 Desktop -# 19.3 Network -# 19.4 Shared Folders -# 19.5 Start Menu and Taskbar -# 19.5.1 Notifications -win2022cis_19_5_1_1: {{ rule_19_5_1_1 }} -# 19.6 System -# 19.6.1 Ctrl+Alt+Del Options -# 19.6.2 Display -# 19.6.3 Driver Installation -# 19.6.4 Folder Redirection -# 19.6.5 Group Policy -# 19.6.6 Internet Communication Management -# 19.6.6.1 Internet Communication settings -win2022cis_19_6_6_1_1: {{ rule_19_6_6_1_1 }} -# 19.7 Windows Components -# 19.7.1 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade) -# 19.7.2 App runtime -# 19.7.3 Application Compatibility -# 19.7.4 Attachment Manager -win2022cis_19_7_4_1: {{ rule_19_7_4_1 }} -win2022cis_19_7_4_2: {{ rule_19_7_4_2 }} -# 19.7.5 AutoPlay 
Policies -# 19.7.6 Backup -# 19.7.7 Cloud Content -win2022cis_19_7_7_1: {{ rule_19_7_7_1 }} -win2022cis_19_7_7_2: {{ rule_19_7_7_2 }} -win2022cis_19_7_7_3: {{ rule_19_7_7_3 }} -win2022cis_19_7_7_4: {{ rule_19_7_7_4 }} -# 19.7.8 Credential User Interface -# 19.7.9 Data Collection and Preview Builds -# 19.7.10 Desktop Gadgets -# 19.7.11 Desktop Window Manager -# 19.7.12 Digital Locker -# 19.7.13 Edge UI -# 19.7.14 File Explorer (formerly Windows Explorer) -# 19.7.15 File Revocation -# 19.7.16 IME -# 19.7.17 Import Video -# 19.7.18 Instant Search -# 19.7.19 Internet Explorer -# 19.7.20 Location and Sensors -# 19.7.21 Microsoft Edge -# 19.7.22 Microsoft Management Console -# 19.7.23 Microsoft User Experience Virtualization -# 19.7.24 NetMeeting -# 19.7.25 Network Projector -# 19.7.26 Network Sharing -win2022cis_19_7_26_1: {{ rule_19_7_26_1 }} -# 19.7.27 OOBE -# 19.7.28 Presentation Settings -# 19.7.29 Remote Desktop Services (formerly Terminal Services) -# 19.7.30 RSS Feeds -# 19.7.31 Search -# 19.7.32 Sound Recorder -# 19.7.33 Store -# 19.7.34 Tablet PC -# 19.7.35 Task Scheduler -# 19.7.36 Windows Calendar -# 19.7.37 Windows Color System -# 19.7.38 Windows Defender SmartScreen -# 19.7.39 Windows Error Reporting -# 19.7.40 Windows Hello for Business (formerly Microsoft Passport for Work) -# 19.7.41 Windows Installer -win2022cis_19_7_41_1: {{ rule_19_7_41_1 }} -# 19.7.42 Windows Logon Options -# 19.7.43 Windows Mail -# 19.7.44 Windows Media Center -# 19.7.45 Windows Media Player -# 19.7.45.1 Networking -# 19.7.45.2 Playback -win2022cis_19_7_45_2_1: {{ rule_19_7_45_2_1 }} - - -################### -# Section_19_Vars # -################### -win2022cis_screensaver_file: scrnsave.scr -win2022cis_screensaver_timeout: '900' -############################## -## Global command Variables ## -############################## -# powershell commands -audit_scripts_dir: {{ audit_scripts_dir }} -reboot_check: 'powershell -c ({{ audit_scripts_dir }}/scripts/pending_reboot.ps1 
localhost).IsPendingReboot'
-ps_regcheck: 'powershell -noprofile -noninteractive -command'
-gpo_regex_script: 'powershell {{ audit_scripts_dir }}/scripts/gpo_regex.ps1'
-standalone_script: 'powershell {{ audit_scripts_dir }}/scripts/standalone.ps1'
-audit_ps_cmd: Select-String -Path
-# Registry_paths
-# CurrentControlSet/Lsa
-
-# Get Parameter
-HKLM_CCS_LANWORK: get-itempropertyValue -path 'HKLM:/SYSTEM/CurrentControlSet/Services/LanmanWorkStation/Parameters'
-HKLM_CCS_LANSERVER: get-itempropertyValue -path 'HKLM:/SYSTEM/CurrentControlSet/Services/LanmanServer/Parameters'
-HKLM_CCS_LDAP: get-itempropertyValue -path 'HKLM:/SYSTEM/CurrentControlSet/Services/LDAP/'
-HKLM_CCS_LSA: get-itempropertyValue -path 'HKLM:/SYSTEM/CurrentControlSet/Control/Lsa/'
-HKLM_CCS_NETLOGON: 'HKLM:/SYSTEM/CurrentControlSet/Services/Netlogon/Parameters'
-HKLM_CV_SYSTEM: get-itempropertyValue -path 'HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/'
-HKLM_KERB: get-itempropertyValue -path 'HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System/Kerberos/Parameters'
-HKLM_NT_WINLOGON: get-itempropertyValue -path 'HKLM:/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Winlogon'
-HKLM_WIN_PERSON: get-itempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/Personalization'
-HKLM_MS_SVCS: get-itempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft Services/AdmPwd'
-HKLM_TCPIP4: get-itempropertyValue -path 'HKLM:/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters'
-HKLM_TCPIP6: get-itempropertyValue -path 'HKLM:/SYSTEM/CurrentControlSet/Services/Tcpip6/Parameters'
-HKLM_DEV_GUARD: get-ItempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/DeviceGuard'
-HKLM_WIN_SYSTEM: get-ItempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/System'
-HKLM_EXPLORER: get-itempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/Explorer'
-HKLM_CV_EXPLORER: get-itempropertyValue -path 'HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/Explorer'
-HKLM_TERM_SVCS: get-itempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows NT/Terminal Services'
-HKLM_WINRM_CLT: get-itempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/WinRM/Client'
-HKLM_WINRM_SVC: get-itempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/WinRM/Service'
-HKLM_WIN_UPDATE: get-itempropertyValue -path 'HKLM:/SOFTWARE/Policies/Microsoft/Windows/WindowsUpdate'
-HKCU_CP_PERSONAL: get-itempropertyvalue -path 'HKCU:/SOFTWARE/Policies/Microsoft/Windows/Personalization/'
-HKCU_CP_DESKTOP: get-itempropertyvalue -path 'HKCU:/SOFTWARE/Policies/Microsoft/Windows/Control Panel/Desktop'
-HKLM_POL_FW_DOM: get-itempropertyvalue -path 'HKLM:/SOFTWARE/Policies/Microsoft/WindowsFirewall/DomainProfile'
-HKLM_POL_FW_PRV: get-itempropertyvalue -path 'HKLM:/SOFTWARE/Policies/Microsoft/WindowsFirewall/PrivateProfile'
-HKLM_POL_FW_PUB: get-itempropertyvalue -path 'HKLM:/SOFTWARE/Policies/Microsoft/WindowsFirewall/PublicProfile'
-# Known Security identified names
-## https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
-everyone_sid: '*S-1-1-0'
-auth_users_sid: '*S-1-5-11'
-local_svc_sid: '*S-1-5-19'
-local_net_sid: '*S-1-5-20'
-admin_sid: '*S-1-5-32-544'
-user_sid: '*S-1-5-32-545'
-guest_sid: '*S-1-5-32-546'
-backup_sid: '*S-1-5-32-551'
-remote_desktop_sid: '*S-1-5-32-555'
-nt_svc_sid: '*S-1-5-80-'
diff --git a/templates/banner.txt b/templates/banner.txt
new file mode 100644
index 0000000..971be87
--- /dev/null
+++ b/templates/banner.txt
@@ -0,0 +1,15 @@
+░█████╗░███╗░░██╗░██████╗██╗██████╗░██╗░░░░░███████╗
+██╔══██╗████╗░██║██╔════╝██║██╔══██╗██║░░░░░██╔════╝
+███████║██╔██╗██║╚█████╗░██║██████╦╝██║░░░░░█████╗░░
+██╔══██║██║╚████║░╚═══██╗██║██╔══██╗██║░░░░░██╔══╝░░
+██║░░██║██║░╚███║██████╔╝██║██████╦╝███████╗███████╗
+╚═╝░░╚═╝╚═╝░░╚══╝╚═════╝░╚═╝╚═════╝░╚══════╝╚══════╝
+ ██╗░░░░░░█████╗░░█████╗░██╗░░██╗██████╗░░█████╗░░██╗░░░░░░░██╗███╗░░██╗
+ ██║░░░░░██╔══██╗██╔══██╗██║░██╔╝██╔══██╗██╔══██╗░██║░░██╗░░██║████╗░██║
+ ██║░░░░░██║░░██║██║░░╚═╝█████═╝░██║░░██║██║░░██║░╚██╗████╗██╔╝██╔██╗██║
+ ██║░░░░░██║░░██║██║░░██╗██╔═██╗░██║░░██║██║░░██║░░████╔═████║░██║╚████║
+ ███████╗╚█████╔╝╚█████╔╝██║░╚██╗██████╔╝╚█████╔╝░░╚██╔╝░╚██╔╝░██║░╚███║
+ ╚══════╝░╚════╝░░╚════╝░╚═╝░░╚═╝╚═════╝░░╚════╝░░░░╚═╝░░░╚═╝░░╚═╝░░╚══╝
+ .------------------------------.
+ | SUPPORTED BY MINDPOINT GROUP |
+ '------------------------------'
diff --git a/vars/main.yml b/vars/main.yml
index e84169b..51f62e8 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,35 +1,19 @@ --- -# These are variables that shouldn't be edited by the end user +# vars file for Windows-2022-CIS -# 2.3.7.4 -# win22cis_legalnoticetext is the text that makes the logon legal notice -# This value should stay as the default becuase scanners look for this exact text -win22cis_legalnoticetext: | - You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. +# Used to control warning summary +warn_control_list: "" +warn_count: 0 - By using this IS (which includes any device attached to this IS), you consent to the following conditions: +# lockdown_banner sets the variable that is created for the banner. +lockdown_banner: "{{lookup('file', './templates/banner.txt')}}" - -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. +# win22cis_cloud_based_system will be changed to true if discovered. +win22cis_cloud_based_system: false - -At any time, the USG may inspect and seize data stored on this IS. - - -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. - - -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. - - -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. 
- -# 2.3.7.6 -# win22cis_legalnoticecaption is the caption for the logon legal notice -# This value should stay as the default because scanners look for htis exact text -win22cis_legalnoticecaption: "DoD Notice and Consent Banner" - -# This SID is the same for standalone, member, domain controller for 'Administrators' group -sedebugprivilege: "*S-1-5-32-544" - -# 2.2.33 -# Window Manager\Window Manager Group only exists on non Core installations -# windows_installation_type should be 'Server Core' for Core installations -# This is a variable to determine if Windows Manager should be included in this step -win22cis_increase_scheduling_priority_users: '{{ ["Administrators"] if (windows_installation_type=="Server Core") else (["Administrators","Window Manager\Window Manager Group"]) }}' +# These are default values that will be changed when the prelim +# runs and finds the correct setting. +win2022cis_is_standalone: false +win2022cis_is_domain_controller: false +win2022cis_is_domain_member: false
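Review bot: The logon-notice variables `win22cis_legalnoticetext` and `win22cis_legalnoticecaption` (and `sedebugprivilege`, `win22cis_increase_scheduling_priority_users`) are removed from vars/main.yml along with the comment that compliance scanners match their exact text; this diff does not show where they land, so if the 2.3.7.4/2.3.7.6 tasks still reference them they are now undefined, and if they moved to a user-editable defaults file the scanner caveat should move with them. The new header `# vars file for Windows-2022-CIS` also drops the statement that this file is not meant to be edited by the end user, which matters because role `vars/` take precedence over `defaults/` and inventory; suggest `# Role vars: high precedence, not intended to be overridden by the end user`. On the new `lockdown_banner` line, `./templates/banner.txt` is resolved through the controller's file-lookup search path rather than pinned to the role directory, so `"{{ lookup('file', role_path ~ '/templates/banner.txt') }}"` would make the source explicit (and restores the Jinja spacing the rest of the role uses).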