From cb0ec52e38eb25924e8f8560a8cb0ff3bb4aa4d0 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Thu, 26 Jan 2023 14:18:00 -0500
Subject: [PATCH 01/95] initial commit
Signed-off-by: George Nalen
---
 CONTRIBUTING.rst | 66 +++++++++++++++++++++++++++++++++++++++++++
 LICENSE | 2 +-
 README.md | 72 ++++++++++++++++++++++++++++++++++++++++++++++-
 defaults/main.yml | 2 ++
 handlers/main.yml | 2 ++
 meta/main.yml | 52 ++++++++++++++++++++++++++++++++++
 site.yml | 6 ++++
 tasks/main.yml | 2 ++
 tests/inventory | 2 ++
 tests/test.yml | 5 ++++
 vars/main.yml | 2 ++
 11 files changed, 211 insertions(+), 2 deletions(-)
 create mode 100644 CONTRIBUTING.rst
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 meta/main.yml
 create mode 100644 site.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tests/inventory
 create mode 100644 tests/test.yml
 create mode 100644 vars/main.yml
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
new file mode 100644
index 0000000..a5c4e03
--- /dev/null
+++ b/CONTRIBUTING.rst
@@ -0,0 +1,66 @@
+Contributing to MindPoint Group Projects
+========================================
+
+Rules
+-----
+1) All commits must be GPG signed (details in Signing section)
+2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section)
+3) All work is done in your own branch
+4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
+5) Be open and nice to eachother
+
+Workflow
+--------
+- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
+- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
+- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
+Signing your contribution
+-------------------------
+
+We've chosen to use the Developer's Certificate of Origin (DCO) method
+that is employed by the Linux Kernel Project, which provides a simple
+way to contribute to MindPoint Group projects.
+ +The process is to certify the below DCO 1.1 text +:: + + Developer's Certificate of Origin 1.1 + + By making a contribution to this project, I certify that: + + (a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + + (b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + + (c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + + (d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +:: + +Then, when it comes time to submit a contribution, include the +following text in your contribution commit message: + +:: + + Signed-off-by: Joan Doe + +:: + + +This message can be entered manually, or if you have configured git +with the correct `user.name` and `user.email`, you can use the `-s` +option to `git commit` to automatically include the signoff message. \ No newline at end of file diff --git a/LICENSE b/LICENSE index 927b87d..39810af 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2022 Ansible Lockdown +Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal 
diff --git a/README.md b/README.md index 8473ad6..2d1b764 100644 --- a/README.md +++ b/README.md @@ -1 +1,71 @@ -# Windows-2022-STIG \ No newline at end of file +Windows Server 2022 DISA STIG +========= + +![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-STIG?style=plastic) + +Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. + +This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 1 released on September 9, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R1_STIG.zip). + +Caution(s) +------- +This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. + +This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. + +To use release version please point to main branch +Based on [Windows Server 2022 DISA STIG](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R1_STIG.zipp). + +Documentation +------------- +[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2022-STIG/)
+ +Requirements +------------ +**General:** +- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible + - [Main Ansible documentation page](https://docs.ansible.com) + - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) + - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) + - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. + +**Technical Dependencies:** +- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer) + +The following packages must be installed on the controlling host/host where ansible is executed: + +- passlib (or python2-passlib, if using python2) +- python-lxml +- python-xmltodict +- python-jmespath +- pywinrm + +Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. + +Role Variables +-------------- +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. 
All variables have comments to describe variable details in defaults/main.yml + +Branches +-------- +- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch +- **main** - This is the release branch +- **reports** - This is a protected branch for our scoring reports, no code should ever go here +- **gh-pages** - This is the github pages branch +- **all other branches** - Individual community member branches + +Community Contribution +---------------------- + +We encourage you (the community) to contribute to this role. Please read the rules below. + +- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- All community Pull Requests are pulled into the devel branch +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..5a35176 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for Windows-2022-STIG diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..023c9eb --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for Windows-2022-STIG diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/meta/main.yml 
@@ -0,0 +1,52 @@
+galaxy_info:
+ author: your name
+ description: your role description
+ company: your company (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.1
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..2161d3d
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,6 @@
+---
+
+- hosts: all # noqa: name[play]
+
+ roles:
+ - role: "{{ playbook_dir }}"
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..abbce55
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# tasks file for Windows-2022-STIG
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..451da48
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - Windows-2022-STIG
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..b87d046
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for Windows-2022-STIG
From 0c4a5dab83cb5a4fb17b03f12520267d2b176aef Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Fri, 16 Jun 2023 15:39:55 -0400
Subject: [PATCH 02/95] update readme 1
Signed-off-by: Frederick Witty
---
 CONTRIBUTING.rst | 2 +-
 README.md | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index a5c4e03..c8fa576 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -63,4 +63,4 @@ following text in your contribution commit message:
 This message can be entered manually, or if you have configured git
 with the correct `user.name` and `user.email`, you can use the `-s`
-option to `git commit` to automatically include the signoff message.
\ No newline at end of file
+option to `git commit` to automatically include the signoff message.
diff --git a/README.md b/README.md
index 2d1b764..dc413da 100644
--- a/README.md
+++ b/README.md
@@ -3,12 +3,13 @@ Windows Server 2022 DISA STIG ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-STIG?style=plastic) -Configure a Windows Server 2019 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. +Configure a Windows Server 2022 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. -This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 1 released on September 9, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R1_STIG.zip). +This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip). Caution(s) ------- + This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. @@ -18,6 +19,7 @@ Based on [Windows Server 2022 DISA STIG](https://dl.dod.cyber.mil/wp-content/upl Documentation ------------- + [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
@@ -26,16 +28,19 @@ Documentation Requirements ------------ + **General:** + - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible - [Main Ansible documentation page](https://docs.ansible.com) - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) -- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. - Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** + - Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer) The following packages must be installed on the controlling host/host where ansible is executed: 
@@ -50,10 +55,12 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat Role Variables -------------- + This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. All variables have comments to describe variable details in defaults/main.yml Branches -------- + - **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch - **main** - This is the release branch - **reports** - This is a protected branch for our scoring reports, no code should ever go here From 39543be93646dd5b9ce83f6dcf9a0f628bcc8f98 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 20 Jun 2023 15:40:24 -0400 Subject: [PATCH 03/95] update prelim, task, and linting ignore1 Signed-off-by: Frederick Witty --- .ansible-lint | 24 ++++++++++++ .gitignore | 45 ++++++++++++++++++++++ .yamllint | 34 ++++++++++++++++ CONTRIBUTING.rst | 3 +- README.md | 4 +- collections/requirements.yml | 8 ++++ handlers/main.yml | 4 ++ meta/main.yml | 75 ++++++++++++++---------------------- tasks/main.yml | 36 +++++++++++++++++ tasks/prelim.yml | 41 ++++++++++++++++++++ tests/inventory | 2 - tests/test.yml | 5 --- 12 files changed, 224 insertions(+), 57 deletions(-) create mode 100644 .ansible-lint create mode 100644 .gitignore create mode 100644 .yamllint create mode 100644 collections/requirements.yml create mode 100644 tasks/prelim.yml delete mode 100644 tests/inventory delete mode 100644 tests/test.yml diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..39c4d62 --- /dev/null +++ b/.ansible-lint 
@@ -0,0 +1,24 @@
+---
+
+parseable: true
+quiet: true
+skip_list:
+ - 'schema'
+ - 'no-changed-when'
+ - 'fqcn-builtins'
+ - 'experimental'
+ - 'fqcn[action-core]'
+ - 'fqcn[action]'
+ - 'name[casing]'
+ - 'name[template]'
+ - 'jinja[spacing]'
+ - 'var-naming' # Older playbook no new release
+ - '204'
+ - '208'
+ - '305'
+ - '303'
+ - '403'
+ - '306'
+ - '602'
+use_default_rules: true
+verbosity: 0
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4e3ce79
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,45 @@
+.env
+*.log
+*.retry
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+vagrant
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/
diff --git a/.yamllint b/.yamllint
new file mode 100644
index 0000000..a49f497
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,34 @@
+---
+
+extends: default
+
+ignore: |
+ tests/
+ molecule/
+ .github/
+ .gitlab-ci.yml
+ *molecule.yml
+
+rules:
+ indentation:
+ # Requiring 4 space indentation
+ spaces: 4
+ # Requiring consistent indentation within a file, either indented or not
+ indent-sequences: consistent
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ empty-lines:
+ max: 1
+ line-length: disable
+ key-duplicates: enable
+ new-line-at-end-of-file: enable
+ new-lines:
+ type: unix
+ trailing-spaces: enable
+ truthy:
+ allowed-values: ['true', 'false']
+ check-keys: false
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index c8fa576..dda5127 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -7,13 +7,14 @@ Rules 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) 3) All work is done in your own branch 4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) -5) Be open and nice to eachother +5) Be open and nice to each other Workflow -------- - Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge - All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release + Signing your contribution ------------------------- diff --git a/README.md b/README.md index dc413da..e8ae696 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,11 @@ Windows Server 2022 DISA STIG -========= +============================= ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-STIG?style=plastic) Configure a Windows Server 2022 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. -This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2022](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip). +This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip). Caution(s) ------- 
diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..97aad6f
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,8 @@
+---
+
+collections:
+ - name: ansible.windows
+
+ - name: community.windows
+
+ - name: community.general
diff --git a/handlers/main.yml b/handlers/main.yml
index 023c9eb..3a979e9 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
 # handlers file for Windows-2022-STIG
+
+- name: Reboot_Windows
+ ansible.windows.win_reboot:
+ reboot_timeout: 3600
diff --git a/meta/main.yml b/meta/main.yml
index c572acc..ff0d7f9 100644
--- a/meta/main.yml
+++ b/meta/main.yml
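Review bot: `Reboot_Windows` restarts the managed host unconditionally whenever it is notified, and a remediation role of this kind will presumably notify it from registry and policy changes, so a production server can be rebooted mid-run with no inventory-level way to defer it. Guard the handler on a documented default, for example (a constructed name) `when: win2022stig_allow_reboot | bool` with the variable declared in defaults/main.yml, and state in the README that skipping the reboot leaves some controls pending until the next restart. `reboot_timeout: 3600` also deserves a one-line comment such as `# seconds to wait for the host to come back after the restart, not a delay before it` so operators do not misread it.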
@@ -1,52 +1,33 @@ -galaxy_info: - author: your name - description: your role description - company: your company (optional) - - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker +--- - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) - - min_ansible_version: 2.1 +galaxy_info: + author: "George Nalen" + description: "Ansible Role to Apply the DISA Windows Server 2022 STIG" + company: "MindPoint Group" + license: MIT + role_name: windows22_stig + namespace: mindpointgroup + min_ansible_version: 2.10.1 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: + platforms: + - name: Windows Server + versions: + - 2022 - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + galaxy_tags: + - system + - security + - stig + - hardening + - benchmark + - microsoft + - windows + - complianceascode + - compliance - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. 
+ collections:
+ - ansible.windows
+ - community.windows
+ - community.general
-dependencies: []
- # List your role dependencies here, one per line. Be sure to remove the '[]' above,
- # if you add dependencies to this list.
+ dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
index abbce55..74d6999 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,2 +1,38 @@
 ---
+
 # tasks file for Windows-2022-STIG
+- name: Display Banner
+ ansible.builtin.debug:
+ msg: "{{ lockdown_banner.split('\n') }}"
+ tags:
+ - always
+
+- name: Gather distribution info
+ ansible.builtin.setup:
+ gather_subset: distribution,!all,!min
+ when:
+ - ansible_distribution is not defined
+ tags:
+ - always
+
+- name: Check OS version and family
+ ansible.builtin.assert:
+ that:
+ - ansible_os_family == 'Windows'
+ - ansible_distribution | regex_search('(Microsoft Windows Server 2022)')
+ success_msg: "{{ ansible_distribution }} {{ ansible_distribution_major_version }} is the detected operating system."
+ fail_msg: "This role can only be run against Windows Server 2022 Editions. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+ tags:
+ - always
+
+- name: Check ansible version
+ ansible.builtin.assert:
+ that: ansible_version.full is version_compare(win2022stig_min_ansible_version, '>=')
+ msg: You must use Ansible {{ win2022stig_min_ansible_version }} or greater
+ tags:
+ - always
+
+- name: Include the preliminary tasks
+ ansible.builtin.import_tasks: prelim.yml
+ tags:
+ - prelim_tasks
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
new file mode 100644
index 0000000..768c82a
--- /dev/null
+++ b/tasks/prelim.yml
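Review bot: `collections:` and `dependencies: []` on the new side are indented under `galaxy_info` (the removed `dependencies: []` sat at column 0), but Ansible reads both only as top-level keys of meta/main.yml, so the role's declared collection requirements and dependency list would be silently ignored; the rendering collapses whitespace, so confirm against the file. Dedent both to column 0 as siblings of `galaxy_info`: `collections:` with its three entries and `dependencies: []`. The `.ansible-lint` added in this same patch puts `schema` in `skip_list`, which is the rule that would otherwise report this, so the linter will not catch it. `min_ansible_version: 2.10.1` here also disagrees with the 2.9.1 that the README still states; pick one and use it in both places.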
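Review bot: `Display Banner` expands `lockdown_banner` and `Check ansible version` expands `win2022stig_min_ansible_version`, and neither is defined anywhere in this series so far (defaults/main.yml was created as a comment-only stub in patch 01 and is not in this patch's diffstat), so unless they arrive from inventory or extra vars the role aborts on its first task with an undefined-variable error. Declare both in defaults/main.yml in this commit, with `win2022stig_min_ansible_version: 2.10.1` matching the `min_ansible_version` set in meta/main.yml here. `Gather distribution info` collects only the `distribution` subset, so later tasks that read other facts (prelim.yml compares `ansible_virtualization_type`) should either gather the `virtual` subset here or guard with `is defined`; a comment on the `gather_subset:` line saying which facts the role relies on would make that explicit.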
@@ -0,0 +1,41 @@
+---
+
+- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available"
+ ansible.windows.win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
+ changed_when: false
+ failed_when: false
+ register: win2022_tpm_enabled
+ tags:
+ - always
+
+# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for
+# ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
+# This list is not complete and will be updated as we try on more cloud based services.
+# As of now testing is working in azure using Hyper-V. We are curently using this for reference:
+# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
+- name: Set Fact If Cloud Based System.
+ ansible.builtin.set_fact:
+ win19stig_cloud_based_system: true
+ when:
+ - ansible_virtualization_type == 'Hyper-V' or
+ ansible_virtualization_type == 'hvm' or
+ ansible_virtualization_type == 'kvm'
+ tags:
+ - always
+
+# 1 = disabled 0 = enabled
+# this reg key may be useful detect is secure conenctions enabled, etc?
+- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled"
+ ansible.windows.win_reg_stat:
+ path: HKLM:\System\CurrentControlSet\Control\Terminal Server
+ name: fDenyTSConnections
+ changed_when: false
+ failed_when: false
+ register: win2022_rdp_enabled
+ tags:
+ - always
+
+# remove this debug or set a verb level
+- name: win2022_rdp_enabled.value var
+ ansible.builtin.debug:
+ var: win2022_rdp_enabled.value
diff --git a/tests/inventory b/tests/inventory
deleted file mode 100644
index 878877b..0000000
--- a/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/tests/test.yml b/tests/test.yml
deleted file mode 100644
index 451da48..0000000
--- a/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - Windows-2022-STIG
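Review bot: The task named `PRELIM | Detect if Trusted Platform Module (TPM) is available` runs `(Get-CimInstance -ClassName Win32_OperatingSystem).ProductType`, which reports the Windows product type (workstation, domain controller or member server), not TPM presence, yet the result is registered as `win2022_tpm_enabled`, so any control keyed on that fact will branch on the wrong thing. Either rename the task and fact to describe product type, or query the TPM itself (the `Get-Tpm` cmdlet exposes `TpmPresent` and `TpmReady`) and keep the name. The cloud fact is set as `win19stig_cloud_based_system` while every other fact in this file uses the `win2022_` prefix, so rename it for consistency, and its `when:` compares `ansible_virtualization_type` unguarded, which fails as undefined when only the `distribution` fact subset was gathered as tasks/main.yml does; prefix the condition with `- ansible_virtualization_type is defined`. The trailing debug task that the comment already flags should be removed or given `verbosity: 1` before merge, and `failed_when: false` on both detection tasks hides genuine WinRM or permission failures, so consider narrowing it to the specific expected error.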
From 482890246a7cd761f1bec5b6fa3caf0bf1986109 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Tue, 20 Jun 2023 16:17:22 -0400
Subject: [PATCH 04/95] update readme1
Signed-off-by: Frederick Witty
---
 README.md | 145 ++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 108 insertions(+), 37 deletions(-)
diff --git a/README.md b/README.md
index e8ae696..2518306 100644
--- a/README.md
+++ b/README.md
@@ -1,37 +1,97 @@ -Windows Server 2022 DISA STIG -============================= +# Windows 2022 DISA STIG + +## Configure a Windows 2022 system to be [DISA STIG](https://public.cyber.mil/stigs/downloads/) compliant + +### Based on [Windows DISA STIG Version 1, Rel 3 released on May 17, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip) ![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-STIG?style=plastic) -Configure a Windows Server 2022 system to be DISA STIG compliant. All findings will be audited by default. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. +--- + +![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) +![Stars](https://img.shields.io/github/stars/ansible-lockdown/Windows-2022-STIG?label=Repo%20Stars&style=social) +![Forks](https://img.shields.io/github/forks/ansible-lockdown/Windows-2022-STIG?style=social) +![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) +[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) + +![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) + +![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/Windows-2022-STIG/windows_benchmark_testing_to_devel.yml?label=Devel%20Build%20Status) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2022-STIG/devel?color=dark%20green&label=Devel%20Branch%20commits) + +![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) +![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/Windows-2022-STIG/windows_benchmark_testing_to_main.yml?label=Build%20Status) +![Main Release 
Date](https://img.shields.io/github/release-date/ansible-lockdown/Windows-2022-STIG?label=Release%20Date) +![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/Windows-2022-STIG?label=Release%20Tag&&color=success) + +![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/Windows-2022-STIG?label=Open%20Issues) +![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/Windows-2022-STIG?label=Closed%20Issues&&color=success) +![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/Windows-2022-STIG?label=Pull%20Requests) + +![License](https://img.shields.io/github/license/ansible-lockdown/Windows-2022-STIG?label=License) + +--- + +## Looking for support? + +[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_2022_stig) + +[Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_2022_stig) + +### Community + +Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask questions, discuss features, or just chat with other Ansible-Lockdown users. + +--- + +## Caution(s) -This role is based on Windows Server 2022 DISA STIG: [Version 1, Rel 3 released on May 17, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip). +This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. -Caution(s) -------- +Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. -This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. +This role was developed against a clean install of the Windows 2022 operating system. 
If you are implementing to an existing system please review this role for any site specific changes that are needed. -This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. +To use release version please point to main branch and relevant release for the STIG benchmark you wish to work with. -To use release version please point to main branch -Based on [Windows Server 2022 DISA STIG](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R1_STIG.zipp). +--- -Documentation -------------- +## Matching a security Level for STIG -[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
-[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
-[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
-[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
-[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2022-STIG/)
+It is possible to to only run controls that are based on a particular for security level for STIG. +This is managed using tags: -Requirements ------------- +- CAT1 +- CAT2 +- CAT3 + +The control found in defaults main also need to reflect true so as this will allow the controls to run when the playbook is launched. + +## Coming from a previous release + +STIG releases always contain changes, it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. +This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. + +Further details can be seen in the [Changelog](./ChangeLog.md) + +## Auditing (new) + +Currently this release does not have a auditing tool. + +## Documentation + +- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/) +- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_WINDOWS_2022_stig) +- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_WINDOWS_2022_stig) +- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_WINDOWS_2022_stig) +- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_WINDOWS_2022_stig) + +## Requirements **General:** - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible + - [Main Ansible documentation page](https://docs.ansible.com) - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) 
@@ -41,10 +101,9 @@ Requirements **Technical Dependencies:** +- Windows 2022 - Other versions are not supported - Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer) - -The following packages must be installed on the controlling host/host where ansible is executed: - +- Python3 Ansible run environment - passlib (or python2-passlib, if using python2) - python-lxml - python-xmltodict 
@@ -53,26 +112,38 @@ The following packages must be installed on the controlling host/host where ansi Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible. -Role Variables --------------- +## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. All variables have comments to describe variable details in defaults/main.yml +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win22stig_disruption_high` to `yes`. -Branches --------- +## Tags -- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch -- **main** - This is the release branch -- **reports** - This is a protected branch for our scoring reports, no code should ever go here -- **gh-pages** - This is the github pages branch -- **all other branches** - Individual community member branches +Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag CCI-000366, this task will be skipped. The opposite can also happen where you run only controls tagged with CCI-000366. 
-Community Contribution ----------------------- +```sh +tags: + - WN22-00-000010 + - CAT2 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - SV-254238r848530_rule + - V-254238 +``` + +## Community Contribution We encourage you (the community) to contribute to this role. Please read the rules below. - Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. -- All community Pull Requests are pulled into the devel branch -- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved -- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release +- All community Pull Requests are pulled into the devel branch. +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved. +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release. + +## Pipeline Testing + +uses: + +- ansible-core 2.12 +- ansible collections - pulls in the latest version based on requirements file +- runs the audit using the devel branch +- This is an automated test that occurs on pull requests into devel From ec047d39a7891d1fa155b93ab385a34127893570 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 21 Jun 2023 15:49:56 -0400 Subject: [PATCH 05/95] update cat1-1 Signed-off-by: Frederick Witty --- LICENSE | 2 +- tasks/cat1.yml | 46 +++++++++++++++++++++++++++++++++++++++++ tasks/main.yml | 21 +++++++++++++++---- tasks/prelim.yml | 4 ++-- tasks/warning_facts.yml | 21 +++++++++++++++++++ 5 files changed, 87 insertions(+), 7 deletions(-) create mode 100644 tasks/cat1.yml create mode 100644 tasks/warning_facts.yml diff --git a/LICENSE b/LICENSE index 39810af..4ed247b 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise +Copyright (c) 2023 MindPoint Group / Lockdown Enterprise Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/tasks/cat1.yml b/tasks/cat1.yml new file mode 100644 index 0000000..631201d --- /dev/null +++ b/tasks/cat1.yml 
@@ -0,0 +1,46 @@ +--- + +- name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + block: + - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + + - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000290' + when: + - wn19_dc_000290 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-DC-000290 + - V-254413 + - CAT1 + - SRG-OS-000066-GPOS-00034 + - SV-254413r849055_rule + - CCI-000185 + - high + +# add some task/external variable for approved CAs, check for DoD and how to pull programatically +- name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." + block: + - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." 
+ + - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000300' + when: + - wn19_dc_000300 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-DC-000300 + - V-254414 + - SRG-OS-000066-GPOS-00034 + - SV-254414r849058_rule + - CCI-000185 + - high + - CAT1 diff --git a/tasks/main.yml b/tasks/main.yml index 74d6999..009178a 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -7,7 +7,7 @@ tags: - always -- name: Gather distribution info +- name: Gather Distribution Info ansible.builtin.setup: gather_subset: distribution,!all,!min when: @@ -15,7 +15,7 @@ tags: - always -- name: Check OS version and family +- name: Check OS Version and Family ansible.builtin.assert: that: - ansible_os_family == 'Windows' @@ -25,14 +25,27 @@ tags: - always -- name: Check ansible version +- name: Check Ansible Version ansible.builtin.assert: that: ansible_version.full is version_compare(win2022stig_min_ansible_version, '>=') msg: You must use Ansible {{ win2022stig_min_ansible_version }} or greater tags: - always -- name: Include the preliminary tasks +- name: Include the Preliminary Tasks ansible.builtin.import_tasks: prelim.yml tags: - prelim_tasks + +- name: Execute the Category 1 (Highest Severity) Tasks + ansible.builtin.import_tasks: cat1.yml + when: win2019stig_cat1_patch + tags: + - CAT1 + +- name: If Warnings Found Output Count and Control IDs Affected + ansible.builtin.debug: + msg: + - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID's are listed below:" + - "{{ warn_control_list }}" + when: warn_count != 0 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 768c82a..57d8d32 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
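Review bot: Both WN22-DC-000290 and WN22-DC-000300 in the `@@ -0,0 +1,46 @@` hunk of tasks/cat1.yml are gated on `ansible_windows_domain_role == "Primary domain controller"`, which excludes every additional domain controller because Windows reports those as "Backup domain controller"; the DC controls apply to all domain controllers, so the PKI warnings are never raised on them. Use a condition that covers both roles, for example `- ansible_windows_domain_role in ["Primary domain controller", "Backup domain controller"]`, or compute a single `win2022stig_is_dc` fact in prelim.yml and reference it here. The same condition is repeated for every WN22-DC-* block added in the later cat1.yml hunks (WN22-DC-000010, -000070, -000080, -000090, -000100, -000110), so fix it once in a shared fact rather than per task. The `when` also references `wn19_dc_000290`/`wn19_dc_000300`, which this commit's diffstat shows are not added to defaults/main.yml; an undefined variable in `when` fails the play on the first domain controller it reaches.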
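Review bot: `when: warn_count != 0` on the new "If Warnings Found" debug in the `@@ -25,14 +25,27 @@` hunk of tasks/main.yml compares whatever type `warn_count` currently holds; warning_facts.yml rewrites it as the templated string `"{{ warn_count | int + 1 }}"` (a string unless Jinja native types are enabled), and an override via extra vars also arrives as a string, so `"0" != 0` evaluates true and the summary prints with no warnings. Cast explicitly: `when: warn_count | int != 0`. The summary also relies on `warn_count` and `warn_control_list` having initial values; the diffstat for this commit does not touch vars/ or defaults/, so on a run where no warning task fires the debug would hit an undefined variable unless a later commit initialises them.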
@@ -1,6 +1,6 @@ --- -- name: "PRELIM | Detect if Trusted Platform Module (TPM) is available" +- name: "PRELIM | Detect if Trusted Platform Module (TPM) is Available" ansible.windows.win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType changed_when: false failed_when: false @@ -25,7 +25,7 @@ # 1 = disabled 0 = enabled # this reg key may be useful detect is secure conenctions enabled, etc? -- name: "PRELIM | Detect if Remote Desktop Services (RDP) is enabled" +- name: "PRELIM | Detect if Remote Desktop Services (RDP) is Enabled" ansible.windows.win_reg_stat: path: HKLM:\System\CurrentControlSet\Control\Terminal Server name: fDenyTSConnections diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml new file mode 100644 index 0000000..f62133f --- /dev/null +++ b/tasks/warning_facts.yml @@ -0,0 +1,21 @@ +--- + +# This task is used to create variables used in giving a warning summary for manual tasks +# that need attention +# +# The warn_control_list and warn_count vars start life in vars/main.yml but get updated +# as the tasks that have a warning complete +# +# Those two variables are used in the tasks/main.yml to display a list of warnings +# +# warn_control_id is set within the task itself and has the control ID as the value +# +# warn_control_list is the main variable to be used and is a list made up of the warn_control_id's +# +# warn_count the main variable for the number of warnings and each time a warn_control_id is added +# the count increases by a value of 1 + +- name: "NO CONTROL ID | AUDIT | Set Fact for Manual Task Warning" + ansible.builtin.set_fact: + warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]" + warn_count: "{{ warn_count | int + 1 }}" From c68e66d161042f3b984e407aced7dcc44077fe31 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 22 Jun 2023 08:47:36 -0400 Subject: [PATCH 06/95] update cat1-2 +add banner 
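Review bot: The header comment in the new tasks/warning_facts.yml says `warn_control_list` "is a list made up of the warn_control_id's", but the set_fact builds a space-separated string (`"{{ warn_control_list }} [{{ warn_control_id }}]"`), and `warn_count` likewise becomes a string after the first increment because templated set_fact values are not native ints unless Jinja native types are enabled. Either reword the comment to "a string of bracketed control IDs", or keep it a real list with `warn_control_list: "{{ warn_control_list + [warn_control_id] }}"` and an empty-list initial value in vars/main.yml; for `warn_count`, the consumer in tasks/main.yml should cast with `| int` before comparing. The comment's claim that these variables "start life in vars/main.yml" is not true at this commit (vars/ is not in the diffstat); note that the initial values must exist before any control imports this file.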
Signed-off-by: Frederick Witty --- templates/banner.txt | 15 +++++++++++++++ vars/main.yml | 10 ++++++++++ 2 files changed, 25 insertions(+) create mode 100644 templates/banner.txt diff --git a/templates/banner.txt b/templates/banner.txt new file mode 100644 index 0000000..971be87 --- /dev/null +++ b/templates/banner.txt @@ -0,0 +1,15 @@ +░█████╗░███╗░░██╗░██████╗██╗██████╗░██╗░░░░░███████╗ +██╔══██╗████╗░██║██╔════╝██║██╔══██╗██║░░░░░██╔════╝ +███████║██╔██╗██║╚█████╗░██║██████╦╝██║░░░░░█████╗░░ +██╔══██║██║╚████║░╚═══██╗██║██╔══██╗██║░░░░░██╔══╝░░ +██║░░██║██║░╚███║██████╔╝██║██████╦╝███████╗███████╗ +╚═╝░░╚═╝╚═╝░░╚══╝╚═════╝░╚═╝╚═════╝░╚══════╝╚══════╝ + ██╗░░░░░░█████╗░░█████╗░██╗░░██╗██████╗░░█████╗░░██╗░░░░░░░██╗███╗░░██╗ + ██║░░░░░██╔══██╗██╔══██╗██║░██╔╝██╔══██╗██╔══██╗░██║░░██╗░░██║████╗░██║ + ██║░░░░░██║░░██║██║░░╚═╝█████═╝░██║░░██║██║░░██║░╚██╗████╗██╔╝██╔██╗██║ + ██║░░░░░██║░░██║██║░░██╗██╔═██╗░██║░░██║██║░░██║░░████╔═████║░██║╚████║ + ███████╗╚█████╔╝╚█████╔╝██║░╚██╗██████╔╝╚█████╔╝░░╚██╔╝░╚██╔╝░██║░╚███║ + ╚══════╝░╚════╝░░╚════╝░╚═╝░░╚═╝╚═════╝░░╚════╝░░░░╚═╝░░░╚═╝░░╚═╝░░╚══╝ + .------------------------------. + | SUPPORTED BY MINDPOINT GROUP | + '------------------------------' diff --git a/vars/main.yml b/vars/main.yml index b87d046..2e63a14 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,2 +1,12 @@ --- + # vars file for Windows-2022-STIG +# Used to control warning summary +warn_control_list: "" +warn_count: 0 + +# This sets the variable that is created for the banner. +lockdown_banner: "{{lookup('file', './templates/banner.txt')}}" + +# This will be changed to true if discovered for cloud based systems. +wn19stig_cloud_based_system: false From 196ce68b4d167be065eff4881ed9bf23fefb31a4 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 22 Jun 2023 08:54:48 -0400 Subject: [PATCH 07/95] update cat1-3 Signed-off-by: Frederick Witty --- defaults/main.yml | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) 
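Review bot: `wn19stig_cloud_based_system: false` in the vars/main.yml hunk does not match the fact that tasks/prelim.yml sets, `win19stig_cloud_based_system: true`, so the "will be changed to true if discovered" comment is never honoured — any consumer of either name sees a constant. Pick one name for both files, with the role's prefix (`win2022stig_cloud_based_system`), and update the prelim `set_fact` and this default together. `warn_count: 0` is an int here while warning_facts.yml turns it into a string on the first increment; add a comment such as `# int here, becomes a string after set_fact - compare with | int` so the consumer in tasks/main.yml is written accordingly.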
diff --git a/defaults/main.yml b/defaults/main.yml index 5a35176..8ebda12 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,2 +1,43 @@ --- + # defaults file for Windows-2022-STIG +win2019stig_cat1_patch: true +win2019stig_cat2_patch: true +win2019stig_cat3_patch: true + +win2022stig_min_ansible_version: "2.10.1" + +# We've defined complexity-high to mean that we cannot automatically remediate +# the rule in question. In the future this might mean that the remediation +# may fail in some cases. +win2022stig_complexity_high: false + +# Show "changed" for complex items not remediated per complexity-high setting +# to make them stand out. "changed" items on a second run of the role would +# indicate items requiring manual review. +win2022stig_audit_complex: true + +# We've defined disruption-high to indicate items that are likely to cause +# disruption in a normal workflow. These items can be remediated automatically +# but are disabled by default to avoid disruption. +win2022stig_disruption_high: false + +# Show "changed" for disruptive items not remediated per disruption-high +# setting to make them stand out. +win2022stig_audit_disruptive: true + +# tweak role to run in a non-privileged container +win2022stig_system_is_container: false + +# set to false to skip long running tasks +long_running: false + +# win2022stig_skip_for_test is used in the playbook to skip over certain controls that +# may cause breaking changes when running it for testing purposes. +# Controls that will be skipped: +# WN22-CC-000470 - CAT1 +# WN22-CC-000500 - CAT1 +# WN22-CC-000480 - CAT2 +# WN22-CC-000510 - CAT2 +# WN22-CC-000520 - CAT2 +win2022stig_skip_for_test: false From a4865a90bf0b345c77e0fe673f7f64303bc3baaf Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 22 Jun 2023 08:58:53 -0400 Subject: [PATCH 08/95] update cat1-4 
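Review bot: `win2022stig_min_ansible_version: "2.10.1"` disagrees with the README updated earlier in this series, which states the role is tested against Ansible 2.9.1 and newer; the assertion in tasks/main.yml enforces this default, so either the README or this value should change to match. `long_running: false` is the only default without the `win2022stig_` prefix and will collide with any other role that uses the same generic name; rename it `win2022stig_long_running`. The comment on `win2022stig_skip_for_test` says WN22-CC-000470/000500 "may cause breaking changes when running it for testing purposes" without saying why: those tasks set WinRM `AllowBasic` to 0 on the client and service, which can end the Ansible WinRM session itself if it authenticates with Basic, so the caution applies to production runs as well; suggest `# these disable WinRM Basic auth - a controller connecting over Basic loses its session`.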
Signed-off-by: Frederick Witty --- defaults/main.yml | 43 ++++++++++++++++++++++++++++++++++++++++--- tasks/cat1.yml | 4 ++-- 2 files changed, 42 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8ebda12..e3caa07 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,9 +1,9 @@ --- # defaults file for Windows-2022-STIG -win2019stig_cat1_patch: true -win2019stig_cat2_patch: true -win2019stig_cat3_patch: true +win2022stig_cat1_patch: true +win2022stig_cat2_patch: true +win2022stig_cat3_patch: true win2022stig_min_ansible_version: "2.10.1" @@ -41,3 +41,40 @@ long_running: false # WN22-CC-000510 - CAT2 # WN22-CC-000520 - CAT2 win2022stig_skip_for_test: false + +# CAT 1 rules +wn22_00_000010: true +wn22_00_000030: true +wn22_00_000100: true +wn22_00_000110: true +wn22_00_000130: true +wn22_ac_000090: true +wn22_cc_000210: true +wn22_cc_000220: true +wn22_cc_000230: true +wn22_cc_000430: true +# WINRM CONTROL +wn22_cc_000470: true +wn22_cc_000500: true +# WINRM CONTROL END +wn22_dc_000010: true +wn22_dc_000070: true +wn22_dc_000080: true +wn22_dc_000090: true +wn22_dc_000100: true +wn22_dc_000110: true +wn22_dc_000150: true +wn22_dc_000290: true +wn22_dc_000300: true +wn22_ms_000010: true +wn22_ms_000140: true +wn22_so_000020: true +wn22_so_000210: true +wn22_so_000220: true +wn22_so_000230: true +wn22_so_000250: true +wn22_so_000300: true +wn22_so_000310: true +wn22_ur_000020: true +wn22_ur_000060: true +wn22_ur_000100: true diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 631201d..f490d5a 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -11,7 +11,7 @@ vars: warn_control_id: 'WN22-DC-000290' when: - - wn19_dc_000290 + - wn22_dc_000290 - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000290 @@ -34,7 +34,7 @@ vars: warn_control_id: 'WN22-DC-000300' when: - - wn19_dc_000300 + - wn22_dc_000300 - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000300 
From 369356a68ebdc6aa72ba49bb71562a22cec1a2e7 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 22 Jun 2023 12:29:50 -0400 Subject: [PATCH 09/95] update cat1-5 Signed-off-by: Frederick Witty --- tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/main.yml b/tasks/main.yml index 009178a..7bb0d10 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -39,7 +39,7 @@ - name: Execute the Category 1 (Highest Severity) Tasks ansible.builtin.import_tasks: cat1.yml - when: win2019stig_cat1_patch + when: win2022stig_cat1_patch tags: - CAT1 From 933476f28bec8de75e1154fc38bd9ecfe115faf0 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 22 Jun 2023 15:28:45 -0400 Subject: [PATCH 10/95] update cat1-6 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 186 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 185 insertions(+), 1 deletion(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index f490d5a..f511017 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -16,11 +16,11 @@ tags: - WN22-DC-000290 - V-254413 - - CAT1 - SRG-OS-000066-GPOS-00034 - SV-254413r849055_rule - CCI-000185 - high + - CAT1 # add some task/external variable for approved CAs, check for DoD and how to pull programatically - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." 
@@ -44,3 +44,187 @@ - CCI-000185 - high - CAT1 + +- name: "HIGH | WN22-AC-000090 | PATCH | Windows Server 2022 reversible password encryption must be disabled." + community.windows.win_security_policy: + section: System Access + key: ClearTextPassword + value: "0" + when: + - wn22_ac_000090 + tags: + - WN22-AC-000090 + - V-254293 + - SRG-OS-000073-GPOS-00041 + - SV-254293r877397_rule + - CCI-000196 + - high + - CAT1 + +- name: "HIGH | WN22-SO-000300 | PATCH | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + value: NoLMHash + data: 1 + datatype: dword + when: + - wn22_so_000300 + tags: + - WN22-SO-000300 + - V-254474 + - SRG-OS-000073-GPOS-00041 + - SV-254474r877397_rule + - CCI-000196 + - high + - CAT1 + +- name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." + block: + - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." + ansible.windows.win_shell: Get-Volume + changed_when: false + failed_when: false + check_mode: false + register: WN22_00_000130_audit + + - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out" + debug: + msg: "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format that supports NTFS attributes." + + - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task." 
+ ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000130' + when: + - WN22_00_000130 + tags: + - WN22-00-000130 + - V-205663 + - SRG-OS-000080-GPOS-00048 + - SV-254250r848566_rule + - CCI-000213 + - high + - CAT1 + +- name: "HIGH | WN22-CC-000470 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client + value: AllowBasic + data: 0 + datatype: dword + when: + - wn22_cc_000470 + - not win2022stig_skip_for_test + tags: + - WN22-CC-000470 + - V-254378 + - SRG-OS-000125-GPOS-00065 + - SV-254378r877395_rule + - CCI-000877 + - high + - CAT1 + +- name: "HIGH | WN22-CC-000500 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service + value: AllowBasic + data: 0 + datatype: dword + when: + - wn22_cc_000500 + - not win2022stig_skip_for_test + tags: + - WN22-CC-000500 + - V-254381 + - SRG-OS-000125-GPOS-00065 + - SV-254381r877395_rule + - CCI-000877 + - high + - CAT1 + +- name: "HIGH | WN22-SO-000230 | PATCH | Windows Server 2022 must not allow anonymous enumeration of shares." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + value: RestrictAnonymous + data: 1 + datatype: dword + when: + - wn22_so_000230 + tags: + - WN22-SO-000230 + - V-254467 + - SRG-OS-000138-GPOS-00069 + - SV-254467r849217_rule + - CCI-001090 + - high + - CAT1 + +- name: "HIGH | WN22-SO-000250 | PATCH | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares." 
+ ansible.windows.win_regedit: + path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters + value: restrictnullsessaccess + data: 1 + datatype: dword + when: + - wn22_so_000250 + tags: + - WN22-SO-000250 + - V-254469 + - SRG-OS-000138-GPOS-00069 + - SV-254469r849223_rule + - CCI-001090 + - high + - CAT1 + +- name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." + block: + - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." + ansible.windows.win_shell: get-localgroupmember administrators | Select name | Format-Table -HideTableHeaders + changed_when: false + failed_when: false + register: wn22_dc_000010_admin_usrs + + - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." + ansible.builtin.debug: + msg: + - "Alert! Below are the users in the administrators group. Please review and confirm all users should be in this group" + - "{{ wn22_dc_000010_admin_usrs.stdout_lines }}" + + - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000010' + when: + - wn22_dc_000010 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-DC-000010 + - V-254385 + - SRG-OS-000324-GPOS-00125 + - SV-254385r877392_rule + - CCI-002235 + - notest + - high + - CAT1 + +- name: "HIGH | WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access." 
+ block: + - name: "HIGH | WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access." + + - name: "WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000070' + when: + - wn22_dc_000070 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-DC-000070 + - V-254391 + - SRG-OS-000324-GPOS-00125 + - SV-254391r877392_rule + - CCI-002235 + - high + - CAT1 From dc591a98a5b977dd2fdf9ad027ee2b8b9d673b27 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 22 Jun 2023 15:32:47 -0400 Subject: [PATCH 11/95] update cat1-7 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index f511017..5311e37 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -85,7 +85,7 @@ changed_when: false failed_when: false check_mode: false - register: WN22_00_000130_audit + register: wn22_00_000130_audit - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out" debug: @@ -96,7 +96,7 @@ vars: warn_control_id: 'WN22-00-000130' when: - - WN22_00_000130 + - wn22_00_000130 tags: - WN22-00-000130 - V-205663 From 31d8c853d94ea2aa57fb8d13cd063241b91f3644 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 22 Jun 2023 16:26:55 -0400 Subject: [PATCH 12/95] update cat1-7 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 176 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 174 insertions(+), 2 deletions(-) 
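Review bot: The WN22-DC-000010 audit runs `get-localgroupmember administrators` with `failed_when: false` and without `check_mode: false`, so when the command fails (or the play runs in check mode) `wn22_dc_000010_admin_usrs.stdout_lines` is empty or undefined and the "Alert!" debug shows an empty membership while the warning counter still increments — a blank list reads as "nobody is an admin". Add `check_mode: false` as the WN22-00-000130 task already does, print `stderr_lines` next to `stdout_lines` so failures are visible, and confirm Get-LocalGroupMember returns the domain Administrators membership on a domain controller (otherwise `Get-ADGroupMember Administrators` is the query). WN22-CC-000470/000500 set `AllowBasic` to 0 on the WinRM client and service; if the controller reaches the host over WinRM Basic auth the service change ends that session mid-play, so either guard both with `- "'basic' not in (ansible_winrm_transport | default([]))"` or document the requirement where `win2022stig_skip_for_test` is defined. The WN22-00-000130 block registers `Get-Volume` output in `WN22_00_000130_audit` but never shows it, and uses bare `debug:` where every other task uses `ansible.builtin.debug`.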
diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 5311e37..c3bbaea 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -57,7 +57,7 @@ - V-254293 - SRG-OS-000073-GPOS-00041 - SV-254293r877397_rule - - CCI-000196 + - CCI-000226 - high - CAT1 @@ -74,7 +74,7 @@ - V-254474 - SRG-OS-000073-GPOS-00041 - SV-254474r877397_rule - - CCI-000196 + - CCI-000226 - high - CAT1 
@@ -228,3 +228,175 @@ - CCI-002235 - high - CAT1
+
+- name: "HIGH | WN22-DC-000080 | AUDIT | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions."
+ block:
+ - name: "HIGH | WN22-DC-000080 | AUDIT | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions."
+
+ - name: "HIGH | WN22-DC-000080 | AUDIT | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN22-DC-000080'
+ when:
+ - wn22_dc_000080
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN22-DC-000080
+ - V-254392
+ - SRG-OS-000324-GPOS-00125
+ - SV-254392r877392_rule
+ - CCI-002235
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-DC-000090 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions."
+ block:
+ - name: "HIGH | WN22-DC-000090 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions."
+
+ - name: "HIGH | WN22-DC-000090 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN22-DC-000090'
+ when:
+ - wn22_dc_000090
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN22-DC-000090
+ - V-205741
+ - SRG-OS-000324-GPOS-00125
+ - SV-205741r569188_rule
+ - CCI-002235
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-DC-000100 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions."
+ block:
+ - name: "HIGH | WN22-DC-000100 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions."
+
+ - name: "HIGH | WN22-DC-000100 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN22-DC-000100'
+ when:
+ - wn22_dc_000100
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN22-DC-000100
+ - V-254394
+ - SRG-OS-000324-GPOS-00125
+ - SV-254394r877392_rule
+ - CCI-002235
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-DC-000110 | AUDIT | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions."
+ block:
+ - name: "HIGH | WN22-DC-000110 | AUDIT | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. 
Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions."
+
+ - name: "HIGH | WN22-DC-000110 | AUDIT | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN22-DC-000110'
+ when:
+ - wn22_dc_000110
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN22-DC-000110
+ - V-254395
+ - SV-254395r877392_rule
+ - SRG-OS-000324-GPOS-00125
+ - CCI-002235
+ - high
+ - CAT1
+
+# populate a dictionary/list from customer
+- name: "HIGH | WN22-MS-000010 | AUDIT | Windows Server 2022 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system"
+ block:
+ - name: "HIGH | WN22-MS-000010 | AUDIT | Windows Server 2022 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system"
+ ansible.windows.win_shell: Get-LocalGroupMember -Name 'Administrators'
+ changed_when: false
+ check_mode: false
+ register: wn22_ms_000010_audit
+
+ - name: "HIGH | WN22-MS-000010 | AUDIT | Windows Server 2022 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system"
+ ansible.builtin.debug:
+ msg:
+ - The following users or groups have Administrator rights on this system
+ - "{{ wn22_ms_000010_audit.stdout.split('\n') }}"
+ changed_when: false
+
+ - name: "HIGH | WN22-MS-000010 | AUDIT | Windows Server 2022 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN22-MS-000010'
+ when:
+ - wn22_ms_000010
+ - "'controller' not in ansible_windows_domain_role"
+ tags:
+ - WN22-MS-000010
+ - V-254428
+ - SRG-OS-000324-GPOS-00125
+ - SV-254428r877392_rule
+ - CCI-002235
+ - audit
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-UR-000020 | PATCH | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts."
+ ansible.windows.win_user_right:
+ name: SeTcbPrivilege
+ users: []
+ action: set
+ when:
+ - wn22_ur_000020
+ tags:
+ - WN22-UR-000020
+ - V-254492
+ - SRG-OS-000324-GPOS-00125
+ - SV-254492r877392_rule
+ - CCI-002235
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-UR-000060 | PATCH | Windows Server 2022 Create a token object user right must not be assigned to any groups or accounts."
+ community.windows.win_security_policy:
+ section: Privilege Rights
+ key: SeCreateTokenPrivilege
+ value: ""
+ when:
+ - wn22_ur_000060
+ tags:
+ - WN22-UR-000060
+ - V-254496
+ - SRG-OS-000324-GPOS-00125
+ - SV-254496r877392_rule
+ - CCI-002235
+ - CAT1
+
+# fails openscap - the v1r10 xml checks for "Administrators" string but secedit uses the SIDs thus
+# "SeDebugPrivilege = *S-1-5-32-544" is Administrators (openscap fails)
+# emailed_disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil
+# SCC tool works
+- name: "HIGH | WN22-UR-000100 | PATCH | Windows Server 2022 Debug programs: user right must only be assigned to the Administrators group."
+ ansible.windows.win_user_right:
+ name: SeDebugPrivilege
+ users: Administrators
+ action: set
+ when:
+ - wn22_ur_000100
+ tags:
+ - WN22-UR-000100
+ - V-254500
+ - SRG-OS-000324-GPOS-00125
+ - SV-254500r877392_rule
+ - CCI-002235
+ - high
+ - CAT1
From 5ecd3a9d27368b7b95a135124f07e642b59af6b5 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 23 Jun 2023 12:24:21 -0400 Subject: [PATCH 13/95] update cat1-8
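Review bot: WN22-UR-000060 is the only task in this hunk whose tag list omits `high` (it ends `- CCI-002235` / `- CAT1`), so a run limited with `--tags high` silently skips this CAT1 control while the neighbouring UR tasks are applied; add `- high` before `- CAT1`. The same task clears SeCreateTokenPrivilege through `community.windows.win_security_policy` with `value: ""`, whereas WN22-UR-000020 and WN22-UR-000100 use `ansible.windows.win_user_right` with `users: []` / `action: set`; using win_user_right here as well keeps the three user-right tasks consistent and avoids depending on secedit's textual form. In WN22-MS-000010 the debug message uses `wn22_ms_000010_audit.stdout.split('\n')`, which will leave a trailing carriage return on each entry when the PowerShell output is CRLF-terminated; `wn22_ms_000010_audit.stdout_lines` gives the same list without it.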
Signed-off-by: Frederick Witty --- tasks/cat1.yml | 204 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 204 insertions(+) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index c3bbaea..9730a07 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
@@ -400,3 +400,207 @@ - CCI-002235 - high - CAT1
+
+- name: "HIGH | WN22-CC-000430 | PATCH | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
+ state: present
+ value: AlwaysInstallElevated
+ data: 0
+ datatype: dword
+ when:
+ - wn22_cc_000430
+ tags:
+ - WN22-CC-000430
+ - V-254374
+ - SRG-OS-000362-GPOS-00149
+ - SV-254374r848938_rule
+ - CCI-001812
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-CC-000210 | PATCH | Windows Server 2022 AutoPlay must be turned off for non-volume devices."
+ ansible.windows.win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ value: NoAutoplayfornonVolume
+ data: 1
+ datatype: dword
+ when:
+ - wn22_cc_000210
+ tags:
+ - WN22-CC-000210
+ - V-254352
+ - SRG-OS-000368-GPOS-00154
+ - SV-254352r848872_rule
+ - CCI-001764
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-CC-000220 | PATCH | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
+ value: NoAutorun
+ data: 1
+ datatype: dword
+ when:
+ - wn22_cc_000220
+ tags:
+ - WN22-CC-000220
+ - V-254353
+ - SRG-OS-000368-GPOS-00154
+ - SV-254353r848875_rule
+ - CCI-001764
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-CC-000230 | PATCH | Windows Server 2022 AutoPlay must be disabled for all drives."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
+ name: NoDriveTypeAutoRun
+ data: 255
+ datatype: dword
+ when: wn22_cc_000230
+ tags:
+ - WN22-CC-000230
+ - V-254354
+ - SV-254354r848878_rule
+ - SRG-OS-000368-GPOS-00154
+ - CCI-001764
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email."
+ block:
+ - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email."
+
+ - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN22-00-000030'
+ when:
+ - wn22_00_000030
+ tags:
+ - WN22-00-000030
+ - V-254240
+ - SRG-OS-000480-GPOS-00227
+ - SV-254240r848536_rule
+ - CCI-000366
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access."
+ block:
+ - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. 
Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access."
+
+ - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN22-DC-000150'
+ when:
+ - wn22_dc_000150
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN22-DC-000150
+ - V-254399
+ - SRG-OS-000480-GPOS-00227
+ - SV-254399r849013_rule
+ - CCI-000366
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-MS-000140 | PATCH | Windows Server 2022 must be running Credential Guard on domain-joined member servers."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ value: "{{ item }}"
+ data: 1
+ datatype: dword
+ with_items:
+ - EnableVirtualizationBasedSecurity
+ - RequirePlatformSecurityFeatures
+ - HypervisorEnforcedCodeIntegrity
+ - HVCIMATRequired
+ - LsaCfgFlags
+ when:
+ - wn22_ms_000140
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN22-MS-000140
+ - V-254441
+ - SRG-OS-000480-GPOS-00227
+ - SV-254441r849139_rule
+ - CCI-000366
+ - NeedToTestMemberServer
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-SO-000020 | PATCH | Windows Server 2022 must prevent local accounts with blank passwords from being used from the network."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ value: LimitBlankPasswordUse
+ data: 1
+ datatype: string
+ when:
+ - wn22_so_000020
+ tags:
+ - WN22-SO-000020
+ - V-254446
+ - SV-254446r849154_rule
+ - SRG-OS-000480-GPOS-00227
+ - CCI-000366
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-SO-000210 | PATCH | Windows Server 2022 must not allow anonymous SID/Name translation."
+ community.windows.win_security_policy:
+ section: System Access
+ key: LSAAnonymousNameLookup
+ value: 0
+ when:
+ - wn22_so_000210
+ tags:
+ - WN22-SO-000210
+ - V-254465
+ - SRG-OS-000480-GPOS-00227
+ - SV-254465r849211_rule
+ - CCI-000366
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-SO-000220 | PATCH | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ value: RestrictAnonymousSAM
+ data: 1
+ datatype: dword
+ when:
+ - wn22_so_000220
+ - ansible_windows_domain_role != "Primary domain controller"
+ tags:
+ - WN22-SO-000220
+ - V-254466
+ - SRG-OS-000480-GPOS-00227
+ - SV-254466r849214_rule
+ - CCI-000366
+ - high
+ - CAT1
+
+- name: "HIGH | WN22-SO-000310 | PATCH | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM."
+ ansible.windows.win_regedit:
+ path: HKLM:\System\CurrentControlSet\Control\Lsa
+ value: LmCompatibilityLevel
+ data: 5
+ datatype: dword
+ when:
+ - wn22_so_000310
+ tags:
+ - WN22-SO-000310
+ - V-254467
+ - SRG-OS-000480-GPOS-00227
+ - SV-254467r849217_rule
+ - CCI-000366
+ - high
+ - CAT1
From 4c649922dbfc279e6f0ae853920dcd048ad868ad Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 23 Jun 2023 14:11:20 -0400 Subject: [PATCH 14/95] update cat1-9 Signed-off-by: Frederick Witty --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index e3caa07..7e55045 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -54,8 +54,8 @@ wn22_cc_000220: true wn22_cc_000230: true wn22_cc_000430: true # WINRM CONTROL
-wn22_cc_000470: true
-wn22_cc_000500: true
+wn22_cc_000470: false
+wn22_cc_000500: false
# WINRM CONTROL END wn22_dc_000010: true wn22_dc_000070: true
From f9d6a56b53cfd98b16e6c57a29caa3db64ec9c7f Mon Sep 17 00:00:00 2001
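Review bot: WN22-SO-000020 writes `LimitBlankPasswordUse` with `datatype: string`, while every other win_regedit task in this hunk uses `datatype: dword`; the STIG check for this rule specifies a REG_DWORD value of 1 under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`, so a REG_SZ "1" is likely to be reported as a finding by scanners and may not be honored by LSA. Change that line to `datatype: dword`. Two smaller style points: WN22-CC-000230 uses a scalar `when: wn22_cc_000230` and `name:` where the neighbouring tasks use a list `when:` and `value:`, and WN22-MS-000140 uses `with_items:`; `loop:` is the current form and reads the same.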
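Review bot: The flip of `wn22_cc_000470` and `wn22_cc_000500` to `false` is explained only by the surrounding `# WINRM CONTROL` markers, which say what the controls touch but not why they are now off by default. A one-line comment above them would save the next reader a lookup, for example `# Off by default: these controls reconfigure WinRM, which is the transport this role is applied over; enable deliberately or apply out-of-band` — adjust if the actual reason is different. As they sit in the list of CAT1 controls, the README should also state that they are not enforced unless explicitly enabled.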
From: Frederick Witty Date: Fri, 23 Jun 2023 16:02:57 -0400 Subject: [PATCH 15/95] update cat2+3-1 Signed-off-by: Frederick Witty --- .ansible-lint | 1 + defaults/main.yml | 341 ++++ tasks/cat2.yml | 4594 ++++++++++++++++++++++++++++++++++++++++++ tasks/cat2_cloud.yml | 115 ++ tasks/cat3.yml | 252 +++ tasks/main.yml | 26 + 6 files changed, 5329 insertions(+) create mode 100644 tasks/cat2.yml create mode 100644 tasks/cat2_cloud.yml create mode 100644 tasks/cat3.yml diff --git a/.ansible-lint b/.ansible-lint index 39c4d62..64239e1 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -12,6 +12,7 @@ skip_list: - 'name[casing]' - 'name[template]' - 'jinja[spacing]' + - 'yaml[line-length]' - 'var-naming' # Older playbook no new release - '204' - '208' diff --git a/defaults/main.yml b/defaults/main.yml index 7e55045..9652b2c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -78,3 +78,344 @@ wn22_so_000310: true wn22_ur_000020: true wn22_ur_000060: true wn22_ur_000100: true
+
+# CAT 2 rules
+wn22_00_000020: true
+wn22_00_000040: true
+wn22_00_000050: true
+wn22_00_000060: true
+wn22_00_000070: true
+wn22_00_000080: true
+wn22_00_000090: true
+wn22_00_000120: true
+wn22_00_000140: true
+wn22_00_000150: true
+wn22_00_000160: true
+wn22_00_000170: true
+wn22_00_000190: true
+wn22_00_000200: true
+wn22_00_000210: true
+wn22_00_000220: true
+wn22_00_000230: true
+wn22_00_000240: true
+wn22_00_000250: true
+wn22_00_000260: true
+wn22_00_000270: true
+wn22_00_000280: true
+wn22_00_000290: true
+wn22_00_000300: true
+wn22_00_000310: true
+wn22_00_000320: true
+wn22_00_000330: true
+wn22_00_000340: true
+wn22_00_000350: true
+wn22_00_000360: true
+wn22_00_000370: true
+wn22_00_000380: true
+wn22_00_000390: true
+wn22_00_000400: true
+wn22_00_000410: true
+wn22_00_000420: true
+wn22_00_000430: true
+wn22_00_000450: true
+wn22_ac_000020: true
+wn22_ac_000030: wn22_ac_000020
+wn22_ac_000010: wn22_ac_000030
+wn22_ac_000040: true
+wn22_ac_000050: true
+wn22_ac_000060: true
+wn22_ac_000070: true
+wn22_ac_000080: true
+wn22_au_000010: true
+wn22_au_000020: true
+wn22_au_000030: true
+wn22_au_000040: true
+wn22_au_000050: true
+wn22_au_000060: true
+wn22_au_000070: true
+wn22_au_000080: true
+wn22_au_000090: true
+wn22_au_000100: true
+wn22_au_000110: true
+wn22_au_000120: true
+wn22_au_000130: true
+wn22_au_000140: true
+wn22_au_000150: true
+wn22_au_000160: true
+wn22_au_000170: true
+wn22_au_000180: true
+wn22_au_000190: true
+wn22_au_000200: true
+wn22_au_000210: true
+wn22_au_000220: true
+wn22_au_000230: true
+wn22_au_000240: true
+wn22_au_000250: true
+wn22_au_000260: true
+wn22_au_000270: true
+wn22_au_000280: true
+wn22_au_000290: true
+wn22_au_000300: true
+wn22_au_000310: true
+wn22_au_000320: true
+wn22_au_000330: true
+wn22_au_000340: true
+wn22_au_000350: true
+wn22_au_000360: true
+wn22_au_000370: true
+wn22_au_000380: true
+wn22_au_000390: true
+wn22_cc_000010: true
+wn22_cc_000020: true
+wn22_cc_000070: true
+wn22_cc_000080: true
+wn22_cc_000090: true
+wn22_cc_000100: true
+wn22_cc_000110: true
+wn22_cc_000130: true
+wn22_cc_000140: true
+wn22_cc_000150: true
+wn22_cc_000160: true
+wn22_cc_000170: true
+wn22_cc_000180: true
+wn22_cc_000190: true
+wn22_cc_000240: true
+wn22_cc_000250: true
+wn22_cc_000270: true
+wn22_cc_000280: true
+wn22_cc_000290: true
+wn22_cc_000300: true
+wn22_cc_000310: true
+wn22_cc_000330: true
+wn22_cc_000340: true
+wn22_cc_000350: true
+wn22_cc_000360: true
+wn22_cc_000370: true
+wn22_cc_000380: true
+wn22_cc_000390: true
+wn22_cc_000400: true
+wn22_cc_000410: true
+wn22_cc_000420: true
+wn22_cc_000440: true
+wn22_cc_000450: true
+wn22_cc_000451: true
+wn22_cc_000460: true
+# WINRM CONTROL
+wn22_cc_000480: true
+wn22_cc_000490: true
+wn22_cc_000510: true
+wn22_cc_000520: true
+# WINRM CONTROL END
+wn22_dc_000020: true
+wn22_dc_000030: true
+wn22_dc_000040: true
+wn22_dc_000050: true
+wn22_dc_000060: true
+wn22_dc_000120: true
+wn22_dc_000130: true
+wn22_dc_000140: true
+wn22_dc_000170: true
+wn22_dc_000180: true
+wn22_dc_000190: true
+wn22_dc_000200: true
+wn22_dc_000210: true
+wn22_dc_000220: true
+wn22_dc_000230: true
+wn22_dc_000240: true
+wn22_dc_000250: true
+wn22_dc_000260: true
+wn22_dc_000270: true
+wn22_dc_000280: true
+wn22_dc_000310: true
+wn22_dc_000320: true
+wn22_dc_000330: true
+wn22_dc_000340: true
+wn22_dc_000350: true
+wn22_dc_000360: true
+wn22_dc_000370: true
+wn22_dc_000380: true
+wn22_dc_000390: true
+wn22_dc_000400: true
+wn22_dc_000410: true
+wn22_dc_000420: true
+wn22_dc_000430: true
+wn22_ms_000020: true
+wn22_ms_000030: true
+wn22_ms_000040: true
+wn22_ms_000050: true
+wn22_ms_000060: true
+wn22_ms_000070: true
+wn22_ms_000080: true
+wn22_ms_000090: true
+wn22_ms_000100: true
+wn22_ms_000110: true
+wn22_ms_000120: true
+wn22_ms_000130: true
+wn22_pk_000010: true
+wn22_pk_000020: true
+wn22_pk_000030: true
+wn22_so_000010: true
+wn22_so_000030: true
+wn22_so_000040: true
+wn22_so_000050: true
+wn22_so_000060: true
+wn22_so_000070: true
+wn22_so_000080: true
+wn22_so_000090: true
+wn22_so_000100: true
+wn22_so_000110: true
+wn22_so_000120: true
+wn22_so_000130: true
+wn22_so_000150: true
+wn22_so_000160: true
+wn22_so_000170: true
+wn22_so_000180: true
+wn22_so_000190: true
+wn22_so_000200: true
+wn22_so_000240: true
+wn22_so_000260: true
+wn22_so_000270: true
+wn22_so_000280: true
+wn22_so_000290: true
+wn22_so_000320: true
+wn22_so_000330: true
+wn22_so_000340: true
+wn22_so_000350: true
+wn22_so_000360: true
+wn22_so_000380: true
+wn22_so_000390: true
+wn22_so_000400: true
+wn22_so_000410: true
+wn22_so_000420: true
+wn22_so_000430: true
+wn22_so_000440: true
+wn22_so_000450: true
+wn22_uc_000010: true
+wn22_ur_000010: true
+wn22_ur_000030: true
+wn22_ur_000040: true
+wn22_ur_000050: true
+wn22_ur_000070: true
+wn22_ur_000080: true
+wn22_ur_000090: true
+wn22_ur_000110: true
+wn22_ur_000120: true
+wn22_ur_000130: true
+wn22_ur_000140: true
+wn22_ur_000150: true
+wn22_ur_000160: true
+wn22_ur_000170: true
+wn22_ur_000180: true
+wn22_ur_000190: true
+wn22_ur_000200: true
+wn22_ur_000210: true
+wn22_ur_000220: true
+
+# CAT 3 rules
+wn22_00_000180: true
+wn22_00_000440: true
+wn22_00_000460: true
+wn22_00_000470: true
+wn22_cc_000030: true
+wn22_cc_000040: true
+wn22_cc_000050: true
+wn22_cc_000060: true
+wn22_cc_000200: true
+wn22_cc_000260: true
+wn22_cc_000320: true
+wn22_dc_000160: true
+wn22_so_000140: true
+wn22_so_000370: true
+
+# CAT 2 defaults
+
+# WN22-00-000020
+# Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days.
+# If the PasswordLastSet date is greater than wn22stig_pass_age days old, this is a finding.
+wn22stig_pass_age: 60
+
+# WN22-AC-000010
+# Windows Server 2019 account lockout duration must be configured to 15 minutes or greater.
+# Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.
+# Valid Variables are 15 or more or 0.
+wn22stig_lockoutduration: 15
+
+# WN22-AC-000020
+# Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less.
+# and may not be set to 0.
+wn22stig_lockoutbadcount: 3
+
+# WN22-AC-000030
+# Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
+# wn22stig_resetlockoutcount is the Reset account lockout counter after value in mintues.
+wn22stig_resetlockoutcount: 15
+
+# WN22-AC-000050
+# Windows Server 2019 maximum password age must be configured to 60 days or less and cannot be 0.
+# wn22stig_maximumpasswordage is the Maximum password age value in days.
+wn22stig_maximumpasswordage: 60
+
+# WN22-AC-000060
+# Windows Server 2019 minimum password age must be configured to at least one day and cannot be set to 0.
+# wn22stig_minimumpasswordage is the Minimum password age value in days.
+wn22stig_minimumpasswordage: 1
+
+# WN22-AC-000070
+# Windows Server 2019 minimum password length must be configured to 14 characters or more.
+# wn22stig_minimumpasswordlength is the Minimum password characters length value.
+wn22stig_minimumpasswordlength: 14
+
+# WN22-SO-000030
+# Windows Server 2019 built-in administrator account must be renamed.
+# wn22stig_newadministratorname is the non-default name for the Administror Account.
+wn22stig_newadministratorname: adminchangethis
+
+# WN22-SO-000040
+# Windows Server 2019 built-in guest account must be renamed.
+# wn22stig_newguestname is the non-default name for the guest Account.
+wn22stig_newguestname: guestchangethis
+
+# WN22-SO-000130
+# Windows Server 2019 required legal notice must be configured to display before console logon.
+# wn22stig_legalnoticetext is the LegalNoticeText for Win logon.
+wn22stig_legalnoticetext: |
+ You are accessing a U.S. 
Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+
+# WN22-CC-000270
+# Windows Server 2019 Application event log size must be configured to 32768 KB or greater.
+# wn22stig_app_maxsize is the EventLog Application max log size value in KB.
+wn22stig_app_maxsize: 32768
+
+# WN22-CC-000280
+# Windows Server 2019 Security event log size must be configured to 196608 KB or greater.
+# wn22stig_sec_maxsize is the EventLog Security max log size value in KB.
+wn22stig_sec_maxsize: 196608
+
+# WN22-CC-000290
+# Windows Server 2019 System event log size must be configured to 32768 KB or greater.
+# wn22stig_sys_maxsize is the EventLog System max log size value in KB.
+wn22stig_sys_maxsize: 32768
+
+# WN22-DC-000430
+# The password for the krbtgt account on a domain must be reset at least every 180 days.
+# wn22stig_krbtgt_pass_age is the PasswordLastSet value in days for the krbtgt account.
+wn22stig_krbtgt_pass_age: 180
+
+# CAT 3 defaults
+
+# WN22-SO-000140
+# Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text.
+# wn22stig_legalnoticecaption is the DoD Notice and Consent Banner text.
+wn22stig_legalnoticecaption: "DoD Notice and Consent Banner"
diff --git a/tasks/cat2.yml b/tasks/cat2.yml
new file mode 100644
index 0000000..ad57767
--- /dev/null
+++ b/tasks/cat2.yml
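Review bot: `wn22_ac_000030: wn22_ac_000020` and `wn22_ac_000010: wn22_ac_000030` are plain YAML strings, not references, so each variable holds the literal text "wn22_ac_000020" / "wn22_ac_000030" rather than a boolean; whether a `when:` on such a value behaves as intended depends on the Ansible version's handling of non-boolean conditionals, and the intent is safer written as `wn22_ac_000030: "{{ wn22_ac_000020 }}"` (or simply `true` like the other entries). The `# Windows Server 2019 ...` comments under `# CAT 2 defaults` and `# CAT 3 defaults` describe WN22 rules and look like copy-over residue; they should read Windows Server 2022 (the `mintues` and `Administror` typos can be fixed at the same time). `wn22stig_newadministratorname: adminchangethis` and `wn22stig_newguestname: guestchangethis` are placeholder names shipped in a public role, so every deployment that does not override them renames the built-in accounts to the same well-known values, which gives WN22-SO-000030/000040 little effect; a comment such as `# Override this value: the default is a placeholder, not a suitable account name` would flag it, and the tasks that consume these variables could assert they differ from the defaults.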
@@ -0,0 +1,4594 @@
+---
+
+# enumerating on DC is different than standalone
+- name: "MEDIUM | WN19-00-000020 | AUDIT | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days."
+ block:
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days."
+ ansible.windows.win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_pass_age }}))} | Select Name,PasswordLastSet"
+ # win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet"
+ changed_when: false
+ check_mode: false
+ register: wn19_00_000020_audit_dc
+ when: "'controller' in ansible_windows_domain_role"
+
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days."
+ ansible.builtin.debug:
+ msg:
+ - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn19stig_pass_age }}"
+ - "{{ wn9_00_000020_audit_dc.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000020_audit_dc is skipped
+ - wn19_00_000020_audit_dc.stdout != ""
+
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days."
+ ansible.windows.win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_pass_age }}))} | Select Name,PasswordLastSet"
+ changed_when: false
+ check_mode: false
+ register: wn19_00_000020_audit_dm_sa
+
+ - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days."
+ ansible.builtin.debug:
+ msg:
+ - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn19stig_pass_age }}"
+ - "{{ wn19_00_000020_audit_dm_sa.stdout.split('\n') }}"
+ when:
+ - wn19_00_000020_audit_dm_sa is defined
+ - wn19_00_000020_audit_dm_sa.stdout != ""
+
+ - name: Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000020'
+ when:
+ - not wn19_00_000020_audit_dc is skipped
+ - wn19_00_000020_audit_dc.stdout != "" or
+ - wn19_00_000020_audit_dm_sa is defined
+ - wn19_00_000020_audit_dm_sa.stdout != ""
+ when:
+ - wn19_00_000020
+ tags:
+ - WN19-00-000020
+ - V-205657
+ - CCI-000199
+ - SV-205657r857286_rule
+ - SRG-OS-000076-GPOS-00044
+ - NeedToTestDomainController
+ - audit
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000040 | AUDIT | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ block:
+ - name: "MEDIUM | WN19-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ ansible.windows.win_shell: Get-LocalGroupMember -Name 'Backup Operators'
+ changed_when: false
+ check_mode: false
+ register: wn19_00_000040_audit
+
+ - name: "MEDIUM | WN19-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ ansible.builtin.debug:
+ msg:
+ - The accounts listed are members of the Backup Operators group
+ - "{{ wn19_00_000040_audit.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000040_audit is skipped
+ - wn19_00_000040_audit.stdout != ""
+ changed_when: false
+
+ - name: "MEDIUM | WN19-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000040'
+ when:
+ - not wn19_00_000040_audit is skipped
+ - wn19_00_000040_audit.stdout != ""
+ when:
+ - wn19_00_000040
+ - "'controller' not in ansible_windows_domain_role"
+ tags:
+ - WN19-00-000040
+ - V-205846
+ - SRG-OS-000480-GPOS-00227
+ - SV-205846r569188_rule
+ - CCI-000366
+ - audit
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length."
+ block:
+ - name: "MEDIUM | WN19-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 manually managed application account passwords must be at least 15 characters in length."
+
+ - name: "MEDIUM | WN19-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000050'
+ when:
+ - wn19_00_000050
+ tags:
+ - WN19-00-000050
+ - V-205661
+ - SRG-OS-000078-GPOS-00046
+ - SV-205661r569188_rule
+ - CCI-000205
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
+ block:
+ - name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
+
+ - name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000060'
+ when:
+ - wn19_00_000060
+ tags:
+ - WN19-00-000060
+ - V-205847
+ - SRG-OS-000480-GPOS-00227
+ - SV-205847r857288_rule
+ - CCI-000366
+ - CAT2
+ # how to make this list?
+
+- name: "MEDIUM | WN19-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted."
+ block:
+ - name: "MEDIUM | WN19-00-000070 | Windows Server 2019 shared user accounts must not be permitted. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 shared user accounts must not be permitted."
+
+ - name: "MEDIUM | WN19-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000070'
+ when:
+ - wn19_00_000070
+ tags:
+ - WN19-00-000070
+ - V-205699
+ - SRG-OS-000104-GPOS-00051
+ - SV-205699r569188_rule
+ - CCI-000764
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+ block:
+ - name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+
+ - name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000080'
+ when:
+ - wn19_00_000080
+ tags:
+ - WN19-00-000080
+ - V-205807
+ - SRG-OS-000370-GPOS-00155
+ - SV-205807r569188_rule
+ - CCI-001774
+ - CAT2
+ # Get-AppLockerPolicy -Effective
+
+# Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.
+- name: "MEDIUM | WN19-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
+ block:
+ - name: "MEDIUM | WN19-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
+
+ - name: "MEDIUM | WN19-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000090'
+ when:
+ - wn19_00_000090
+ tags:
+ - WN19-00-000090
+ - V-205848
+ - SRG-OS-000480-GPOS-00227
+ - SV-205848r857290_rule
+ - CCI-000366
+ - CAT2
+ # wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get *
+ # if not enabled see "No Instance(s) Available." ?
+
+- name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system."
+ block:
+ - name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must have a host-based intrusion detection or prevention system."
+
+ - name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000120'
+ when:
+ - wn19_00_000120
+ tags:
+ - WN19-00-000120
+ - V-205851
+ - SRG-OS-000480-GPOS-00227
+ - SV-205851r793214_rule
+ - CCI-000366
+ - CAT2
+ # think this is mcafee but need install and figure out paths for AV vs HIDS and/or running services?
+
+- name: "MEDIUM | WN19-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
+ block:
+ - name: "MEDIUM | WN19-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
+
+ - name: "MEDIUM | WN19-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000140'
+ when:
+ - wn19_00_000140
+ tags:
+ - WN19-00-000140
+ - V-205734
+ - SRG-OS-000312-GPOS-00122
+ - SV-205734r569188_rule
+ - CCI-002165
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements."
+ block:
+ - name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 permissions for program file directories must conform to minimum requirements."
+
+ - name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000150'
+ when:
+ - wn19_00_000150
+ tags:
+ - WN19-00-000150
+ - V-205735
+ - SRG-OS-000312-GPOS-00122
+ - SV-205735r569188_rule
+ - CCI-002165
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements."
+ block:
+ - name: "MEDIUM | WN19-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements."
+
+ - name: "MEDIUM | WN19-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000160'
+ when:
+ - wn19_00_000160
+ tags:
+ - WN19-00-000160
+ - V-205736
+ - SRG-OS-000312-GPOS-00122
+ - SV-205736r569188_rule
+ - CCI-002165
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ block:
+ - name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+
+ - name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000170'
+ when:
+ - wn19_00_000170
+ tags:
+ - WN19-00-000170
+ - V-205737
+ - SRG-OS-000324-GPOS-00125
+ - SV-205737r793220_rule
+ - CCI-002235
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled."
+ block:
+ - name: "MEDIUM | WN19-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 outdated or unused accounts must be removed from the system or disabled."
+
+ - name: "MEDIUM | WN19-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000190'
+ when:
+ - wn19_00_000190
+ tags:
+ - WN19-00-000190
+ - V-205707
+ - SRG-OS-000118-GPOS-00060
+ - SV-205707r857292_rule
+ - CCI-000795
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000200 | AUDIT | Windows Server 2019 accounts must require passwords."
+ block:
+ - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords."
+ ansible.windows.win_shell: Get-Aduser -Filter "(Passwordnotrequired -eq 'True') -and (Enabled -eq 'True')" | Select Name,Passwordnotrequired,Enabled
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_00_000200_audit_dc
+ when: ansible_windows_domain_role == "Primary domain controller"
+
+ - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords."
+ ansible.builtin.debug:
+ msg:
+ - The accounts listed are do not require a password and are currently enabled
+ - "{{ wn19_00_000200_audit_dc.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000200_audit_dc is skipped
+ - wn19_00_000200_audit_dc.stdout != ""
+
+ - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords."
+ ansible.windows.win_shell: Get-LocalUser | Where-Object {($_.PasswordRequired -ne 'True' -and $_.Enabled -eq 'True')} | Select Name,PasswordRequired,Enabled
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_00_000200_audit_dm_sa
+ when: not ansible_windows_domain_role == "Primary domain controller"
+
+ - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords."
+ ansible.builtin.debug:
+ msg:
+ - The accounts listed are do not require a password and are currently enabled
+ - "{{ wn19_00_000200_audit_dm_sa.stdout.split('\n') }}"
+ when:
+ - not wn19_00_000200_audit_dm_sa is skipped
+ - wn19_00_000200_audit_dm_sa.stdout != ""
+
+ - name: Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000200'
+ when:
+ - not wn19_00_000200_audit_dc is skipped
+ - wn19_00_000200_audit_dc.stdout != "" or
+ - not wn19_00_000200_audit_dm_sa is skipped
+ - wn19_00_000200_audit_dm_sa.stdout != ""
+ when:
+ - wn19_00_000200
+ tags:
+ - WN19-00-000200
+ - V-205700
+ - SRG-OS-000104-GPOS-00051
+ - SV-205700r857294_rule
+ - CCI-000764
+ - audit
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire."
+ block:
+ - name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire."
+ ansible.windows.win_shell: |
+ Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" |
+ Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} |
+ Format-Table -Property Name,PasswordExpires,Disabled,LocalAccount
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_00_000210_audit
+
+ - name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 passwords must be configured to expire."
+
+ - name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000210'
+ when:
+ - wn19_00_000210
+ tags:
+ - WN19-00-000210
+ - V-205658
+ - SRG-OS-000076-GPOS-00044
+ - SV-205658r857297_rule
+ - CAT2
+ - CCI-000199
+
+- name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes."
+ block:
+ - name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | Message out"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 system files must be monitored for unauthorized changes."
+
+ - name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000220'
+ when:
+ - wn19_00_000220
+ tags:
+ - WN19-00-000220
+ - V-205803
+ - SRG-OS-000363-GPOS-00150
+ - SV-205803r860026_rule
+ - CCI-001744
+ - CAT2
+ # Some third party software to monitor files
+
+- name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+ block:
+ - name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+ ansible.windows.win_shell: Get-SmbShare | Where-Object -FilterScript {$_.Special -EQ $False}
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_00_000230_audit
+
+ - name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+
+ - name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000230'
+ when:
+ - wn19_00_000230
+ tags:
+ - WN19-00-000230
+ - V-205721
+ - SRG-OS-000138-GPOS-00069
+ - SV-205721r569188_rule
+ - CCI-001090
+ - CAT2
+
+# https://stackoverflow.com/questions/31049454/how-to-retrieve-recursively-any-files-with-a-specific-extensions-in-powershell/31049571
+- name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed."
+ block:
+ - name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed."
+ ansible.windows.win_find:
+ paths: c:\
+ patterns: ['*.p12', '*.pfx']
+ hidden: true
+ recurse: true
+ follow: true
+ check_mode: false
+ register: wn19_00_000240_audit
+ when: long_running
+
+ - name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must have software certificate installation files removed."
+
+ - name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000240'
+ when:
+ - wn19_00_000240
+ tags:
+ - WN19-00-000240
+ - V-205852
+ - SRG-OS-000480-GPOS-00227
+ - SV-205852r569188_rule
+ - CCI-000366
+ - CAT2
+ # do we need async; its very long running to search filesystems
+ # get an array of drive letters to search?
+
+- name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+ block:
+ - name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+
+ - name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000250'
+ when:
+ - wn19_00_000250
+ tags:
+ - WN19-00-000250
+ - V-205727
+ - SRG-OS-000185-GPOS-00079
+ - SV-205727r569188_rule
+ - CCI-001199
+ - CCI-002475
+ - CCI-002476
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+ block:
+ - name: "MEDIUM | WN19-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+
+ - name: "MEDIUM | WN19-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000260'
+ when:
+ - wn19_00_000260
+ tags:
+ - WN19-00-000260
+ - V-205829
+ - SRG-OS-000425-GPOS-00189
+ - SV-205829r790513_rule
+ - CCI-002420
+ - CCI-002422
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented."
+ block:
+ - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 bust have the roles and features required by the system documented."
+ ansible.windows.win_shell: Get-WindowsFeature | Where-Object -FilterScript {$_.Installed -EQ $True}
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_00_000270_audit
+
+ - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must have the roles and features required by the system documented."
+
+ - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000270'
+ when:
+ - wn19_00_000270
+ tags:
+ - WN19-00-000270
+ - V-205677
+ - SRG-OS-000095-GPOS-00049
+ - SV-205677r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled."
+ block:
+ - name: "MEDIUM | WN19-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must have a host-based firewall installed and enabled."
+
+ - name: "MEDIUM | WN19-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000280'
+ when:
+ - wn19_00_000280
+ tags:
+ - WN19-00-000280
+ - V-214936
+ - SRG-OS-000480-GPOS-00227
+ - SV-214936r569188_rule
+ - CCI-000366
+ - CCI-002080
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)."
+ block:
+ - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)."
+
+ - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000290'
+ when:
+ - wn19_00_000290
+ tags:
+ - WN19-00-000290
+ - V-205728
+ - SRG-OS-000191-GPOS-00080
+ - SV-205728r793217_rule
+ - CCI-001233
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours."
+ block:
+ - name: "MEDIUM | WN19-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours."
+
+ - name: "MEDIUM | WN19-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000300'
+ when:
+ - wn19_00_000300
+ tags:
+ - WN19-00-000300
+ - V-205624
+ - SRG-OS-000002-GPOS-00002
+ - SV-205624r857301_rule
+ - CCI-000016
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours."
+ block:
+ - name: "MEDIUM | WN19-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours."
+
+ - name: "MEDIUM | WN19-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000310'
+ when:
+ - wn19_00_000310
+ tags:
+ - WN19-00-000310
+ - V-205710
+ - SRG-OS-000123-GPOS-00064
+ - SV-205710r857303_rule
+ - CCI-001682
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000320 | PATCH | Windows Server 2019 must not have the Fax Server role installed."
+ ansible.windows.win_feature:
+ name: Fax
+ state: absent
+ notify: reboot_windows
+ when:
+ - wn19_00_000320
+ tags:
+ - WN19-00-000320
+ - V-205678
+ - SRG-OS-000095-GPOS-00049
+ - SV-205678r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000330 | PATCH | Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization."
+ ansible.windows.win_feature:
+ name: Web-Ftp-Server
+ state: absent
+ notify: reboot_windows
+ when:
+ - wn19_00_000330
+ tags:
+ - WN19-00-000330
+ - V-205697
+ - SRG-OS-000096-GPOS-00050
+ - SV-205697r569188_rule
+ - CCI-000382
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000340 | PATCH | Windows Server 2019 must not have the Peer Name Resolution Protocol installed."
+ ansible.windows.win_feature:
+ name: PNRP
+ state: absent
+ notify: reboot_windows
+ when:
+ - wn19_00_000340
+ tags:
+ - WN19-00-000340
+ - V-205679
+ - SRG-OS-000095-GPOS-00049
+ - SV-205679r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000350 | PATCH | Windows Server 2019 must not have Simple TCP/IP Services installed."
+ ansible.windows.win_feature:
+ name: Simple-TCPIP
+ state: absent
+ when:
+ - wn19_00_000350
+ tags:
+ - WN19-00-000350
+ - V-205680
+ - SRG-OS-000095-GPOS-00049
+ - SV-205680r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000360 | PATCH | Windows Server 2019 must not have the Telnet Client installed."
+ ansible.windows.win_feature:
+ name: Telnet-Client
+ state: absent
+ when:
+ - wn19_00_000360
+ tags:
+ - WN19-00-000360
+ - V-205698
+ - SRG-OS-000096-GPOS-00050
+ - SV-205698r569188_rule
+ - CCI-000382
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000370 | PATCH | Windows Server 2019 must not have the TFTP Client installed."
+ ansible.windows.win_feature:
+ name: TFTP-Client
+ state: absent
+ when:
+ - wn19_00_000370
+ tags:
+ - WN19-00-000370
+ - V-205681
+ - SRG-OS-000095-GPOS-00049
+ - SV-205681r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000380 | PATCH | Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed."
+ ansible.windows.win_feature:
+ name: FS-SMB1
+ state: absent
+ notify: reboot_windows
+ when:
+ - wn19_00_000380
+ tags:
+ - WN19-00-000380
+ - V-205682
+ - CAT2
+ - SRG-OS-000095-GPOS-00049
+ - SV-205682r819711_rule
+ - CCI-000381
+
+- name: "MEDIUM | WN19-00-000390 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
+ name: SMB1
+ data: 0x00000000
+ type: dword
+ notify: reboot_windows
+ when:
+ - wn19_00_000390
+ tags:
+ - WN19-00-000390
+ - V-205683
+ - SRG-OS-000095-GPOS-00049
+ - SV-205683r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000400 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10
+ name: Start
+ data: 0x00000004
+ type: dword
+ notify: reboot_windows
+ when:
+ - wn19_00_000400
+ tags:
+ - WN19-00-000400
+ - V-205684
+ - SRG-OS-000095-GPOS-00049
+ - SV-205684r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000410 | PATCH | Windows Server 2019 must not have Windows PowerShell 2.0 installed."
+ ansible.windows.win_feature:
+ name: PowerShell-V2
+ state: absent
+ when:
+ - wn19_00_000410
+ tags:
+ - WN19-00-000410
+ - V-205685
+ - SRG-OS-000095-GPOS-00049
+ - SV-205685r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons."
+ block:
+ - name: "MEDIUM | WN19-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 FTP servers must be configured to prevent anonymous logons."
+
+ - name: "MEDIUM | WN19-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000420'
+ when:
+ - wn19_00_000420
+ tags:
+ - WN19-00-000420
+ - V-205853
+ - SRG-OS-000480-GPOS-00227
+ - SV-205853r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive."
+ block:
+ - name: "MEDIUM | WN19-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 FTP servers must be configured to prevent access to the system drive."
+
+ - name: "MEDIUM | WN19-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000430'
+ when:
+ - wn19_00_000430
+ tags:
+ - WN19-00-000430
+ - V-205854
+ - SRG-OS-000480-GPOS-00227
+ - SV-205854r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights"
+ block:
+ - name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights"
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights"
+
+ - name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-00-000450'
+ when:
+ - wn19_00_000450
+ tags:
+ - WN19-00-000450
+ - V-205800
+ - SRG-OS-000480-GPOS-00227
+ - SV-205855r569188_rule
+ - CCI-000366
+ - CAT2
+ # https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-78127
+
+# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS.
+- name: "MEDIUM | WN19-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less."
+ block:
+ - name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have a invalid number of days set for wn19stig_lockoutbadcount please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - wn19stig_lockoutbadcount == 0 or
+ wn19stig_lockoutbadcount > 3
+
+ - name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AC-000020'
+ when:
+ - wn19stig_lockoutbadcount == 0 or
+ wn19stig_lockoutbadcount > 3
+
+ - name: "MEDIUM | WN19-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable."
+ community.windows.win_security_policy:
+ section: System Access
+ key: LockoutBadCount
+ value: "{{ wn19stig_lockoutbadcount }}"
+ when:
+ - wn19stig_lockoutbadcount > 0
+ - wn19stig_lockoutbadcount <= 3
+ when:
+ - wn19_ac_000020
+ - not win19stig_cloud_based_system
+ tags:
+ - WN19-AC-000020
+ - V-205629
+ - SRG-OS-000021-GPOS-00005
+ - SV-205629r569188_rule
+ - CCI-000044
+ - CAT2
+
+# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value"
+- name: "MEDIUM | WN19-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
+ block:
+ - name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have a invalid number of days set for wn19stig_resetlockoutcount please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - wn19stig_resetlockoutcount < 15
+
+ - name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AC-000030'
+ when:
+ - wn19stig_resetlockoutcount < 15
+
+ - name: "MEDIUM | WN19-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable"
+ community.windows.win_security_policy:
+ section: System Access
+ key: ResetLockoutCount
+ value: "{{ wn19stig_resetlockoutcount }}"
+ when:
+ - wn19stig_resetlockoutcount >= 15
+ when:
+ - wn19_ac_000030
+ - not win19stig_cloud_based_system
+ tags:
+ - WN19-AC-000030
+ - V-205630
+ - SRG-OS-000021-GPOS-00005
+ - SV-205630r569188_rule
+ - CCI-000044
+ - CCI-002238
+ - CAT2
+
+# below task is dependent on WN19-AC-000020 and WN19-AC-000030, maybe custom fail when known error if WN19-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value"
+- name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater."
+ block:
+ - name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have a invalid number of minutes set for wn19stig_lockoutduration please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - wn19stig_lockoutduration < 15
+ - wn19stig_lockoutduration > 0
+
+ - name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AC-000010'
+ when:
+ - wn19stig_lockoutduration < 15
+ - wn19stig_lockoutduration > 0
+
+ - name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Apply Variable."
+ community.windows.win_security_policy:
+ section: System Access
+ key: LockoutDuration
+ value: "{{ wn19stig_lockoutduration }}"
+ when:
+ - wn19stig_lockoutduration == 0 or
+ wn19stig_lockoutduration >= 15
+ when:
+ - wn19_ac_000010
+ - not win19stig_cloud_based_system
+ tags:
+ - WN19-AC-000010
+ - V-205795
+ - SRG-OS-000329-GPOS-00128
+ - SV-205795r569188_rule
+ - CCI-002238
+ - CAT2
+
+- name: "MEDIUM | WN19-AC-000040 | PATCH | Windows Server 2019 password history must be configured to 24 passwords remembered."
+ community.windows.win_security_policy:
+ section: System Access
+ key: PasswordHistorySize
+ value: 24
+ when:
+ - wn19_ac_000040
+ tags:
+ - WN19-AC-000040
+ - V-205660
+ - SRG-OS-000077-GPOS-00045
+ - SV-205660r569188_rule
+ - CCI-000200
+ - CAT2
+
+- name: "MEDIUM | WN19-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less."
+ block:
+ - name: "MEDIUM | WN19-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warning For Bad Variable."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have a invalid number of days set for wn19stig_maximumpasswordage please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - wn19stig_maximumpasswordage == 0 or
+ wn19stig_maximumpasswordage > 60
+
+ - name: "MEDIUM | WN19-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AC-000050'
+ when:
+ - wn19stig_maximumpasswordage == 0 or
+ wn19stig_maximumpasswordage > 60
+
+ - name: "MEDIUM | WN19-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less. | Apply Variable."
+ community.windows.win_security_policy:
+ section: System Access
+ key: MaximumPasswordAge
+ value: "{{ wn19stig_maximumpasswordage }}"
+ when:
+ - wn19stig_maximumpasswordage > 0
+ - wn19stig_maximumpasswordage <= 60
+ when:
+ - wn19_ac_000050
+ tags:
+ - WN19-AC-000050
+ - V-205659
+ - SRG-OS-000076-GPOS-00044
+ - SV-205659r569188_rule
+ - CCI-000199
+ - CAT2
+
+- name: "MEDIUM | WN19-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day."
+ block:
+ - name: "MEDIUM | WN19-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warning For Bad Variable."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have a invalid number of days set for wn19stig_minimumpasswordage please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - wn19stig_minimumpasswordage == 0
+
+ - name: "MEDIUM | WN19-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AC-000060'
+ when:
+ wn19stig_minimumpasswordage == 0
+
+ - name: "MEDIUM | WN19-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day. | Set Variable."
+ community.windows.win_security_policy:
+ section: System Access
+ key: MinimumPasswordAge
+ value: "{{ wn19stig_minimumpasswordage }}"
+ when:
+ wn19stig_minimumpasswordage > 0
+ when:
+ - wn19_ac_000060
+ tags:
+ - WN19-AC-000060
+ - V-205656
+ - SRG-OS-000075-GPOS-00043
+ - SV-205656r569188_rule
+ - CCI-000198
+ - CAT2
+
+- name: "MEDIUM | WN19-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters."
+ block:
+ - name: "MEDIUM | WN19-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warning For Bad Variable."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have a invalid password length for wn19stig_minimumpasswordlength please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - wn19stig_minimumpasswordlength < 14
+
+ - name: "MEDIUM | WN19-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AC-000070'
+ when:
+ - wn19stig_minimumpasswordlength < 14
+
+ - name: "MEDIUM | WN19-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters. | Apply Variable."
+ community.windows.win_security_policy:
+ section: System Access
+ key: MinimumPasswordLength
+ value: "{{ wn19stig_minimumpasswordlength }}"
+ when:
+ - wn19stig_minimumpasswordlength >= 14
+ when:
+ - wn19_ac_000070
+ tags:
+ - WN19-AC-000070
+ - V-205662
+ - SRG-OS-000078-GPOS-00046
+ - SV-205662r569188_rule
+ - CCI-000205
+ - CAT2
+
+- name: "MEDIUM | WN19-AC-000080 | PATCH | Windows Server 2019 must have the built-in Windows password complexity policy enabled."
+ community.windows.win_security_policy:
+ section: System Access
+ key: PasswordComplexity
+ value: 1
+ when:
+ - wn19_ac_000080
+ tags:
+ - WN19-AC-000080
+ - V-205652
+ - SRG-OS-000069-GPOS-00037
+ - SV-205652r569188_rule
+ - CCI-000192
+ - CCI-000193
+ - CCI-000194
+ - CCI-001619
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited."
+ block:
+ - name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 audit records must be backed up to a different system or media than the system being audited."
+
+ - name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AU-000010'
+ when:
+ - wn19_au_000010
+ tags:
+ - WN19-AU-000010
+ - V-205799
+ - SRG-OS-000342-GPOS-00133
+ - SV-205799r569188_rule
+ - CCI-001851
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly."
+ block:
+ - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly."
+
+ - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AU-000020'
+ when:
+ - wn19_au_000020
+ tags:
+ - WN19-AU-000020
+ - V-205843
+ - SRG-OS-000479-GPOS-00224
+ - SV-205843r860027_rule
+ - CCI-001851
+ - CAT2
+ # hard one, either need to standardize on say log shipping like splunk or other is set?
+
+- name: "MEDIUM | WN19-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts."
+ block:
+ - name: "MEDIUM | WN19-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts."
+
+ - name: "MEDIUM | WN19-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AU-000030'
+ when:
+ - wn19_au_000030
+ tags:
+ - WN19-AU-000030
+ - V-205640
+ - SRG-OS-000057-GPOS-00027
+ - SV-205640r569188_rule
+ - CCI-000162
+ - CCI-000163
+ - CCI-000164
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts."
+ block:
+ - name: "MEDIUM | WN19-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts."
+
+ - name: "MEDIUM | WN19-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AU-000040'
+ when:
+ - wn19_au_000040
+ tags:
+ - WN19-AU-000040
+ - V-205641
+ - SRG-OS-000057-GPOS-00027
+ - SV-205641r569188_rule
+ - CCI-000162
+ - CCI-000163
+ - CCI-000164
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts."
+ block:
+ - name: "MEDIUM | WN19-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts."
+
+ - name: "MEDIUM | WN19-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AU-000050'
+ when:
+ - wn19_au_000050
+ tags:
+ - WN19-AU-000050
+ - V-205642
+ - SRG-OS-000057-GPOS-00027
+ - SV-205642r569188_rule
+ - CCI-000162
+ - CCI-000163
+ - CCI-000164
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion."
+ block:
+ - name: "MEDIUM | WN19-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion."
+
+ - name: "MEDIUM | WN19-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-AU-000060'
+ when:
+ - wn19_au_000060
+ tags:
+ - WN19-AU-000060
+ - V-205731
+ - SRG-OS-000257-GPOS-00098
+ - SV-205731r569188_rule
+ - CCI-001494
+ - CCI-001495
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000070 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000070_audit
+
+ - name: "MEDIUM | WN19-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
+ when: "'Success' not in wn19_au_000070_audit.stdout"
+ when:
+ - wn19_au_000070
+ tags:
+ - WN19-AU-000070
+ - V-205832
+ - SRG-OS-000470-GPOS-00214
+ - SV-205832r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000080 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000080_audit
+
+ - name: "MEDIUM | WN19-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
+ when: "'Failure' not in wn19_au_000080_audit.stdout"
+ when:
+ - wn19_au_000080
+ tags:
+ - WN19-AU-000080
+ - V-205833
+ - SRG-OS-000470-GPOS-00214
+ - SV-205833r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000090 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000090_audit
+
+ - name: "MEDIUM | WN19-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
+ when: "'Success' not in wn19_au_000090_audit.stdout"
+ when:
+ - wn19_au_000090
+ tags:
+ - WN19-AU-000090
+ - V-205769
+ - SRG-OS-000327-GPOS-00127
+ - SV-205769r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000120 | AUDIT | Windows Server 2019 must be configured to audit Account Management - User Account Management failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000120_audit
+
+ - name: "MEDIUM | WN19-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
+ when: "'Failure' not in wn19_au_000120_audit.stdout"
+ when:
+ - wn19_au_000120
+ tags:
+ - WN19-AU-000120
+ - V-205627
+ - SRG-OS-000004-GPOS-00004
+ - SV-205627r569188_rule
+ - CCI-000018
+ - CCI-000172
+ - CCI-001403
+ - CCI-001404
+ - CCI-001405
+ - CCI-002130
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000130 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000130_audit
+
+ - name: "MEDIUM | WN19-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
+ when: "'Success' not in wn19_au_000130_audit.stdout"
+ when:
+ - wn19_au_000130
+ tags:
+ - WN19-AU-000130
+ - V-205839
+ - SRG-OS-000474-GPOS-00219
+ - SV-205839r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000140 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000140_audit
+
+ - name: "MEDIUM | WN19-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
+ when: "'Success' not in wn19_au_000140_audit.stdout"
+ when:
+ - wn19_au_000140
+ tags:
+ - WN19-AU-000140
+ - V-205770
+ - SRG-OS-000327-GPOS-00127
+ - SV-205770r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000150 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000150_audit
+
+ - name: "MEDIUM | WN19-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable
+ when: "'Success' not in wn19_au_000150_audit.stdout"
+ when:
+ - wn19_au_000150
+ tags:
+ - WN19-AU-000150
+ - V-205729
+ - SRG-OS-000240-GPOS-00090
+ - SV-205729r569188_rule
+ - CCI-000172
+ - CCI-001404
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000160 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000160_audit
+
+ - name: "MEDIUM | WN19-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
+ when: "'Failure' not in wn19_au_000160_audit.stdout"
+ when:
+ - wn19_au_000160
+ tags:
+ - WN19-AU-000160
+ - V-205730
+ - SRG-OS-000240-GPOS-00090
+ - SV-205730r569188_rule
+ - CCI-000172
+ - CCI-001404
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000170 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000170_audit
+
+ - name: "MEDIUM | WN19-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
+ when: "'Success' not in wn19_au_000170_audit.stdout"
+ when:
+ - wn19_au_000170
+ tags:
+ - WN19-AU-000170
+ - V-205834
+ - SRG-OS-000470-GPOS-00214
+ - SV-205834r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000180 | AUDIT | Windows Server 2019 must be configured to audit logoff successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000180_audit
+
+ - name: "MEDIUM | WN19-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
+ when: "'Success' not in wn19_au_000180_audit.stdout"
+ when:
+ - wn19_au_000180
+ tags:
+ - WN19-AU-000180
+ - V-205838
+ - SRG-OS-000472-GPOS-00217
+ - SV-205838r569188_rule
+ - CCI-000172
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000190 | PATCH | Windows Server 2019 must be configured to audit logon successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000190 | AUDIT | Windows Server 2019 must be configured to audit logon successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000190_audit
+
+ - name: "MEDIUM | WN19-AU-000190 | PATCH Windows Server 2019 must be configured to audit logon successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /success:enable
+ when: "'Success' not in wn19_au_000190_audit.stdout"
+ when:
+ - wn19_au_000190
+ tags:
+ - WN19-AU-000190
+ - V-205634
+ - SRG-OS-000032-GPOS-00013
+ - SV-205634r569188_rule
+ - CCI-000067
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures"
+ block:
+ - name: "MEDIUM | WN19-AU-000200 | AUDIT | Windows Server 2019 must be configured to audit logon failures"
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000200_audit
+
+ - name: "MEDIUM | WN19-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures"
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
+ when: "'Failure' not in wn19_au_000200_audit.stdout"
+ when:
+ - wn19_au_000200
+ tags:
+ - WN19-AU-000200
+ - V-205635
+ - SRG-OS-000032-GPOS-00013
+ - SV-205635r569188_rule
+ - CCI-000067
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000210 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000210_audit
+
+ - name: "MEDIUM | WN19-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
+ when: "'Success' not in wn19_au_000210_audit.stdout"
+ when:
+ - wn19_au_000210
+ tags:
+ - WN19-AU-000210
+ - V-205835
+ - SRG-OS-000470-GPOS-00214
+ - SV-205835r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000220 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes."
+ community.windows.win_audit_policy_system:
+ subcategory: Other Object Access Events
+ audit_type: success, failure
+ when:
+ - wn19_au_000220
+ tags:
+ - WN19-AU-000220
+ - V-205836
+ - SRG-OS-000470-GPOS-00214
+ - SV-205836r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000230 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures."
+ community.windows.win_audit_policy_system:
+ subcategory: Other Object Access Events
+ audit_type: success, failure
+ when:
+ - wn19_au_000230
+ tags:
+ - WN19-AU-000230
+ - V-205837
+ - SRG-OS-000470-GPOS-00214
+ - SV-205837r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000240 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000240_audit
+
+ - name: "MEDIUM | WN19-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
+ when: "'Success' not in wn19_au_000240_audit.stdout"
+ when:
+ - wn19_au_000240
+ tags:
+ - WN19-AU-000240
+ - V-205840
+ - SRG-OS-000474-GPOS-00219
+ - SV-205840r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000250 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000250_audit
+
+ - name: "MEDIUM | WN19-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable
+ when: "'Failure' not in wn19_au_000250_audit.stdout"
+ when:
+ - wn19_au_000250
+ tags:
+ - WN19-AU-000250
+ - V-205841
+ - SRG-OS-000474-GPOS-00219
+ - SV-205841r569188_rule
+ - CCI-000172
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000260 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000260_audit
+
+ - name: "MEDIUM | WN19-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
+ when: "'Success' not in wn19_au_000260_audit.stdout"
+ when:
+ - wn19_au_000260
+ tags:
+ - WN19-AU-000260
+ - V-205771
+ - SRG-OS-000327-GPOS-00127
+ - SV-205771r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000270 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000270_audit
+
+ - name: "MEDIUM | WN19-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /failure:enable
+ when: "'Failure' not in wn19_au_000270_audit.stdout"
+ when:
+ - wn19_au_000270
+ tags:
+ - WN19-AU-000270
+ - V-205772
+ - SRG-OS-000327-GPOS-00127
+ - SV-205772r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000280 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000280_audit
+
+ - name: "MEDIUM | WN19-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
+ when: "'Success' not in wn19_au_000280_audit.stdout"
+ when:
+ - wn19_au_000280
+ tags:
+ - WN19-AU-000280
+ - V-205773
+ - SRG-OS-000327-GPOS-00127
+ - SV-205773r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000290 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000290_audit
+
+ - name: "MEDIUM | WN19-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
+ when: "'Success' not in wn19_au_000290_audit.stdout"
+ when:
+ - wn19_au_000290
+ tags:
+ - WN19-AU-000290
+ - V-205774
+ - SRG-OS-000327-GPOS-00127
+ - SV-205774r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000300 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000300_audit
+
+ - name: "MEDIUM | WN19-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
+ when: "'Success' not in wn19_au_000300_audit.stdout"
+ when:
+ - wn19_au_000300
+ tags:
+ - WN19-AU-000300
+ - V-205775
+ - SRG-OS-000327-GPOS-00127
+ - SV-205775r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000310 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000310_audit
+
+ - name: "MEDIUM | WN19-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
+ when: "'Failure' not in wn19_au_000310_audit.stdout"
+ when:
+ - wn19_au_000310
+ tags:
+ - WN19-AU-000310
+ - V-205776
+ - SRG-OS-000327-GPOS-00127
+ - SV-205776r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000320 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000320_audit
+
+ - name: "MEDIUM | WN19-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
+ when: "'Success' not in wn19_au_000320_audit.stdout"
+ when:
+ - wn19_au_000320
+ tags:
+ - WN19-AU-000320
+ - V-205777
+ - SRG-OS-000327-GPOS-00127
+ - SV-205777r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000330 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000330_audit
+
+ - name: "MEDIUM | WN19-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
+ when: "'Success' not in wn19_au_000330_audit.stdout"
+ when:
+ - wn19_au_000330
+ tags:
+ - WN19-AU-000330
+ - V-205778
+ - SRG-OS-000327-GPOS-00127
+ - SV-205778r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000340 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000340_audit
+
+ - name: "MEDIUM | WN19-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
+ when: "'Success' not in wn19_au_000340_audit.stdout"
+ when:
+ - wn19_au_000340
+ tags:
+ - WN19-AU-000340
+ - V-205779
+ - SRG-OS-000327-GPOS-00127
+ - SV-205779r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000350 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000350_audit
+
+ - name: "MEDIUM | WN19-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
+ when: "'Failure' not in wn19_au_000350_audit.stdout"
+ when:
+ - wn19_au_000350
+ tags:
+ - WN19-AU-000350
+ - V-205780
+ - SRG-OS-000327-GPOS-00127
+ - SV-205780r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000360 | AUDIT | Windows Server 2019 must be configured to audit System - Security State Change successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000360_audit
+
+ - name: "MEDIUM | WN19-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
+ when: "'Success' not in wn19_au_000360_audit.stdout"
+ when:
+ - wn19_au_000360
+ tags:
+ - WN19-AU-000360
+ - V-205781
+ - SRG-OS-000327-GPOS-00127
+ - SV-205781r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000370 | PATCH | Windows Server 2019 must be configured to audit System - Security System Extension successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000370 | AUDIT | Must be configured to audit System - Security System Extension successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000370_audit
+
+ - name: "MEDIUM | WN19-AU-000370 | PATCH | Must be configured to audit System - Security System Extension successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
+ when: "'Success' not in wn19_au_000370_audit.stdout"
+ when:
+ - wn19_au_000370
+ tags:
+ - WN19-AU-000370
+ - V-205782
+ - SRG-OS-000327-GPOS-00127
+ - SV-205782r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes."
+ block:
+ - name: "MEDIUM | WN19-AU-000380 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000380_audit
+
+ - name: "MEDIUM | WN19-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
+ when: "'Success' not in wn19_au_000380_audit.stdout"
+ when:
+ - wn19_au_000380
+ tags:
+ - WN19-AU-000380
+ - V-205783
+ - SRG-OS-000327-GPOS-00127
+ - SV-205783r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures."
+ block:
+ - name: "MEDIUM | WN19-AU-000390 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_au_000390_audit
+
+ - name: "MEDIUM | WN19-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
+ when: "'Failure' not in wn19_au_000390_audit.stdout"
+ when:
+ - wn19_au_000390
+ tags:
+ - WN19-AU-000390
+ - V-205784
+ - SRG-OS-000327-GPOS-00127
+ - SV-205784r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+# some versions may be core/no gui, may need a prelim to detect?
+- name: "MEDIUM | WN19-CC-000010 | PATCH | Windows Server 2019 must prevent the display of slide shows on the lock screen."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization
+ value: NoLockScreenSlideshow
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000010
+ tags:
+ - WN19-CC-000010
+ - V-205686
+ - SRG-OS-000095-GPOS-00049
+ - SV-205686r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000020 | PATCH | Windows Server 2019 must have WDigest Authentication disabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
+ value: UseLogonCredential
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000020
+ tags:
+ - WN19-CC-000020
+ - V-205687
+ - SRG-OS-000095-GPOS-00049
+ - SV-205687r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000070 | PATCH | Windows Server 2019 insecure logons to an SMB server must be disabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation
+ value: AllowInsecureGuestAuth
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000070
+ tags:
+ - WN19-CC-000070
+ - V-205861
+ - SRG-OS-000480-GPOS-00227
+ - SV-205861r569188_rule
+ - CCI-000366
+ - CAT2
+
+# verify if this applies to DC or only MS?
+- name: "MEDIUM | WN19-CC-000080 | PATCH | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
+ value: "{{ item }}"
+ data: RequireMutualAuthentication=1, RequireIntegrity=1
+ datatype: string
+ with_items:
+ - \\*\SYSVOL
+ - \\*\NETLOGON
+ when:
+ - wn19_cc_000080
+ - ansible_windows_domain_member
+ tags:
+ - WN19-CC-000080
+ - V-205862
+ - SRG-OS-000480-GPOS-00227
+ - 205862r857311_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000090 | PATCH | Windows Server 2019 command line data must be included in process creation events."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+ value: ProcessCreationIncludeCmdLine_Enabled
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000090
+ tags:
+ - WN19-CC-000090
+ - V-205638
+ - SRG-OS-000042-GPOS-00020
+ - SV-205638r569188_rule
+ - CCI-000135
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000100 | PATCH | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
+ value: AllowProtectedCreds
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000100
+ tags:
+ - WN19-CC-000100
+ - V-205863
+ - SRG-OS-000480-GPOS-00227
+ - SV-205863r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+ block:
+ - name: "MEDIUM | WN19-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection."
+
+ - name: "MEDIUM | WN19-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-CC-000110'
+ when:
+ - wn19_cc_000110
+ - ansible_windows_domain_member
+ tags:
+ - WN19-CC-000110
+ - V-205864
+ - SRG-OS-000480-GPOS-00227
+ - SV-205864r857313_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000130 | PATCH | Windows Server 2019 early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch
+ value: DriverLoadPolicy
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000130
+ tags:
+ - WN19-CC-000130
+ - V-205865
+ - SRG-OS-000480-GPOS-00227
+ - SV-205865r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000140 | PATCH | Windows Server 2019 group policy objects must be reprocessed even if they have not changed."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}
+ value: NoGPOListChanges
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000140
+ tags:
+ - WN19-CC-000140
+ - V-205866
+ - SRG-OS-000480-GPOS-00227
+ - SV-205866r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000150 | PATCH | Windows Server 2019 downloading print driver packages over HTTP must be turned off."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
+ value: DisableWebPnPDownload
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000150
+ tags:
+ - WN19-CC-000150
+ - V-205688
+ - SRG-OS-000095-GPOS-00049
+ - SV-205688r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000160 | PATCH | Windows Server 2019 printing over HTTP must be turned off."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
+ value: DisableHTTPPrinting
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000160
+ tags:
+ - WN19-CC-000160
+ - V-205689
+ - SRG-OS-000095-GPOS-00049
+ - SV-205689r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000170 | PATCH | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ value: DontDisplayNetworkSelectionUI
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000170
+ tags:
+ - WN19-CC-000170
+ - V-205690
+ - SRG-OS-000095-GPOS-00049
+ - SV-205690r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000180 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery)."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ value: DCSettingIndex
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000180
+ tags:
+ - WN19-CC-000180
+ - V-205867
+ - SRG-OS-000480-GPOS-00227
+ - SV-205867r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000190 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in)."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ value: ACSettingIndex
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000190
+ tags:
+ - WN19-CC-000190
+ - V-205868
+ - SRG-OS-000480-GPOS-00227
+ - SV-205868r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000240 | PATCH | Windows Server 2019 administrator accounts must not be enumerated during elevation."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI
+ value: EnumerateAdministrators
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000240
+ tags:
+ - WN19-CC-000240
+ - V-205714
+ - SRG-OS-000134-GPOS-00068
+ - SV-205714r569188_rule
+ - CCI-001084
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000250 | PATCH | Windows Server 2019 Telemetry must be configured to Security or Basic."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
+ value: AllowTelemetry
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000250
+ tags:
+ - WN19-CC-000250
+ - V-205869
+ - SRG-OS-000480-GPOS-00227
+ - SV-205869r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater."
+ block:
+ - name: "MEDIUM | WN19-CC-000270 | AUDIT | Windows Server 2019 Application event log size must be configured to 32768 KB or greater."
+ ansible.windows.win_reg_stat:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
+ name: MaxSize
+ register: wn19_cc_000270_audit
+
+ - name: "MEDIUM | WN19-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application
+ value: MaxSize
+ data: "{{ wn19stig_app_maxsize }}"
+ datatype: dword
+ when:
+ - wn19_cc_000270_audit is defined
+ - not wn19_cc_000270_audit.exists or
+ wn19_cc_000270_audit.value < 32768
+ when:
+ - wn19_cc_000270
+ tags:
+ - WN19-CC-000270
+ - V-205796
+ - SRG-OS-000341-GPOS-00132
+ - SV-205796r569188_rule
+ - CCI-001849
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater."
+ block:
+ - name: "MEDIUM | WN19-CC-000280 | AUDIT | Windows Server 2019 Security event log size must be configured to 196608 KB or greater."
+ ansible.windows.win_reg_stat:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
+ name: MaxSize
+ register: wn19_cc_000280_audit
+
+ - name: "MEDIUM | WN19-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
+ value: MaxSize
+ data: "{{ wn19stig_sec_maxsize }}"
+ datatype: dword
+ when:
+ - wn19_cc_000280_audit is defined
+ - not wn19_cc_000280_audit.exists or
+ wn19_cc_000280_audit.value < 196608
+ when:
+ - wn19_cc_000280
+ tags:
+ - WN19-CC-000280
+ - V-205797
+ - SRG-OS-000341-GPOS-00132
+ - SV-205797r569188_rule
+ - CCI-001849
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
+ block:
+ - name: "MEDIUM | WN19-CC-000290 | AUDIT | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
+ ansible.windows.win_reg_stat:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
+ name: MaxSize
+ register: wn19_cc_000290_audit
+
+ - name: "MEDIUM | WN19-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
+ value: MaxSize
+ data: "{{ wn19stig_sys_maxsize }}"
+ datatype: dword
+ when:
+ - wn19_cc_000290_audit is defined
+ - not wn19_cc_000290_audit.exists or
+ wn19_cc_000290_audit.value < 32768
+ when:
+ - wn19_cc_000290
+ tags:
+ - WN19-CC-000290
+ - V-93181
+ - SRG-OS-000341-GPOS-00132
+ - SV-103269r1
+ - CCI-001849
+
+- name: "MEDIUM | WN19-CC-000300 | PATCH | Windows Server 2019 Windows Defender SmartScreen must be enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ value: EnableSmartScreen
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000300
+ tags:
+ - WN19-CC-000300
+ - V-205798
+ - SRG-OS-000095-GPOS-00049
+ - SV-205798r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000310 | PATCH | Windows Server 2019 Explorer Data Execution Prevention must be enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
+ value: NoDataExecutionPrevention
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000310
+ tags:
+ - WN19-CC-000310
+ - V-205830
+ - SRG-OS-000433-GPOS-00192
+ - SV-205830r569188_rule
+ - CCI-002824
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000330 | PATCH | Windows Server 2019 File Explorer shell protocol must run in protected mode."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
+ value: PreXPSP2ShellProtocolBehavior
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000330
+ tags:
+ - WN19-CC-000330
+ - V-205872
+ - SRG-OS-000480-GPOS-00227
+ - SV-205872r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000340 | PATCH | Windows Server 2019 must not save passwords in the Remote Desktop Client."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ value: DisablePasswordSaving
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000340
+ tags:
+ - WN19-CC-000340
+ - V-205808
+ - SRG-OS-000373-GPOS-00157
+ - SV-205808r569188_rule
+ - CCI-002038
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000350 | PATCH | Windows Server 2019 Remote Desktop Services must prevent drive redirection."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ value: fDisableCdm
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000350
+ tags:
+ - WN19-CC-000350
+ - V-205722
+ - SRG-OS-000138-GPOS-00069
+ - SV-205722r569188_rule
+ - CCI-001090
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000360 | PATCH | Windows Server 2019 remote Desktop Services must always prompt a client for passwords upon connection."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ value: fPromptForPassword
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000360
+ tags:
+ - WN19-CC-000360
+ - V-205809
+ - SRG-OS-000373-GPOS-00157
+ - SV-205809r569188_rule
+ - CCI-002038
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000370 | PATCH | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ value: fEncryptRPCTraffic
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000370
+ tags:
+ - WN19-CC-000370
+ - V-92971
+ - SRG-OS-000033-GPOS-00014
+ - SV-103059r1
+ - CCI-000068
+ - CCI-001453
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000380 | PATCH | Windows Server 2019 remote Desktop Services must be configured with the client connection encryption set to High Level."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
+ value: MinEncryptionLevel
+ data: 3
+ datatype: dword
+ when:
+ - wn19_cc_000380
+ tags:
+ - WN19-CC-000380
+ - V-205636
+ - SRG-OS-000033-GPOS-00014
+ - SRG-OS-000250-GPOS-00093
+ - SV-205636r569188_rule
+ - CCI-000068
+ - CCI-001453
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000390 | PATCH | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
+ value: DisableEnclosureDownload
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000390
+ tags:
+ - WN19-CC-000390
+ - V-205873
+ - SRG-OS-000480-GPOS-00227
+ - SV-205873r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000400 | PATCH | Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
+ value: AllowBasicAuthInClear
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000400
+ tags:
+ - WN19-CC-000400
+ - V-205693
+ - SRG-OS-000095-GPOS-00049
+ - SV-205693r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000410 | PATCH | Windows Server 2019 must prevent Indexing of encrypted files."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
+ value: AllowIndexingEncryptedStoresOrItems
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000410
+ tags:
+ - WN19-CC-000410
+ - V-205694
+ - SRG-OS-000095-GPOS-00049
+ - SV-205694r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000420 | PATCH | Windows Server 2019 must prevent users from changing installation options."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
+ value: EnableUserControl
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000420
+ tags:
+ - WN19-CC-000420
+ - V-205801
+ - SRG-OS-000362-GPOS-00149
+ - SV-205801r569188_rule
+ - CCI-001812
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000440 | PATCH | Windows Server 2019 users must be notified if a web-based program attempts to install software."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
+ value: SafeForScripting
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000440
+ tags:
+ - WN19-CC-000440
+ - V-205874
+ - SRG-OS-000480-GPOS-00227
+ - SV-205874r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000450 | PATCH | Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: DisableAutomaticRestartSignOn
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000450
+ tags:
+ - WN19-CC-000450
+ - V-205925
+ - SRG-OS-000480-GPOS-00229
+ - SV-205925r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000451 | PATCH | The Windows Explorer Preview pane must be disabled for Windows Server 2019."
+ ansible.windows.win_regedit:
+ path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
+ value: NoPreviewPane
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000451
+ tags:
+ - WN19-CC-000451
+ - V-236001
+ - SRG-OS-000095-GPOS-00049
+ - SV-236001r641821_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000460 | PATCH | Windows Server 2019 PowerShell script block logging must be enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
+ value: EnableScriptBlockLogging
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000460
+ tags:
+ - WN19-CC-000460
+ - V-205639
+ - SRG-OS-000042-GPOS-00020
+ - SV-205639r569188_rule
+ - CCI-000135
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000480 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
+ value: AllowUnencryptedTraffic
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000480
+ - not win2019stig_skip_for_test
+ tags:
+ - WN19-CC-000480
+ - V-205816
+ - SRG-OS-000393-GPOS-00173
+ - SV-205816r569188_rule
+ - CCI-002890
+ - CCI-003123
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000490 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
+ value: AllowDigest
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000490
+ tags:
+ - WN19-CC-000490
+ - V-205712
+ - SRG-OS-000125-GPOS-00065
+ - SV-205712r569188_rule
+ - CCI-000877
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000510 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
+ value: AllowUnencryptedTraffic
+ data: 0
+ datatype: dword
+ when:
+ - wn19_cc_000510
+ - not win2019stig_skip_for_test
+ tags:
+ - WN19-CC-000510
+ - V-205817
+ - SRG-OS-000393-GPOS-00173
+ - SV-205817r569188_rule
+ - CCI-002890
+ - CCI-003123
+ - CAT2
+
+- name: "MEDIUM | WN19-CC-000520 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
+ value: DisableRunAs
+ data: 1
+ datatype: dword
+ when:
+ - wn19_cc_000520
+ - not win2019stig_skip_for_test
+ tags:
+ - WN19-CC-000520
+ - V-205810
+ - SRG-OS-000373-GPOS-00157
+ - SV-205810r569188_rule
+ - CCI-002038
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced."
+ block:
+ - name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos user logon restrictions must be enforced."
+
+ - name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000020'
+ when:
+ - wn19_dc_000020
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000020
+ - V-205702
+ - SRG-OS-000112-GPOS-00057
+ - SV-205702r569188_rule
+ - CCI-001941
+ - CCI-001942
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+
+ - name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000030'
+ when:
+ - wn19_dc_000030
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000030
+ - V-205703
+ - SRG-OS-000112-GPOS-00057
+ - SV-205703r569188_rule
+ - CCI-001941
+ - CCI-001942
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
+
+ - name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000040'
+ when:
+ - wn19_dc_000040
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000040
+ - V-205704
+ - SRG-OS-000112-GPOS-00057
+ - SV-205704r569188_rule
+ - CCI-001941
+ - CCI-001942
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+
+ - name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000050'
+ when:
+ - wn19_dc_000050
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000050
+ - V-205705
+ - SRG-OS-000112-GPOS-00057
+ - SV-205705r569188_rule
+ - CCI-001941
+ - CCI-001942
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
+ block:
+ - name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
+
+ - name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000060'
+ when:
+ - wn19_dc_000060
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000060
+ - V-205706
+ - SRG-OS-000112-GPOS-00057
+ - SV-205706r569188_rule
+ - CCI-001941
+ - CCI-001942
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+ block:
+ - name: "MEDIUM | WN19-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+
+ - name: "MEDIUM | WN19-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000120'
+ when:
+ - wn19_dc_000120
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000120
+ - V-205723
+ - SRG-OS-000138-GPOS-00069
+ - SV-205723r569188_rule
+ - CCI-001090
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+ block:
+ - name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+
+ - name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000130'
+ when:
+ - wn19_dc_000130
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000130
+ - V-205695
+ - SRG-OS-000095-GPOS-00049
+ - SV-205695r569188_rule
+ - CCI-000381
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ block:
+ - name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+
+ - name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000140'
+ when:
+ - wn19_dc_000140
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000140
+ - V-205818
+ - SRG-OS-000396-GPOS-00176
+ - SV-205818r569188_rule
+ - CCI-002450
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+
+ - name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000170'
+ when:
+ - wn19_dc_000170
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000170
+ - V-205785
+ - SRG-OS-000327-GPOS-00127
+ - SV-205785r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+
+ - name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000180'
+ when:
+ - wn19_dc_000180
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000180
+ - V-205786
+ - SRG-OS-000327-GPOS-00127
+ - SV-205786r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+
+ - name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000190'
+ when:
+ - wn19_dc_000190
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000190
+ - V-205787
+ - SRG-OS-000327-GPOS-00127
+ - SV-205787r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+
+ - name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000200'
+ when:
+ - wn19_dc_000200
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000200
+ - V-205788
+ - SRG-OS-000327-GPOS-00127
+ - SV-205788r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings."
+
+ - name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000210'
+ when:
+ - wn19_dc_000210
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000210
+ - V-205789
+ - SRG-OS-000327-GPOS-00127
+ - WN19-DC-000210
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings."
+ block:
+ - name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings."
+
+ - name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000220'
+ when:
+ - wn19_dc_000220
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000220
+ - V-205790
+ - SRG-OS-000327-GPOS-00127
+ - SV-205790r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes."
+ block:
+ - name: "MEDIUM | WN19-DC-000230 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_dc_000230_audit
+
+ - name: "MEDIUM | WN19-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
+ when: "'Success' not in wn19_dc_000230_audit.stdout"
+ when:
+ - wn19_dc_000230
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000230
+ - V-205628
+ - SRG-OS-000004-GPOS-00004
+ - SRG-OS-000239-GPOS-00089
+ - SRG-OS-000240-GPOS-00090
+ - SRG-OS-000241-GPOS-00091
+ - SRG-OS-000303-GPOS-00120
+ - SRG-OS-000476-GPOS-00221
+ - SV-205628r569188_rule
+ - CCI-000018
+ - CCI-000172
+ - CCI-001403
+ - CCI-001404
+ - CCI-001405
+ - CCI-002130
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes."
+ block:
+ - name: "MEDIUM | WN19-DC-000240 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_dc_000240_audit
+
+ - name: "MEDIUM | WN19-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
+ when: "'Success' not in wn19_dc_000240_audit.stdout"
+ when:
+ - wn19_dc_000240
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000240
+ - V-205791
+ - SRG-OS-000327-GPOS-00127
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000468-GPOS-00212
+ - SV-205791r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures."
+ block:
+ - name: "MEDIUM | WN19-DC-000250 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_dc_000250_audit
+
+ - name: "MEDIUM | WN19-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable
+ when: "'Failure' not in wn19_dc_000250_audit.stdout"
+ when:
+ - wn19_dc_000250
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000250
+ - V-205792
+ - SRG-OS-000327-GPOS-00127
+ - SV-205792r569188_rule
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000468-GPOS-00212
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes."
+ block:
+ - name: "MEDIUM | WN19-DC-000260 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_dc_000260_audit
+
+ - name: "MEDIUM | WN19-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
+ when: "'Success' not in wn19_dc_000260_audit.stdout"
+ when:
+ - wn19_dc_000260
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000260
+ - V-205793
+ - SRG-OS-000327-GPOS-00127
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000468-GPOS-00212
+ - SV-205793r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures."
+ block:
+ - name: "MEDIUM | WN19-DC-000270 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures."
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_dc_000270_audit
+
+ - name: "MEDIUM | WN19-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures."
+ ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /failure:enable
+ when: "'Failure' not in wn19_dc_000270_audit.stdout"
+ when:
+ - wn19_dc_000270
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000270
+ - V-205794
+ - SRG-OS-000327-GPOS-00127
+ - SRG-OS-000458-GPOS-00203
+ - SRG-OS-000463-GPOS-00207
+ - SRG-OS-000468-GPOS-00212
+ - SV-205794r569188_rule
+ - CCI-000172
+ - CCI-002234
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate."
+ block:
+ - name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 domain controllers must have a PKI server certificate."
+
+ - name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000280'
+ when:
+ - wn19_dc_000280
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000280
+ - V-205645
+ - SRG-OS-000066-GPOS-00034
+ - SV-205645r569188_rule
+ - CCI-000185
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+ block:
+ - name: "MEDIUM | WN19-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+
+ - name: "MEDIUM | WN19-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000310'
+ when:
+ - wn19_dc_000310
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000310
+ - V-205701
+ - SRG-OS-000105-GPOS-00052
+ - SRG-OS-000106-GPOS-00053
+ - SRG-OS-000107-GPOS-00054
+ - SRG-OS-000108-GPOS-00055
+ - SRG-OS-000375-GPOS-00160
+ - SV-205701r569188_rule
+ - CCI-000765
+ - CCI-000766
+ - CCI-000767
+ - CCI-000768
+ - CCI-001948
+ - CAT2
+
+- name: "MEDIUM | WN19-DC-000320 | PATCH | Windows Server 2019 domain controllers must require LDAP access signing."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+ value: LDAPServerIntegrity
+ data: 2
+ datatype: dword
+ when:
+ - wn19_dc_000320
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000320
+ - V-205820
+ - SRG-OS-000423-GPOS-00187
+ - SRG-OS-000424-GPOS-00188
+ - SV-205820r569188_rule
+ - CCI-002418
+ - CCI-002421
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000330 | PATCH | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+ value: RefusePasswordChange
+ data: 0
+ datatype: dword
+ when:
+ - wn19_dc_000330
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000330
+ - V-205876
+ - SRG-OS-000480-GPOS-00227
+ - SV-205876r569188_rule
+ - CCI-000366
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000340 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers."
+ ansible.windows.win_user_right:
+ name: SeNetworkLogonRight
+ users:
+ - Administrators
+ - Authenticated Users
+ - Enterprise Domain Controllers
+ action: set
+ when:
+ - wn19_dc_000340
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000340
+ - V-205665
+ - SRG-OS-000080-GPOS-00048
+ - SV-205665r569188_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000350 | PATCH | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers."
+ ansible.windows.win_user_right:
+ name: SeMachineAccountPrivilege
+ users: Administrators
+ action: set
+ when:
+ - wn19_dc_000350
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000350
+ - V-205744
+ - SRG-OS-000324-GPOS-00125
+ - SV-205744r569188_rule
+ - CCI-002235
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000360 | PATCH | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers."
+ ansible.windows.win_user_right:
+ name: SeRemoteInteractiveLogonRight
+ users: Administrators
+ action: set
+ when:
+ - wn19_dc_000360
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000360
+ - V-205666
+ - SRG-OS-000080-GPOS-00048
+ - SV-205666r569188_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000370 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access."
+ ansible.windows.win_user_right:
+ name: SeDenyNetworkLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000370
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000370
+ - V-205667
+ - SRG-OS-000080-GPOS-00048
+ - SV-205667r569188_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000380 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access."
+ ansible.windows.win_user_right:
+ name: SeDenyBatchLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000380
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000380
+ - V-205668
+ - SRG-OS-000080-GPOS-00048
+ - SV-205668r569188_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000390 | PATCH | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers."
+ community.windows.win_security_policy:
+ section: Privilege Rights
+ key: SeDenyServiceLogonRight
+ value: ""
+ when:
+ - wn19_dc_000390
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000390
+ - V-205669
+ - SRG-OS-000080-GPOS-00048
+ - SV-205669r569188_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000400 | PATCH | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access."
+ ansible.windows.win_user_right:
+ name: SeDenyInteractiveLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000400
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000400
+ - V-205670
+ - SRG-OS-000080-GPOS-00048
+ - SV-205670r569188_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000410 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access."
+ ansible.windows.win_user_right:
+ name: SeDenyRemoteInteractiveLogonRight
+ users: Guests
+ action: set
+ when:
+ - wn19_dc_000410
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000410
+ - V-205732
+ - SRG-OS-000297-GPOS-00115
+ - SV-205732r569188_rule
+ - CCI-002314
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000420 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers."
+ ansible.windows.win_user_right:
+ name: SeEnableDelegationPrivilege
+ users: Administrators
+ action: set
+ when:
+ - wn19_dc_000420
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-DC-000420
+ - V-205745
+ - SRG-OS-000324-GPOS-00125
+ - SV-205745r569188_rule
+ - CCI-002235
+ - CAT2
+ - NeedToTestDomainController
+
+- name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days."
+ block:
+ - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days."
+ ansible.windows.win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet"
+ changed_when: false
+ failed_when: false
+ check_mode: false
+ register: wn19_dc_000430_audit
+
+ - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. The password for the krbtgt account on a domain must be reset at least every 180 days."
+
+ - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-DC-000430'
+ when:
+ - wn19_dc_000430
+ - ansible_windows_domain_role == "Primary domain controller"
+ - win2019stig_complexity_high
+ tags:
+ - WN19-DC-000430
+ - V-205877
+ - SRG-OS-000480-GPOS-00227
+ - SV-205877r857315_rule
+ - CCI-000366
+ - NeedToTestDomainController
+ - CAT2
+
+- name: "MEDIUM | WN19-MS-000020 | PATCH | Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: LocalAccountTokenFilterPolicy
+ data: 0
+ datatype: dword
+ when:
+ - wn19_ms_000020
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-MS-000020
+ - V-205715
+ - SRG-OS-000134-GPOS-00068
+ - SV-205715r857320_rule
+ - CCI-001084
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-MS-000030 | PATCH | Windows Server 2019 local users on domain-joined member servers must not be enumerated."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ value: EnumerateLocalUsers
+ data: 0
+ datatype: dword
+ when:
+ - wn19_ms_000030
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-MS-000030
+ - V-205696
+ - SRG-OS-000095-GPOS-00049
+ - SV-205696r857322_rule
+ - CCI-000381
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-MS-000040 | PATCH | Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
+ value: RestrictRemoteClients
+ data: 1
+ datatype: dword
+ when:
+ - wn19_ms_000040
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-MS-000040
+ - V-205814
+ - SRG-OS-000379-GPOS-00164
+ - SV-205814r860031_rule
+ - CCI-001967
+ - CAT2
+
+- name: "MEDIUM | WN19-MS-000050 | PATCH | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+ value: CachedLogonsCount
+ data: 4
+ datatype: dword
+ when:
+ - wn19_ms_000050
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-MS-000050
+ - V-205906
+ - SRG-OS-000480-GPOS-00227
+ - SV-205906r857326_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-MS-000060 | PATCH | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ value: RestrictRemoteSAM
+ data: O:BAG:BAD:(A;;RC;;;BA)
+ datatype: string
+ when:
+ - wn19_ms_000060
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-MS-000060
+ - V-205747
+ - SRG-OS-000324-GPOS-00125
+ - SV-205747r860032_rule
+ - CCI-002235
+ - CAT2
+
+- name: "MEDIUM | WN19-MS-000070 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems."
+ ansible.windows.win_user_right:
+ name: SeNetworkLogonRight
+ users:
+ - Administrators
+ - Authenticated Users
+ action: set
+ when:
+ - wn19_ms_000070
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-MS-000070
+ - V-205671
+ - SRG-OS-000080-GPOS-00048
+ - SV-205671r857331_rule
+ - CCI-000213
+ - CAT2
+
+- name: "MEDIUM | WN19-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
+ block:
+ - name: "MEDIUM | WN19-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyNetworkLogonRight
+ users:
+ - Guests
+ - Enterprise Admins
+ - Domain Admins
+ - Local account
+ - Local account and member of Administrators group
+ action: set
+ when: ansible_windows_domain_role == "Member server"
+
+ - name: "MEDIUM | WN19-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyNetworkLogonRight
+ users: Guests
+ action: set
+ when: not ansible_windows_domain_member
+ when:
+ - wn19_ms_000080
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - WN19-MS-000080
+ - V-205672
+ - SRG-OS-000080-GPOS-00048
+ - SV-205672r857333_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-MS-000090 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+ block:
+ - name: "MEDIUM | WN19-MS-000090 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyBatchLogonRight
+ users:
+ - Enterprise Admins
+ - Domain Admins
+ - Guests
+ action: set
+ when: ansible_windows_domain_role == "Member server"
+
+ - name: "MEDIUM | WN19-MS-000090 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyBatchLogonRight
+ users:
+ - Guests
+ action: set
+ when: not ansible_windows_domain_member
+ when:
+ - wn19_ms_000090
+ tags:
+ - WN19-MS-000090
+ - V-205673
+ - SRG-OS-000080-GPOS-00048
+ - SV-205673r857335_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-MS-000100 | PATCH | Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right."
+ ansible.windows.win_user_right:
+ name: SeDenyServiceLogonRight
+ users:
+ - Enterprise Admins
+ - Domain Admins
+ action: set
+ when:
+ - wn19_ms_000100
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-MS-000100
+ - V-205674
+ - SRG-OS-000080-GPOS-00048
+ - SV-205674r819709_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-MS-000110 | PATCH | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+ block:
+ - name: "MEDIUM | WN19-MS-000110 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyInteractiveLogonRight
+ users:
+ - Guests
+ - Enterprise Admins
+ - Domain Admins
+ action: set
+ when: ansible_windows_domain_role == "Member server"
+
+ - name: "MEDIUM | WN19-MS-000110 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyInteractiveLogonRight
+ users:
+ - Guests
+ action: set
+ when: not ansible_windows_domain_member
+ when:
+ - wn19_ms_000110
+ tags:
+ - WN19-MS-000110
+ - V-205675
+ - SRG-OS-000080-GPOS-00048
+ - SV-205675r857337_rule
+ - CCI-000213
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-MS-000120 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
+ block:
+ - name: "MEDIUM | WN19-MS-000120 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyRemoteInteractiveLogonRight
+ users:
+ - Guests
+ - Local account
+ - Enterprise Admins
+ - Domain Admins
+ action: set
+ when: ansible_windows_domain_role == "Member server"
+
+ - name: "MEDIUM | WN19-MS-000120 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
+ ansible.windows.win_user_right:
+ name: SeDenyRemoteInteractiveLogonRight
+ users:
+ - Guests
+ action: set
+ when: not ansible_windows_domain_member
+ when:
+ - wn19_ms_000120
+ tags:
+ - WN19-MS-000120
+ - V-205733
+ - SRG-OS-000297-GPOS-00115
+ - SV-205733r860033_rule
+ - CCI-002314
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-MS-000130 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems."
+ community.windows.win_security_policy:
+ section: Privilege Rights
+ key: SeEnableDelegationPrivilege
+ value: ""
+ when:
+ - wn19_ms_000130
+ tags:
+ - WN19-MS-000130
+ - V-205748
+ - SRG-OS-000324-GPOS-00125
+ - SV-205748r860034_rule
+ - CCI-002235
+ - CAT2
+
+- name: "MEDIUM | WN19-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store."
+ block:
+ - name: "MEDIUM | WN19-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store."
+ ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter
+ changed_when: false
+ check_mode: false
+ register: wn19_PK_000010_audit
+ when:
+ - wn19_pk_000010
+ tags:
+ - WN19-PK-000010
+ - V-205648
+ - SRG-OS-000066-GPOS-00034
+ - SV-205648r819704_rule
+ - CCI-000185
+ - CCI-002470
+ - CAT2
+
+- name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+ block:
+ - name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+ ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter
+ changed_when: false
+ check_mode: false
+ register: wn19_pk_000020_audit
+
+ - name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+
+ - name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-PK-000020'
+ when:
+ - wn19_pk_000020
+ tags:
+ - WN19-PK-000020
+ - V-205649
+ - SRG-OS-000066-GPOS-00034
+ - SV-205649r857346_rule
+ - CCI-000185
+ - CCI-002470
+ - CAT2
+
+- name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+ block:
+ - name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+ ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
+ changed_when: false
+ check_mode: false
+ register: wn19_pk_000030_audit
+
+ - name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+ ansible.builtin.debug:
+ msg: "Warning!! This is a manual task. Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+
+ - name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | import reuseable task."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-PK-000030'
+ when:
+ - wn19_pk_000030
+ tags:
+ - WN19-PK-000030
+ - V-205650
+ - SRG-OS-000066-GPOS-00034
+ - SV-205650r573797_rule
+ - CCI-000185
+ - CCI-002470
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000010 | PATCH | Windows Server 2019 must have the built-in guest account disabled."
+ community.windows.win_security_policy:
+ section: System Access
+ key: EnableGuestAccount
+ value: 0
+ when:
+ - wn19_so_000010
+ tags:
+ - WN19-SO-000010
+ - V-205709
+ - SRG-OS-000121-GPOS-00062
+ - SV-205709r569188_rule
+ - CCI-000804
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed."
+ block:
+ - name: "MEDIUM | WN19-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warning For Bad Variable."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! 
You have not changed the default name for wn19stig_newadministratorname, please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - "'adminchangethis' in wn19stig_newadministratorname"
+
+ - name: "MEDIUM | WN19-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-SO-000030'
+ when:
+ - "'adminchangethis' in wn19stig_newadministratorname"
+
+ - name: "MEDIUM | WN19-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed. | Set Variable."
+ community.windows.win_security_policy:
+ section: System Access
+ key: NewAdministratorName
+ value: "{{ wn19stig_newadministratorname }}"
+ when:
+ - "'adminchangethis' not in wn19stig_newadministratorname"
+ when:
+ - wn19_so_000030
+ tags:
+ - WN19-SO-000030
+ - V-205909
+ - SRG-OS-000480-GPOS-00227
+ - SV-205909r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed."
+ block:
+ - name: "MEDIUM | WN19-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. | Warning For Bad Variable."
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! You have not changed the default name for wn19stig_newguestname, please read"
+ - "the notes for the variable and make the necessary change to the variable to be in compliance."
+ when:
+ - "'guestchangethis' in wn19stig_newguestname"
+
+ - name: "MEDIUM | WN19-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. | Warn Count."
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: 'WN19-SO-000040'
+ when:
+ - "'guestchangethis' in wn19stig_newguestname"
+
+ - name: "MEDIUM | WN19-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed. | Set Variable."
+ community.windows.win_security_policy:
+ section: System Access
+ key: NewGuestName
+ value: "{{ wn19stig_newguestname }}"
+ when:
+ - "'guestchangethis' not in wn19stig_newguestname"
+ when:
+ - wn19_so_000040
+ tags:
+ - WN19-SO-000040
+ - V-205910
+ - SRG-OS-000480-GPOS-00227
+ - SV-205910r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000050 | PATCH | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\
+ value: SCENoApplyLegacyAuditPolicy
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000050
+ tags:
+ - WN19-SO-000050
+ - V-205644
+ - SRG-OS-000062-GPOS-00031
+ - SV-205644r569188_rule
+ - CCI-000169
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000060 | PATCH | Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+ value: RequireSignOrSeal
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000060
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-SO-000060
+ - V-205821
+ - SRG-OS-000423-GPOS-00187
+ - SRG-OS-000424-GPOS-00188
+ - SV-205821r569188_rule
+ - CCI-002418
+ - CCI-002421
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-SO-000080 | PATCH | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+ value: SignSecureChannel
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000080
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - WN19-SO-000080
+ - V-205823
+ - SRG-OS-000423-GPOS-00187
+ - SV-205823r569188_rule
+ - CCI-002418
+ - CCI-002421
+ - CAT2
+ - NeedToTestMemberServer
+
+- name: "MEDIUM | WN19-SO-000090 | PATCH | Windows Server 2019 computer account password must not be prevented from being reset."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+ value: DisablePasswordChange
+ data: 0
+ datatype: dword
+ when:
+ - wn19_so_000090
+ tags:
+ - WN19-SO-000090
+ - V-205815
+ - SRG-OS-000379-GPOS-00164
+ - SV-205815r569188_rule
+ - CCI-001967
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000100 | PATCH | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+ value: MaximumPasswordAge
+ data: 30
+ datatype: dword
+ when:
+ - wn19_so_000100
+ tags:
+ - WN19-SO-000100
+ - V-205911
+ - SRG-OS-000480-GPOS-00227
+ - SV-205911r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000110 | PATCH | Windows Server 2019 must be configured to require a strong session key."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
+ value: RequireStrongKey
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000110
+ tags:
+ - WN19-SO-000110
+ - V-205824
+ - SRG-OS-000423-GPOS-00187
+ - SV-205824r569188_rule
+ - CCI-002418
+ - CCI-002421
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000120 | PATCH | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: InactivityTimeoutSecs
+ data: 900
+ datatype: dword
+ when:
+ - wn19_so_000120
+ tags:
+ - WN19-SO-000120
+ - V-205633
+ - SRG-OS-000028-GPOS-00009
+ - SV-205633r569188_rule
+ - CCI-000056
+ - CCI-000057
+ - CCI-000060
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000130 | PATCH | Windows Server 2019 required legal notice must be configured to display before console logon."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: LegalNoticeText
+ data: "{{ wn19stig_legalnoticetext }}"
+ datatype: string
+ when:
+ - wn19_so_000130
+ tags:
+ - WN19-SO-000130
+ - V-205631
+ - SRG-OS-000023-GPOS-00006
+ - SV-205631r569188_rule
+ - CCI-000048
+ - CCI-000050
+ - CCI-001384
+ - CCI-001385
+ - CCI-001386
+ - CCI-001387
+ - CCI-001388
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000150 | PATCH | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+ value: scremoveoption
+ data: 1
+ datatype: string
+ when:
+ - wn19_so_000150
+ tags:
+ - WN19-SO-000150
+ - V-205912
+ - SRG-OS-000480-GPOS-00227
+ - SV-205912r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000160 | PATCH | Windows Server 2019 etting Microsoft network client: Digitally sign communications (always) must be configured to Enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
+ value: RequireSecuritySignature
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000160
+ tags:
+ - WN19-SO-000160
+ - V-205825
+ - SRG-OS-000423-GPOS-00187
+ - SRG-OS-000424-GPOS-00188
+ - SV-205825r569188_rule
+ - CCI-002418
+ - CCI-002421
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000170 | PATCH | Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
+ value: EnableSecuritySignature
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000170
+ tags:
+ - WN19-SO-000170
+ - V-205826
+ - SRG-OS-000423-GPOS-00187
+ - SRG-OS-000424-GPOS-00188
+ - SV-205826r569188_rule
+ - CCI-002421
+ - CCI-002418
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000180 | PATCH | Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
+ value: EnablePlainTextPassword
+ data: 0
+ datatype: dword
+ when:
+ - wn19_so_000180
+ tags:
+ - WN19-SO-000180
+ - V-205655
+ - SRG-OS-000074-GPOS-00042
+ - SV-205655r569188_rule
+ - CCI-000197
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000190 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
+ value: RequireSecuritySignature
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000190
+ tags:
+ - WN19-SO-000190
+ - V-205827
+ - SRG-OS-000423-GPOS-00187
+ - SV-205827r569188_rule
+ - CCI-002418
+ - CCI-002421
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000200 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
+ value: EnableSecuritySignature
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000200
+ tags:
+ - WN19-SO-000200
+ - V-205828
+ - SRG-OS-000423-GPOS-00187
+ - SV-205828r569188_rule
+ - CCI-002418
+ - CCI-002421
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000240 | PATCH | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ value: EveryoneIncludesAnonymous
+ data: 0
+ datatype: dword
+ when:
+ - wn19_so_000240
+ tags:
+ - WN19-SO-000240
+ - V-205915
+ - SRG-OS-000480-GPOS-00227
+ - SV-205915r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000260 | PATCH | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
+ value: UseMachineId
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000260
+ tags:
+ - WN19-SO-000260
+ - V-205916
+ - SRG-OS-000480-GPOS-00227
+ - SV-205916r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000270 | PATCH | Windows Server 2019 must prevent NTLM from falling back to a Null session."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
+ value: allownullsessionfallback
+ data: 0
+ datatype: dword
+ when:
+ - wn19_so_000270
+ tags:
+ - WN19-SO-000270
+ - V-205917
+ - SRG-OS-000480-GPOS-00227
+ - SV-205917r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000280 | PATCH | Windows Server 2019 Must prevent PKU2U authentication using online identities."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u
+ value: AllowOnlineID
+ data: 0
+ datatype: dword
+ when:
+ - wn19_so_000280
+ tags:
+ - WN19-SO-000280
+ - V-205918
+ - SRG-OS-000480-GPOS-00227
+ - SV-205918r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000290 | PATCH | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
+ value: SupportedEncryptionTypes
+ data: 2147483640
+ datatype: dword
+ when:
+ - wn19_so_000290
+ tags:
+ - WN19-SO-000290
+ - V-205708
+ - SRG-OS-000120-GPOS-00061
+ - WN19-SO-000290
+ - CCI-000803
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000320 | PATCH | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP
+ value: LDAPClientIntegrity
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000320
+ tags:
+ - WN19-SO-000320
+ - V-205920
+ - SRG-OS-000480-GPOS-00227
+ - SV-205920r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000330 | PATCH | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
+ value: NTLMMinClientSec
+ data: 537395200
+ datatype: dword
+ when:
+ - wn19_so_000330
+ tags:
+ - WN19-SO-000330
+ - V-205921
+ - SRG-OS-000480-GPOS-00227
+ - SV-205921r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000340 | PATCH | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
+ value: NTLMMinServerSec
+ data: 537395200
+ datatype: dword
+ when:
+ - wn19_so_000340
+ tags:
+ - WN19-SO-000340
+ - V-205922
+ - SRG-OS-000480-GPOS-00227
+ - SV-205922r569188_rule
+ - CCI-000366
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000350 | PATCH | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography
+ value: ForceKeyProtection
+ data: 2
+ datatype: dword
+ when:
+ - wn19_so_000350
+ tags:
+ - WN19-SO-000350
+ - V-205651
+ - SRG-OS-000067-GPOS-00035
+ - SV-205651r569188_rule
+ - CCI-000186
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000360 | PATCH | Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing."
+ ansible.windows.win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager
+ value: ProtectionMode
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000360
+ tags:
+ - WN19-SO-000360
+ - V-205842
+ - SRG-OS-000480-GPOS-00227
+ - SV-205842r569188_rule
+ - CCI-002450
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000380 | PATCH | Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: FilterAdministratorToken
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000380
+ tags:
+ - WN19-SO-000380
+ - V-205811
+ - SRG-OS-000373-GPOS-00157
+ - SV-205811r569188_rule
+ - CCI-002038
+ - CAT2
+ # - exclusions for server core? think its NA there
+
+- name: "MEDIUM | WN19-SO-000390 | PATCH | Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: EnableUIADesktopToggle
+ data: 0
+ datatype: dword
+ when:
+ - wn19_so_000390
+ tags:
+ - WN19-SO-000390
+ - V-205716
+ - SRG-OS-000134-GPOS-00068
+ - SV-205716r569188_rule
+ - CCI-001084
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000400 | PATCH | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: ConsentPromptBehaviorAdmin
+ data: 2
+ datatype: dword
+ when:
+ - wn19_so_000400
+ tags:
+ - WN19-SO-000400
+ - V-205717
+ - SRG-OS-000134-GPOS-00068
+ - SV-205717r569188_rule
+ - CCI-001084
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000410 | PATCH | Windows Server 2019 User Account Control must automatically deny standard user requests for elevation."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ state: present
+ value: ConsentPromptBehaviorUser
+ data: 0
+ datatype: dword
+ when:
+ - wn19_so_000410
+ tags:
+ - WN19-SO-000410
+ - V-205812
+ - SRG-OS-000373-GPOS-00157
+ - SV-205812r569188_rule
+ - CCI-002038
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000420 | PATCH | Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: EnableInstallerDetection
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000420
+ tags:
+ - WN19-SO-000420
+ - V-205718
+ - SRG-OS-000134-GPOS-00068
+ - SV-205718r569188_rule
+ - CCI-001084
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000430 | PATCH | Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: EnableSecureUIAPaths
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000430
+ tags:
+ - WN19-SO-000430
+ - V-205719
+ - SRG-OS-000134-GPOS-00068
+ - SV-205719r569188_rule
+ - CCI-001084
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000440 | PATCH | Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: EnableLUA
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000440
+ tags:
+ - WN19-SO-000440
+ - V-205813
+ - SRG-OS-000373-GPOS-00157
+ - SV-205813r569188_rule
+ - CCI-002038
+ - CAT2
+
+- name: "MEDIUM | WN19-SO-000450 | PATCH | Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+ value: EnableVirtualization
+ data: 1
+ datatype: dword
+ when:
+ - wn19_so_000450
+ tags:
+ - WN19-SO-000450
+ - V-205720
+ - SRG-OS-000134-GPOS-00068
+ - SV-205720r569188_rule
+ - CCI-001084
+ - CAT2
+
+- name: "MEDIUM | WN19-UC-000010 | PATCH | Windows Server 2019 must preserve zone information when saving attachments."
+ ansible.windows.win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments
+ value: SaveZoneInformation
+ data: 2
+ datatype: dword
+ when:
+ - wn19_uc_000010
+ tags:
+ - WN19-UC-000010
+ - V-205924
+ - SRG-OS-000480-GPOS-00227
+ - SV-205924r569188_rule
+ - CCI-000366
+ - CAT2
+
+# [WARNING]: Using this module to edit rights and privileges is error-prone, use the win_user_right module instead
+- name: "MEDIUM | WN19-UR-000010 | PATCH | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
+ community.windows.win_security_policy:
+ section: Privilege Rights
+ key: SeTrustedCredManAccessPrivilege
+ value: ""
+ when:
+ - wn19_ur_000010
+ tags:
+ - WN19-UR-000010
+ - V-205749
+ - SRG-OS-000324-GPOS-00125
+ - SV-205749r569188_rule
+ - CCI-002235
+ - CAT2
+
+- name: "MEDIUM | WN19-UR-000030 | PATCH | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group."
+ ansible.windows.win_user_right:
+ name: SeInteractiveLogonRight
+ users: Administrators
+ action: set
+ when:
+ - wn19_ur_000030
+ tags:
+ - WN19-UR-000030
+ - V-205676
+ - SRG-OS-000080-GPOS-00048
+ - SV-205676r569188_rule
+ - CCI-000213
+ - CAT2
+
+- name: "MEDIUM | WN19-UR-000040 | PATCH | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group."
+ ansible.windows.win_user_right:
+ name: SeBackupPrivilege
+ users: Administrators
+ action: set
+ when:
+ - wn19_ur_000040
+ tags:
+ - WN19-UR-000040
+ - V-205751
+ - SRG-OS-000324-GPOS-00125
+ - SV-205751r569188_rule
+ - CCI-002235
+ - CAT2
+
+- name: "MEDIUM | WN19-UR-000050 | PATCH | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group."
+ ansible.windows.win_user_right: + name: SeCreatePagefilePrivilege + users: Administrators + action: set + when: + - wn19_ur_000050 + tags: + - WN19-UR-000050 + - V-205752 + - SRG-OS-000324-GPOS-00125 + - SV-205752r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000070 | PATCH | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." + ansible.windows.win_user_right: + name: SeCreateGlobalPrivilege + users: + - Administrators + - Service + - "Local Service" + - Network Service + action: set + when: + - wn19_ur_000070 + tags: + - WN19-UR-000070 + - V-205754 + - SRG-OS-000324-GPOS-00125 + - SV-205754r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000080 | PATCH | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts." + community.windows.win_security_policy: + section: Privilege Rights + key: SeCreatePermanentPrivilege + value: "" + when: + - wn19_ur_000080 + tags: + - WN19-UR-000080 + - V-205755 + - SRG-OS-000324-GPOS-00125 + - SV-205755r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000090 | PATCH | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: Administrators + action: set + when: + - wn19_ur_000090 + tags: + - WN19-UR-000090 + - V-205756 + - SRG-OS-000324-GPOS-00125 + - SV-205756r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000110 | PATCH | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group." 
+ ansible.windows.win_user_right: + name: SeRemoteShutdownPrivilege + users: Administrators + action: set + when: + - wn19_ur_000110 + tags: + - WN19-UR-000110 + - V-205758 + - SRG-OS-000324-GPOS-00125 + - SV-205758r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000120 | PATCH | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service." + ansible.windows.win_user_right: + name: SeAuditPrivilege + users: + - Local Service + - Network Service + action: set + when: + - wn19_ur_000120 + tags: + - WN19-UR-000120 + - V-205759 + - SRG-OS-000324-GPOS-00125 + - SV-205759r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000130 | PATCH | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." + ansible.windows.win_user_right: + name: SeImpersonatePrivilege + users: + - Administrators + - Service + - Local Service + - Network Service + action: set + when: + - wn19_ur_000130 + tags: + - WN19-UR-000130 + - V-205760 + - SRG-OS-000324-GPOS-00125 + - SV-205760r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000140 | PATCH | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeIncreaseBasePriorityPrivilege + users: Administrators + action: set + when: + - wn19_ur_000140 + tags: + - WN19-UR-000140 + - V-205761 + - SRG-OS-000324-GPOS-00125 + - SV-205761r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000150 | PATCH | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group." 
+ ansible.windows.win_user_right: + name: SeLoadDriverPrivilege + users: Administrators + action: set + when: + - wn19_ur_000150 + tags: + - WN19-UR-000150 + - V-205762 + - SRG-OS-000324-GPOS-00125 + - SV-205762r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000160 | PATCH | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts." + community.windows.win_security_policy: + section: Privilege Rights + key: SeLockMemoryPrivilege + value: "" + when: + - wn19_ur_000160 + tags: + - WN19-UR-000160 + - V-205763 + - SRG-OS-000324-GPOS-00125 + - SV-205763r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000170 | PATCH | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeSecurityPrivilege + users: Administrators + action: set + when: + - wn19_ur_000170 + tags: + - WN19-UR-000170 + - V-205643 + - SRG-OS-000057-GPOS-00027 + - SV-205643r569188_rule + - CCI-000162 + - CCI-000163 + - CCI-000164 + - CCI-000171 + - CCI-001914 + - CAT2 + +- name: "MEDIUM | WN19-UR-000180 | PATCH | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeSystemEnvironmentPrivilege + users: Administrators + action: set + when: + - wn19_ur_000180 + tags: + - WN19-UR-000180 + - V-205764 + - SRG-OS-000324-GPOS-00125 + - SV-205764r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000190 | PATCH | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group." 
+ ansible.windows.win_user_right: + name: SeManageVolumePrivilege + users: Administrators + action: set + when: + - wn19_ur_000190 + tags: + - WN19-UR-000190 + - V-205765 + - SRG-OS-000324-GPOS-00125 + - SV-205765r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000200 | PATCH | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeProfileSingleProcessPrivilege + users: Administrators + action: set + when: + - wn19_ur_000200 + tags: + - WN19-UR-000200 + - V-205766 + - SRG-OS-000324-GPOS-00125 + - SV-205766r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000210 | PATCH | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeRestorePrivilege + users: Administrators + action: set + when: + - wn19_ur_000210 + tags: + - WN19-UR-000210 + - V-205767 + - SRG-OS-000324-GPOS-00125 + - SV-205767r569188_rule + - CCI-002235 + - CAT2 + +- name: "MEDIUM | WN19-UR-000220 | PATCH | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeTakeOwnershipPrivilege + users: Administrators + action: set + when: + - wn19_ur_000220 + tags: + - WN19-UR-000220 + - V-205768 + - SRG-OS-000324-GPOS-00125 + - SV-205768r569188_rule + - CCI-002235 + - CAT2 diff --git a/tasks/cat2_cloud.yml b/tasks/cat2_cloud.yml new file mode 100644 index 0000000..99956e3 --- /dev/null +++ b/tasks/cat2_cloud.yml 
@@ -0,0 +1,115 @@ +--- +# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS +# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." + block: + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 + + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000020' + when: + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 + + - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." + community.windows.win_security_policy: + section: System Access + key: LockoutBadCount + value: "{{ wn22stig_lockoutbadcount }}" + when: + - wn22stig_lockoutbadcount > 0 + - wn22stig_lockoutbadcount <= 3 + when: + - wn22_ac_000020 + tags: + - WN22-AC-000020 + - V-205629 + - SRG-OS-000021-GPOS-00005 + - SV-205629r569188_rule + - CCI-000044 + - CAT2_CLOUD2 + +- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." 
+ block: + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 + + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000010' + when: + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 + + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Apply Variable." + community.windows.win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ wn22stig_lockoutduration }}" + when: + - wn22stig_lockoutduration == 0 or + wn22stig_lockoutduration >= 15 + when: + - wn22_ac_000010 + tags: + - WN22-AC-000010 + - V-205795 + - SRG-OS-000329-GPOS-00128 + - SV-205795r569188_rule + - CCI-002238 + - CAT2_CLOUD2 + +# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + block: + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + ansible.builtin.debug: + msg: + - "Warning!! 
You have a invalid number of days set for wn22stig_resetlockoutcount please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or + wn22stig_resetlockoutcount < 15 + + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000030' + when: + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or + wn22stig_resetlockoutcount < 15 + + - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" + community.windows.win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ wn22stig_resetlockoutcount }}" + when: + - wn22stig_resetlockoutcount >= 15 + - wn22stig_resetlockoutcount <= wn22stig_lockoutduration + when: + - wn22_ac_000030 + tags: + - WN22-AC-000030 + - V-205630 + - SRG-OS-000021-GPOS-00005 + - SV-205630r569188_rule + - CCI-000044 + - CCI-002238 + - CAT2_CLOUD2 diff --git a/tasks/cat3.yml b/tasks/cat3.yml new file mode 100644 index 0000000..772be1a --- /dev/null +++ b/tasks/cat3.yml 
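Review bot: WN22-AC-000030 can never be applied when `wn22stig_lockoutduration` is 0, even though the WN22-AC-000010 apply task explicitly accepts 0 (locked until an administrator unlocks): its apply condition requires `wn22stig_resetlockoutcount <= wn22stig_lockoutduration`, which no value >= 15 can satisfy, so the control is silently skipped while both warning tasks fire. In the apply task use `- wn22stig_lockoutduration == 0 or wn22stig_resetlockoutcount <= wn22stig_lockoutduration` and mirror it in the two warning conditions as `wn22stig_lockoutduration != 0 and wn22stig_resetlockoutcount > wn22stig_lockoutduration`. The comment above that block still cites WN16-AC-000020 as the dependency and its warning text says "number of days" for a value in minutes; both should say WN22-AC-000020 and minutes. Negative values of any of the three variables match neither the warning nor the apply condition and are dropped silently, so a `< 0` test belongs in each warning condition. The two AUDIT subtask names under WN22-AC-000030 are missing their opening double quote, so the closing quote becomes part of the task name.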
@@ -0,0 +1,252 @@ +--- +- name: "LOW | WN22-SO-000140 | PATCH | Windows Server 2022 title for the legal banner must be configured with the appropriate text." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + value: LegalNoticeCaption + data: "{{ wn22stig_legalnoticecaption }}" + datatype: string + when: + - wn22_so_000140 + tags: + - WN22-SO-000140 + - V-205632 + - SRG-OS-000023-GPOS-00006 + - SRG-OS-000228-GPOS-00088 + - SV-205632r569188_rule + - CCI-000048 + - CCI-001384 + - CCI-001385 + - CCI-001386 + - CCI-001387 + - CCI-001388 + +- name: "LOW | WN22-00-000180 | AUDIT | Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares." + block: + - name: "LOW | WN22-00-000180 | AUDIT | Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares." + + - name: "LOW | WN22-00-000180 | AUDIT | Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000180' + when: + - wn22_00_000180 + tags: + - WN22-00-000180 + - V-205664 + - SRG-OS-000080-GPOS-00048 + - SV-205664r569188_rule + - CCI-000213 + - CAT3 + +- name: "LOW | WN22-CC-000200 | PATCH | Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." 
+ ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat + value: DisableInventory + data: 1 + datatype: dword + when: + - wn22_cc_000200 + tags: + - WN22-CC-000200 + - V-205691 + - SRG-OS-000095-GPOS-00049 + - SV-205691r569188_rule + - CCI-000381 + - CAT3 + +- name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + block: + - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + + - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000160' + when: + - wn22_dc_000160 + tags: + - WN22-DC-000160 + - V-205726 + - SRG-OS-000163-GPOS-00072 + - SV-205726r569188_rule + - CCI-001133 + - CAT3 + +- name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source." + block: + - name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. The Windows Server 2022 time service must synchronize with an appropriate DoD time source. " + + - name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source. | import reuseable task." 
+ ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000440' + when: wn22_00_000440 + tags: + - WN22-00-000440 + - V-205800 + - SRG-OS-000355-GPOS-00143 + - SV-205800r859311_rule + - CCI-001891 + - CAT3 + +- name: "LOW | WN22-CC-000060 | PATCH | Windows Server 2022 Must be configured to ignore NetBIOS name release requests except from WINS servers." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters + value: NoNameReleaseOnDemand + data: 1 + datatype: dword + when: + - wn22_cc_000060 + tags: + - WN22-CC-000060 + - V-205822 + - SRG-OS-000420-GPOS-00186 + - SV-205822r569188_rule + - CCI-002385 + - CAT3 + +- name: "LOW | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + block: + - name: "LOW | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + + - name: "LOW | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000460' + when: + - wn22_00_000460 + tags: + - WN22-00-000460 + - V-205856 + - SRG-OS-000480-GPOS-00227 + - SV-205856r569188_rule + - CCI-000366 + - CAT3 + +- name: "LOW | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled." + block: + - name: "LOW | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled." + ansible.builtin.debug: + msg: "Warning!! 
This is a manual task. Windows Server 2022 must have Secure Boot enabled. " + + - name: "LOW | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000470' + when: + - wn22_00_000470 + tags: + - WN22-00-000470 + - V-205857 + - SRG-OS-000480-GPOS-00227 + - SV-205857r569188_rule + - CCI-000366 + - CAT3 + +- name: "LOW | WN22-CC-000030 | PATCH | Windows Server 2022 internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + value: DisableIPSourceRouting + data: 2 + datatype: dword + when: + - wn22_cc_000030 + tags: + - WN22-CC-000030 + - V-205858 + - SRG-OS-000480-GPOS-00227 + - SV-205858r569188_rule + - CCI-000366 + - CAT3 + +- name: "LOW | WN22-CC-000040 | PATCH | Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + value: DisableIPSourceRouting + data: 2 + datatype: dword + when: + - wn22_cc_000040 + tags: + - WN22-CC-000040 + - V-205859 + - SRG-OS-000480-GPOS-00227 + - SV-205859r569188_rule + - CCI-000366 + - CAT3 + +- name: "LOW | WN22-CC-000050 | PATCH | Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes." 
+ ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + value: EnableICMPRedirect + data: 0 + datatype: dword + when: + - wn22_cc_000050 + tags: + - WN22-CC-000050 + - V-205860 + - SRG-OS-000480-GPOS-00227 + - SV-205860r569188_rule + - CCI-000366 + - CAT3 + +- name: "LOW | WN22-CC-000260 | PATCH | Windows Server 2022 Windows Update must not obtain updates from other PCs on the Internet." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization + value: DODownloadMode + data: 1 + datatype: dword + when: + - wn22_cc_000260 + tags: + - WN22-CC-000260 + - V-205870 + - SRG-OS-000480-GPOS-00227 + - SV-205870r569188_rule + - CCI-000366 + - CAT3 + +- name: "LOW | WN22-CC-000320 | AUDIT | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled." + block: + - name: "LOW | WN22-CC-000320 | AUDIT | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled. " + + - name: "LOW | WN22-CC-000320 | AUDIT | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-CC-000320' + when: + - wn22_cc_000320 + tags: + - WN22-CC-000320 + - SV-205871r569188_rule + - V-205871 + - CCI-000366 + - SRG-OS-000480-GPOS-00227 + - CAT3 + +- name: "LOW | WN22-SO-000370 | PATCH | Windows Server 2022 default permissions of global system objects must be strengthened." 
+ ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager + value: ProtectionMode + data: 1 + datatype: string + when: + - wn22_so_000370 + tags: + - WN22-SO-000370 + - V-205871 + - SRG-OS-000480-GPOS-00227 + - SV-205871r569188_rule + - CCI-000366 + - CAT3 diff --git a/tasks/main.yml b/tasks/main.yml index 7bb0d10..ef09f5d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -43,6 +43,32 @@ tags: - CAT1 +# We have found the order of these three tasks varies between cloud based instances +# and VM based instances. The task below breaks out to run in a different order +# for cloud based systems +- name: Execute the category 2 (medium severity) tasks for cloud based system + ansible.builtin.import_tasks: cat2_cloud.yml + when: + - win22stig_cloud_based_system + - wn22_ac_000010 or + wn22_ac_000020 or + wn22_ac_000030 + tags: + - CAT2_CLOUD2 + +- name: Execute the category 2 (medium severity) tasks + ansible.builtin.import_tasks: cat2.yml + when: win2022stig_cat2_patch + tags: + - CAT2 + +- name: Execute the category 3 (lowest severity) tasks + ansible.builtin.import_tasks: cat3.yml + when: win2022stig_cat3_patch + tags: + - CAT3 + + - name: If Warnings Found Output Count and Control IDs Affected ansible.builtin.debug: msg: From 30f63044f89cde87092408d8f6d61e0d182c3554 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 23 Jun 2023 16:09:25 -0400 Subject: [PATCH 16/95] update cat2+3-2 Signed-off-by: Frederick Witty --- tasks/prelim.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 57d8d32..bb5c174 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
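Review bot: WN22-SO-000370 writes `ProtectionMode` with `datatype: string`, so the value is stored as REG_SZ "1" rather than the REG_DWORD 1 the STIG check looks for, and the control will still be reported as a finding after remediation; change it to `datatype: dword`, which is what every other win_regedit task in this file uses. The same task is tagged `V-205871` and `SV-205871r569188_rule`, which are already carried by WN22-CC-000320 directly above it, so one of the two is mis-tagged. WN22-SO-000140 (LegalNoticeCaption) is the only task in the file without a `CAT3` tag, so a run limited with `--tags CAT3` skips it. The control IDs say Server 2022 but the V-/SV- numbers sit in the same series as the WN19 tasks earlier in this patch and appear to be carried over; confirm them against the 2022 STIG before release.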
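Review bot: The cat2_cloud.yml import is not gated on `win2022stig_cat2_patch`, unlike the cat2.yml import right below it, so the three lockout controls are applied on cloud hosts even when CAT2 remediation is switched off; add `- win2022stig_cat2_patch` to its `when`. `win22stig_cloud_based_system` is only set as a fact by prelim.yml when the virtualization type matches, so unless defaults/main.yml declares it the `when` fails with an undefined variable on every non-cloud host; `- win22stig_cloud_based_system | default(false)` avoids that. The comment says the cloud file only changes task order, which implies cat2.yml still contains WN22-AC-000010/20/30; if those are not guarded with `not win22stig_cloud_based_system`, cloud hosts get them applied twice, which cannot be confirmed from this hunk. The role mixes the prefixes `win22stig_`, `win2022stig_`, `wn22stig_` and `wn22_` for its variables; settling on one would make its interface easier to document and override.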
@@ -15,7 +15,7 @@ # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205 - name: Set Fact If Cloud Based System. ansible.builtin.set_fact: - win19stig_cloud_based_system: true + win22stig_cloud_based_system: true when: - ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or From 827fb1d623e67ee1c5fce61f3b4814e7b9a11fb3 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 23 Jun 2023 16:16:47 -0400 Subject: [PATCH 17/95] update cat2+3-3 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 2286 ++++++++++++++++++++++++------------------------ 1 file changed, 1143 insertions(+), 1143 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index ad57767..fe85e0c 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -1,53 +1,53 @@ --- # enumerating on DC is different than standalone -- name: "MEDIUM | WN19-00-000020 | AUDIT | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days." +- name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." block: - - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days." - ansible.windows.win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_pass_age }}))} | Select Name,PasswordLastSet" - # win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet" + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." 
+ ansible.windows.win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age }}))} | Select Name,PasswordLastSet" + # win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet" changed_when: false check_mode: false - register: wn19_00_000020_audit_dc + register: wn22_00_000020_audit_dc when: "'controller' in ansible_windows_domain_role" - - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days." + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." ansible.builtin.debug: msg: - - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn19stig_pass_age }}" + - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age }}" - "{{ wn9_00_000020_audit_dc.stdout.split('\n') }}" when: - - not wn19_00_000020_audit_dc is skipped - - wn19_00_000020_audit_dc.stdout != "" + - not wn22_00_000020_audit_dc is skipped + - wn22_00_000020_audit_dc.stdout != "" - - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days." 
- ansible.windows.win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_pass_age }}))} | Select Name,PasswordLastSet" + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." + ansible.windows.win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age }}))} | Select Name,PasswordLastSet" changed_when: false check_mode: false - register: wn19_00_000020_audit_dm_sa + register: wn22_00_000020_audit_dm_sa - - name: "MEDIUM | WN19-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn19stig_pass_age }} days." + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." ansible.builtin.debug: msg: - - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn19stig_pass_age }}" - - "{{ wn19_00_000020_audit_dm_sa.stdout.split('\n') }}" + - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age }}" + - "{{ wn22_00_000020_audit_dm_sa.stdout.split('\n') }}" when: - - wn19_00_000020_audit_dm_sa is defined - - wn19_00_000020_audit_dm_sa.stdout != "" + - wn22_00_000020_audit_dm_sa is defined + - wn22_00_000020_audit_dm_sa.stdout != "" - name: Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000020' + warn_control_id: 'WN22-00-000020' when: - - not wn19_00_000020_audit_dc is skipped - - wn19_00_000020_audit_dc.stdout != "" or - - wn19_00_000020_audit_dm_sa is defined - - wn19_00_000020_audit_dm_sa.stdout != "" + - not wn22_00_000020_audit_dc is skipped + - wn22_00_000020_audit_dc.stdout != "" or + - wn22_00_000020_audit_dm_sa is defined + - wn22_00_000020_audit_dm_sa.stdout != "" when: - - wn19_00_000020 + - wn22_00_000020 tags: - - WN19-00-000020 + - WN22-00-000020 - V-205657 - CCI-000199 - SV-205657r857286_rule 
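Review bot: The rename misses the consumer of the DC audit result: the debug task still reads `wn9_00_000020_audit_dc.stdout`, which is undefined now that the register is `wn22_00_000020_audit_dc`, so on a domain controller whose built-in Administrator password is stale the task errors instead of warning. The Warn Count `when` list on the new side is also malformed — list items are ANDed and the second item ends in a dangling `or`, which is not a valid Jinja expression; on member servers the first item (`not ... is skipped`) is false so the warning is never counted, and on DCs the second item will most likely fail as a template error. Fold it into one expression: `when: (not wn22_00_000020_audit_dc is skipped and wn22_00_000020_audit_dc.stdout != "") or (wn22_00_000020_audit_dm_sa is defined and wn22_00_000020_audit_dm_sa.stdout != "")`. The task names still read "Windows Server 2019" and the V-/SV- tags are unchanged, so the rename is only half done; confirm those identifiers against the 2022 STIG.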
@@ -56,36 +56,36 @@ - audit - CAT2 -- name: "MEDIUM | WN19-00-000040 | AUDIT | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." +- name: "MEDIUM | WN22-00-000040 | AUDIT | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." block: - - name: "MEDIUM | WN19-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." + - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." ansible.windows.win_shell: Get-LocalGroupMember -Name 'Backup Operators' changed_when: false check_mode: false - register: wn19_00_000040_audit + register: wn22_00_000040_audit - - name: "MEDIUM | WN19-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." + - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." 
ansible.builtin.debug: msg: - The accounts listed are members of the Backup Operators group - - "{{ wn19_00_000040_audit.stdout.split('\n') }}" + - "{{ wn22_00_000040_audit.stdout.split('\n') }}" when: - - not wn19_00_000040_audit is skipped - - wn19_00_000040_audit.stdout != "" + - not wn22_00_000040_audit is skipped + - wn22_00_000040_audit.stdout != "" changed_when: false - - name: "MEDIUM | WN19-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Warn Count." + - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000040' + warn_control_id: 'WN22-00-000040' when: - - not wn19_00_000040_audit is skipped - - wn19_00_000040_audit.stdout != "" + - not wn22_00_000040_audit is skipped + - wn22_00_000040_audit.stdout != "" when: - - wn19_00_000040 + - wn22_00_000040 - "'controller' not in ansible_windows_domain_role" tags: - - WN19-00-000040 + - WN22-00-000040 - V-205846 - SRG-OS-000480-GPOS-00227 - SV-205846r569188_rule 
@@ -93,40 +93,40 @@ - audit - CAT2 -- name: "MEDIUM | WN19-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length." +- name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length." block: - - name: "MEDIUM | WN19-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Message out" + - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 manually managed application account passwords must be at least 15 characters in length." - - name: "MEDIUM | WN19-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Warn Count." + - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000050' + warn_control_id: 'WN22-00-000050' when: - - wn19_00_000050 + - wn22_00_000050 tags: - - WN19-00-000050 + - WN22-00-000050 - V-205661 - SRG-OS-000078-GPOS-00046 - SV-205661r569188_rule - CCI-000205 - CAT2 -- name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization." +- name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization." 
block: - - name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Message out" + - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization." - - name: "MEDIUM | WN19-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reuseable task." + - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000060' + warn_control_id: 'WN22-00-000060' when: - - wn19_00_000060 + - wn22_00_000060 tags: - - WN19-00-000060 + - WN22-00-000060 - V-205847 - SRG-OS-000480-GPOS-00227 - SV-205847r857288_rule 
@@ -134,40 +134,40 @@ - CAT2 # how to make this list? -- name: "MEDIUM | WN19-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted." +- name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted." block: - - name: "MEDIUM | WN19-00-000070 | Windows Server 2019 shared user accounts must not be permitted. | Message out" + - name: "MEDIUM | WN22-00-000070 | Windows Server 2019 shared user accounts must not be permitted. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 shared user accounts must not be permitted." - - name: "MEDIUM | WN19-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted. | import reuseable task." + - name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000070' + warn_control_id: 'WN22-00-000070' when: - - wn19_00_000070 + - wn22_00_000070 tags: - - WN19-00-000070 + - WN22-00-000070 - V-205699 - SRG-OS-000104-GPOS-00051 - SV-205699r569188_rule - CCI-000764 - CAT2 -- name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." +- name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." block: - - name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Message out" + - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. 
Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs." - - name: "MEDIUM | WN19-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reuseable task." + - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000080' + warn_control_id: 'WN22-00-000080' when: - - wn19_00_000080 + - wn22_00_000080 tags: - - WN19-00-000080 + - WN22-00-000080 - V-205807 - SRG-OS-000370-GPOS-00155 - SV-205807r569188_rule 
@@ -176,20 +176,20 @@ # Get-AppLockerPolicy -Effective # Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. -- name: "MEDIUM | WN19-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." +- name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." block: - - name: "MEDIUM | WN19-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out" + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." - - name: "MEDIUM | WN19-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task." + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000090' + warn_control_id: 'WN22-00-000090' when: - - wn19_00_000090 + - wn22_00_000090 tags: - - WN19-00-000090 + - WN22-00-000090 - V-205848 - SRG-OS-000480-GPOS-00227 - SV-205848r857290_rule 
@@ -198,20 +198,20 @@ # wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * # if not enabled see "No Instance(s) Available." ? -- name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system." +- name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system." block: - - name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | Message out" + - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have a host-based intrusion detection or prevention system." - - name: "MEDIUM | WN19-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | import reuseable task." + - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000120' + warn_control_id: 'WN22-00-000120' when: - - wn19_00_000120 + - wn22_00_000120 tags: - - WN19-00-000120 + - WN22-00-000120 - V-205851 - SRG-OS-000480-GPOS-00227 - SV-205851r793214_rule 
@@ -219,155 +219,155 @@ - CAT2 # think this is mcafee but need install and figure out paths for AV vs HIDS and/or running services? -- name: "MEDIUM | WN19-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements." +- name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements." block: - - name: "MEDIUM | WN19-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | Message out" + - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements." - - name: "MEDIUM | WN19-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | import reuseable task." + - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000140' + warn_control_id: 'WN22-00-000140' when: - - wn19_00_000140 + - wn22_00_000140 tags: - - WN19-00-000140 + - WN22-00-000140 - V-205734 - SRG-OS-000312-GPOS-00122 - SV-205734r569188_rule - CCI-002165 - CAT2 -- name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements." +- name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements." 
block: - - name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Message out" + - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 permissions for program file directories must conform to minimum requirements." - - name: "MEDIUM | WN19-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | import reuseable task." + - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000150' + warn_control_id: 'WN22-00-000150' when: - - wn19_00_000150 + - wn22_00_000150 tags: - - WN19-00-000150 + - WN22-00-000150 - V-205735 - SRG-OS-000312-GPOS-00122 - SV-205735r569188_rule - CCI-002165 - CAT2 -- name: "MEDIUM | WN19-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements." +- name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements." block: - - name: "MEDIUM | WN19-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | Message out" + - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements." 
- - name: "MEDIUM | WN19-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | import reuseable task." + - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000160' + warn_control_id: 'WN22-00-000160' when: - - wn19_00_000160 + - wn22_00_000160 tags: - - WN19-00-000160 + - WN22-00-000160 - V-205736 - SRG-OS-000312-GPOS-00122 - SV-205736r569188_rule - CCI-002165 - CAT2 -- name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." +- name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." block: - - name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Message out" + - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained." - - name: "MEDIUM | WN19-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reuseable task." + - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000170' + warn_control_id: 'WN22-00-000170' when: - - wn19_00_000170 + - wn22_00_000170 tags: - - WN19-00-000170 + - WN22-00-000170 - V-205737 - SRG-OS-000324-GPOS-00125 - SV-205737r793220_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled." +- name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled." block: - - name: "MEDIUM | WN19-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | Message out" + - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 outdated or unused accounts must be removed from the system or disabled." - - name: "MEDIUM | WN19-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | import reuseable task." + - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000190' + warn_control_id: 'WN22-00-000190' when: - - wn19_00_000190 + - wn22_00_000190 tags: - - WN19-00-000190 + - WN22-00-000190 - V-205707 - SRG-OS-000118-GPOS-00060 - SV-205707r857292_rule - CCI-000795 - CAT2 -- name: "MEDIUM | WN19-00-000200 | AUDIT | Windows Server 2019 accounts must require passwords." +- name: "MEDIUM | WN22-00-000200 | AUDIT | Windows Server 2019 accounts must require passwords." block: - - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords." 
+ - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords." ansible.windows.win_shell: Get-Aduser -Filter "(Passwordnotrequired -eq 'True') -and (Enabled -eq 'True')" | Select Name,Passwordnotrequired,Enabled changed_when: false failed_when: false check_mode: false - register: wn19_00_000200_audit_dc + register: wn22_00_000200_audit_dc when: ansible_windows_domain_role == "Primary domain controller" - - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords." + - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords." ansible.builtin.debug: msg: - The accounts listed are do not require a password and are currently enabled - - "{{ wn19_00_000200_audit_dc.stdout.split('\n') }}" + - "{{ wn22_00_000200_audit_dc.stdout.split('\n') }}" when: - - not wn19_00_000200_audit_dc is skipped - - wn19_00_000200_audit_dc.stdout != "" + - not wn22_00_000200_audit_dc is skipped + - wn22_00_000200_audit_dc.stdout != "" - - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords." + - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords." ansible.windows.win_shell: Get-LocalUser | Where-Object {($_.PasswordRequired -ne 'True' -and $_.Enabled -eq 'True')} | Select Name,PasswordRequired,Enabled changed_when: false failed_when: false check_mode: false - register: wn19_00_000200_audit_dm_sa + register: wn22_00_000200_audit_dm_sa when: not ansible_windows_domain_role == "Primary domain controller" - - name: "MEDIUM | WN19-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords." + - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords." 
ansible.builtin.debug: msg: - The accounts listed are do not require a password and are currently enabled - - "{{ wn19_00_000200_audit_dm_sa.stdout.split('\n') }}" + - "{{ wn22_00_000200_audit_dm_sa.stdout.split('\n') }}" when: - - not wn19_00_000200_audit_dm_sa is skipped - - wn19_00_000200_audit_dm_sa.stdout != "" + - not wn22_00_000200_audit_dm_sa is skipped + - wn22_00_000200_audit_dm_sa.stdout != "" - name: Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000200' + warn_control_id: 'WN22-00-000200' when: - - not wn19_00_000200_audit_dc is skipped - - wn19_00_000200_audit_dc.stdout != "" or - - not wn19_00_000200_audit_dm_sa is skipped - - wn19_00_000200_audit_dm_sa.stdout != "" + - not wn22_00_000200_audit_dc is skipped + - wn22_00_000200_audit_dc.stdout != "" or + - not wn22_00_000200_audit_dm_sa is skipped + - wn22_00_000200_audit_dm_sa.stdout != "" when: - - wn19_00_000200 + - wn22_00_000200 tags: - - WN19-00-000200 + - WN22-00-000200 - V-205700 - SRG-OS-000104-GPOS-00051 - SV-205700r857294_rule @@ -375,9 +375,9 @@ - audit - CAT2 -- name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire." +- name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire." block: - - name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire." + - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire." ansible.windows.win_shell: | Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} | 
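Review bot: The `when` list on the Warn Count task for WN22-00-000200 is broken and the rename carries it forward unchanged: `- wn22_00_000200_audit_dc.stdout != "" or` leaves a dangling `or` inside one list item, and Ansible treats list items as separate AND-ed conditions, so on a domain member the first item (`not wn22_00_000200_audit_dc is skipped`) is false and the warning is never counted, while on a domain controller the trailing `or` should fail templating. Either way the control is silently missing from the warning summary even when enabled accounts without a required password were found. Collapse it into one expression, e.g. `when: (not wn22_00_000200_audit_dc is skipped and wn22_00_000200_audit_dc.stdout != "") or (not wn22_00_000200_audit_dm_sa is skipped and wn22_00_000200_audit_dm_sa.stdout != "")`. The same task's `- name: Warn Count."` also has a stray trailing quote and lacks the `MEDIUM | WN22-00-000200 | ...` prefix every other warn task in these hunks carries.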
@@ -385,40 +385,40 @@ changed_when: false failed_when: false check_mode: false - register: wn19_00_000210_audit + register: wn22_00_000210_audit - - name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| Message out" + - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 passwords must be configured to expire." - - name: "MEDIUM | WN19-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| import reuseable task." + - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000210' + warn_control_id: 'WN22-00-000210' when: - - wn19_00_000210 + - wn22_00_000210 tags: - - WN19-00-000210 + - WN22-00-000210 - V-205658 - SRG-OS-000076-GPOS-00044 - SV-205658r857297_rule - CAT2 - CCI-000199 -- name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes." +- name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes." block: - - name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | Message out" + - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | Message out" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 system files must be monitored for unauthorized changes." - - name: "MEDIUM | WN19-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | import reuseable task." + - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. 
| import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000220' + warn_control_id: 'WN22-00-000220' when: - - wn19_00_000220 + - wn22_00_000220 tags: - - WN19-00-000220 + - WN22-00-000220 - V-205803 - SRG-OS-000363-GPOS-00150 - SV-205803r860026_rule 
@@ -426,27 +426,27 @@ - CAT2 # Some third party software to monitor files -- name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it." +- name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it." block: - - name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it." + - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it." ansible.windows.win_shell: Get-SmbShare | Where-Object -FilterScript {$_.Special -EQ $False} changed_when: false failed_when: false check_mode: false - register: wn19_00_000230_audit + register: wn22_00_000230_audit - - name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it." + - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it." - - name: "MEDIUM | WN19-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it. | import reuseable task." + - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000230' + warn_control_id: 'WN22-00-000230' when: - - wn19_00_000230 + - wn22_00_000230 tags: - - WN19-00-000230 + - WN22-00-000230 - V-205721 - SRG-OS-000138-GPOS-00069 - SV-205721r569188_rule @@ -454,9 +454,9 @@ - CAT2 # https://stackoverflow.com/questions/31049454/how-to-retrieve-recursively-any-files-with-a-specific-extensions-in-powershell/31049571 -- name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed." +- name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed." block: - - name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed." + - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed." ansible.windows.win_find: paths: c:\ patterns: ['*.p12', '*.pfx'] 
@@ -464,21 +464,21 @@ recurse: true follow: true check_mode: false - register: wn19_00_000240_audit + register: wn22_00_000240_audit when: long_running - - name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed." + - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have software certificate installation files removed." - - name: "MEDIUM | WN19-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed. | import reuseable task." + - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000240' + warn_control_id: 'WN22-00-000240' when: - - wn19_00_000240 + - wn22_00_000240 tags: - - WN19-00-000240 + - WN22-00-000240 - V-205852 - SRG-OS-000480-GPOS-00227 - SV-205852r569188_rule 
@@ -487,20 +487,20 @@ # do we need async; its very long running to search filesystems # get an array of drive letters to search? -- name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." +- name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." block: - - name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." + - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." - - name: "MEDIUM | WN19-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task." + - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000250' + warn_control_id: 'WN22-00-000250' when: - - wn19_00_000250 + - wn22_00_000250 tags: - - WN19-00-000250 + - WN22-00-000250 - V-205727 - SRG-OS-000185-GPOS-00079 - SV-205727r569188_rule 
@@ -509,20 +509,20 @@ - CCI-002476 - CAT2 -- name: "MEDIUM | WN19-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." +- name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." block: - - name: "MEDIUM | WN19-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." + - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." - - name: "MEDIUM | WN19-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reuseable task." 
+ - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000260' + warn_control_id: 'WN22-00-000260' when: - - wn19_00_000260 + - wn22_00_000260 tags: - - WN19-00-000260 + - WN22-00-000260 - V-205829 - SRG-OS-000425-GPOS-00189 - SV-205829r790513_rule 
@@ -530,47 +530,47 @@ - CCI-002422 - CAT2 -- name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented." +- name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented." block: - - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 bust have the roles and features required by the system documented." + - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 bust have the roles and features required by the system documented." ansible.windows.win_shell: Get-WindowsFeature | Where-Object -FilterScript {$_.Installed -EQ $True} changed_when: false failed_when: false check_mode: false - register: wn19_00_000270_audit + register: wn22_00_000270_audit - - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented." + - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have the roles and features required by the system documented." - - name: "MEDIUM | WN19-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented. | import reuseable task." + - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000270' + warn_control_id: 'WN22-00-000270' when: - - wn19_00_000270 + - wn22_00_000270 tags: - - WN19-00-000270 + - WN22-00-000270 - V-205677 - SRG-OS-000095-GPOS-00049 - SV-205677r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled." 
+- name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled." block: - - name: "MEDIUM | WN19-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled." + - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have a host-based firewall installed and enabled." - - name: "MEDIUM | WN19-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled. | import reuseable task." + - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000280' + warn_control_id: 'WN22-00-000280' when: - - wn19_00_000280 + - wn22_00_000280 tags: - - WN19-00-000280 + - WN22-00-000280 - V-214936 - SRG-OS-000480-GPOS-00227 - SV-214936r569188_rule 
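Review bot: `register: wn22_00_000270_audit` captures the `Get-WindowsFeature` output, but nothing in the block reads it — the following debug task prints a fixed manual-task warning, so the installed-roles list the audit gathered never reaches the operator. Either surface it, e.g. `msg: "Warning!! This is a manual task. Windows Server 2019 must have the roles and features required by the system documented. Installed: {{ wn22_00_000270_audit.stdout_lines }}"`, or drop the shell task and the `register` so the block matches the other manual controls. The inner task name also keeps the typo `bust have` that the outer name does not have.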
@@ -578,169 +578,169 @@ - CCI-002080 - CAT2 -- name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." +- name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." block: - - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." + - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." ansible.builtin.debug: msg: "Warning!! This is a manual task. 
Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." - - name: "MEDIUM | WN19-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reuseable task." + - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000290' + warn_control_id: 'WN22-00-000290' when: - - wn19_00_000290 + - wn22_00_000290 tags: - - WN19-00-000290 + - WN22-00-000290 - V-205728 - SRG-OS-000191-GPOS-00080 - SV-205728r793217_rule - CCI-001233 - CAT2 -- name: "MEDIUM | WN19-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." +- name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." 
block: - - name: "MEDIUM | WN19-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." + - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." - - name: "MEDIUM | WN19-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. | import reuseable task." + - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000300' + warn_control_id: 'WN22-00-000300' when: - - wn19_00_000300 + - wn22_00_000300 tags: - - WN19-00-000300 + - WN22-00-000300 - V-205624 - SRG-OS-000002-GPOS-00002 - SV-205624r857301_rule - CCI-000016 - CAT2 -- name: "MEDIUM | WN19-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." +- name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." block: - - name: "MEDIUM | WN19-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." + - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." 
- - name: "MEDIUM | WN19-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | import reuseable task." + - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000310' + warn_control_id: 'WN22-00-000310' when: - - wn19_00_000310 + - wn22_00_000310 tags: - - WN19-00-000310 + - WN22-00-000310 - V-205710 - SRG-OS-000123-GPOS-00064 - SV-205710r857303_rule - CCI-001682 - CAT2 -- name: "MEDIUM | WN19-00-000320 | PATCH | Windows Server 2019 must not have the Fax Server role installed." +- name: "MEDIUM | WN22-00-000320 | PATCH | Windows Server 2019 must not have the Fax Server role installed." ansible.windows.win_feature: name: Fax state: absent notify: reboot_windows when: - - wn19_00_000320 + - wn22_00_000320 tags: - - WN19-00-000320 + - WN22-00-000320 - V-205678 - SRG-OS-000095-GPOS-00049 - SV-205678r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000330 | PATCH | Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization." +- name: "MEDIUM | WN22-00-000330 | PATCH | Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization." ansible.windows.win_feature: name: Web-Ftp-Server state: absent notify: reboot_windows when: - - wn19_00_000330 + - wn22_00_000330 tags: - - WN19-00-000330 + - WN22-00-000330 - V-205697 - SRG-OS-000096-GPOS-00050 - SV-205697r569188_rule - CCI-000382 - CAT2 -- name: "MEDIUM | WN19-00-000340 | PATCH | Windows Server 2019 must not have the Peer Name Resolution Protocol installed." +- name: "MEDIUM | WN22-00-000340 | PATCH | Windows Server 2019 must not have the Peer Name Resolution Protocol installed." 
ansible.windows.win_feature: name: PNRP state: absent notify: reboot_windows when: - - wn19_00_000340 + - wn22_00_000340 tags: - - WN19-00-000340 + - WN22-00-000340 - V-205679 - SRG-OS-000095-GPOS-00049 - SV-205679r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000350 | PATCH | Windows Server 2019 must not have Simple TCP/IP Services installed." +- name: "MEDIUM | WN22-00-000350 | PATCH | Windows Server 2019 must not have Simple TCP/IP Services installed." ansible.windows.win_feature: name: Simple-TCPIP state: absent when: - - wn19_00_000350 + - wn22_00_000350 tags: - - WN19-00-000350 + - WN22-00-000350 - V-205680 - SRG-OS-000095-GPOS-00049 - SV-205680r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000360 | PATCH | Windows Server 2019 must not have the Telnet Client installed." +- name: "MEDIUM | WN22-00-000360 | PATCH | Windows Server 2019 must not have the Telnet Client installed." ansible.windows.win_feature: name: Telnet-Client state: absent when: - - wn19_00_000360 + - wn22_00_000360 tags: - - WN19-00-000360 + - WN22-00-000360 - V-205698 - SRG-OS-000096-GPOS-00050 - SV-205698r569188_rule - CCI-000382 - CAT2 -- name: "MEDIUM | WN19-00-000370 | PATCH | Windows Server 2019 must not have the TFTP Client installed." +- name: "MEDIUM | WN22-00-000370 | PATCH | Windows Server 2019 must not have the TFTP Client installed." ansible.windows.win_feature: name: TFTP-Client state: absent when: - - wn19_00_000370 + - wn22_00_000370 tags: - - WN19-00-000370 + - WN22-00-000370 - V-205681 - SRG-OS-000095-GPOS-00049 - SV-205681r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000380 | PATCH | Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed." +- name: "MEDIUM | WN22-00-000380 | PATCH | Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed." 
ansible.windows.win_feature: name: FS-SMB1 state: absent notify: reboot_windows when: - - wn19_00_000380 + - wn22_00_000380 tags: - - WN19-00-000380 + - WN22-00-000380 - V-205682 - CAT2 - SRG-OS-000095-GPOS-00049 - SV-205682r819711_rule - CCI-000381 -- name: "MEDIUM | WN19-00-000390 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." +- name: "MEDIUM | WN22-00-000390 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: SMB1 @@ -748,16 +748,16 @@ type: dword notify: reboot_windows when: - - wn19_00_000390 + - wn22_00_000390 tags: - - WN19-00-000390 + - WN22-00-000390 - V-205683 - SRG-OS-000095-GPOS-00049 - SV-205683r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000400 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." +- name: "MEDIUM | WN22-00-000400 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 name: Start 
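Review bot: The `Simple-TCPIP`, `Telnet-Client` and `TFTP-Client` removals in this hunk carry no `notify: reboot_windows`, while the `Fax`, `Web-Ftp-Server`, `PNRP` and `FS-SMB1` removals around them do; `win_feature` reports whether a restart is pending, so an inconsistent notify leaves the host in an unflagged pending-reboot state if one of those removals does require it. If the omission is deliberate because those client features never need a restart, a one-line comment on each (`# feature removal needs no reboot`) would stop the next reader from "fixing" it; otherwise add the notify. The inconsistency is present on the 2019 side too, so this is cleanup rather than a regression introduced here.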
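Review bot: The renamed `WN22-00-000400` task repeats the `WN22-00-000390` title "disabled on the SMB server", but its registry path is `HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10`, the SMB1 client driver, whereas 000390 edits `LanmanServer`, the server side; as far as I recall the benchmark wording for this control is "disabled on the SMB client", so the name should read `- name: "MEDIUM | WN22-00-000400 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client."`. Two identically titled tasks also make `--list-tasks` output and run logs ambiguous. The task's `data` line sits outside this hunk, so I could not check the value written to `Start`.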
@@ -765,83 +765,83 @@ type: dword notify: reboot_windows when: - - wn19_00_000400 + - wn22_00_000400 tags: - - WN19-00-000400 + - WN22-00-000400 - V-205684 - SRG-OS-000095-GPOS-00049 - SV-205684r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000410 | PATCH | Windows Server 2019 must not have Windows PowerShell 2.0 installed." +- name: "MEDIUM | WN22-00-000410 | PATCH | Windows Server 2019 must not have Windows PowerShell 2.0 installed." ansible.windows.win_feature: name: PowerShell-V2 state: absent when: - - wn19_00_000410 + - wn22_00_000410 tags: - - WN19-00-000410 + - WN22-00-000410 - V-205685 - SRG-OS-000095-GPOS-00049 - SV-205685r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons." +- name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons." block: - - name: "MEDIUM | WN19-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons." + - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 FTP servers must be configured to prevent anonymous logons." - - name: "MEDIUM | WN19-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | import reuseable task." + - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000420' + warn_control_id: 'WN22-00-000420' when: - - wn19_00_000420 + - wn22_00_000420 tags: - - WN19-00-000420 + - WN22-00-000420 - V-205853 - SRG-OS-000480-GPOS-00227 - SV-205853r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive." +- name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive." block: - - name: "MEDIUM | WN19-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive." + - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 FTP servers must be configured to prevent access to the system drive." - - name: "MEDIUM | WN19-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | import reuseable task." + - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000430' + warn_control_id: 'WN22-00-000430' when: - - wn19_00_000430 + - wn22_00_000430 tags: - - WN19-00-000430 + - WN22-00-000430 - V-205854 - SRG-OS-000480-GPOS-00227 - SV-205854r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" +- name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" block: - - name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" - - name: "MEDIUM | WN19-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights | import reuseable task." + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-00-000450' + warn_control_id: 'WN22-00-000450' when: - - wn19_00_000450 + - wn22_00_000450 tags: - - WN19-00-000450 + - WN22-00-000450 - V-205800 - SRG-OS-000480-GPOS-00227 - SV-205855r569188_rule 
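Review bot: The tags on the `WN22-00-000450` orphaned-SIDs task pair `V-205800` with `SV-205855r569188_rule`, whereas every other control in this hunk pairs matching numbers (`V-205853` with `SV-205853r569188_rule`, `V-205854` with `SV-205854r569188_rule`); one of the two is very likely a copy error and should be checked against the benchmark, since anyone filtering on the `V-` tag will select a different finding than the `SV-` tag claims. The same task's title still reads "must have orphaned security identifiers (SIDs) must be removed", a doubled "must" carried over from the 2019 version; `Windows Server 2019 must have orphaned security identifiers (SIDs) removed from user rights` is the intended sentence.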
@@ -850,38 +850,38 @@ # https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-78127 # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS. -- name: "MEDIUM | WN19-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less." +- name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less." block: - - name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_lockoutbadcount please read" + - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn19stig_lockoutbadcount == 0 or - wn19stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 - - name: "MEDIUM | WN19-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AC-000020' + warn_control_id: 'WN22-AC-000020' when: - - wn19stig_lockoutbadcount == 0 or - wn19stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 - - name: "MEDIUM | WN19-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." + - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." community.windows.win_security_policy: section: System Access key: LockoutBadCount - value: "{{ wn19stig_lockoutbadcount }}" + value: "{{ wn22stig_lockoutbadcount }}" when: - - wn19stig_lockoutbadcount > 0 - - wn19stig_lockoutbadcount <= 3 + - wn22stig_lockoutbadcount > 0 + - wn22stig_lockoutbadcount <= 3 when: - - wn19_ac_000020 + - wn22_ac_000020 - not win19stig_cloud_based_system tags: - - WN19-AC-000020 + - WN22-AC-000020 - V-205629 - SRG-OS-000021-GPOS-00005 - SV-205629r569188_rule 
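Review bot: `- not win19stig_cloud_based_system` in the block-level `when:` was not renamed, while every other variable in this hunk moved from `wn19stig_*` to `wn22stig_*`; if the role's defaults were renamed in the same sweep this condition now references an undefined variable and the whole lockout block fails at runtime, and if they were not, the role keeps one `win19`-prefixed variable that no longer matches its naming scheme. The same unchanged line appears in the `@@ -889` and `@@ -925` hunks. Separately, the warning text `invalid number of days set for wn22stig_lockoutbadcount` describes a count of attempts, not days; `invalid number of attempts set for wn22stig_lockoutbadcount` matches what the `== 0 or > 3` condition checks.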
@@ -889,35 +889,35 @@ - CAT2 # below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN19-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." block: - - name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_resetlockoutcount please read" + - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn19stig_resetlockoutcount < 15 + - wn22stig_resetlockoutcount < 15 - - name: MEDIUM | WN19-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AC-000030' + warn_control_id: 'WN22-AC-000030' when: - - wn19stig_resetlockoutcount < 15 + - wn22stig_resetlockoutcount < 15 - - name: "MEDIUM | WN19-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" + - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" community.windows.win_security_policy: section: System Access key: ResetLockoutCount - value: "{{ wn19stig_resetlockoutcount }}" + value: "{{ wn22stig_resetlockoutcount }}" when: - - wn19stig_resetlockoutcount >= 15 + - wn22stig_resetlockoutcount >= 15 when: - - wn19_ac_000030 + - wn22_ac_000030 - not win19stig_cloud_based_system tags: - - WN19-AC-000030 + - WN22-AC-000030 - V-205630 - SRG-OS-000021-GPOS-00005 - SV-205630r569188_rule 
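Review bot: The comment above the `WN22-AC-000030` task still refers to `WN16-AC-000020`, the Server 2016 control ID, and should read `# below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? ...` now that the sibling comment in the `@@ -925` hunk was updated. The two inner AUDIT task names in this hunk are missing their opening `"` (`- name: MEDIUM | WN22-AC-000030 | AUDIT | ... greater."`), so YAML parses them as plain scalars whose value ends in a literal quote; add the opening quote as the PATCH task below does. The warning text also says `invalid number of days` for `wn22stig_resetlockoutcount`, which the `< 15` check and the control title treat as minutes.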
@@ -925,174 +925,174 @@ - CCI-002238 - CAT2 -# below task is dependent on WN19-AC-000020 and WN19-AC-000030, maybe custom fail when known error if WN19-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater." +# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater." block: - - name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for wn19stig_lockoutduration please read" + - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn19stig_lockoutduration < 15 - - wn19stig_lockoutduration > 0 + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 - - name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warn Count." + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AC-000010' + warn_control_id: 'WN22-AC-000010' when: - - wn19stig_lockoutduration < 15 - - wn19stig_lockoutduration > 0 + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 - - name: "MEDIUM | WN19-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Apply Variable." + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Apply Variable." community.windows.win_security_policy: section: System Access key: LockoutDuration - value: "{{ wn19stig_lockoutduration }}" + value: "{{ wn22stig_lockoutduration }}" when: - - wn19stig_lockoutduration == 0 or - wn19stig_lockoutduration >= 15 + - wn22stig_lockoutduration == 0 or + wn22stig_lockoutduration >= 15 when: - - wn19_ac_000010 + - wn22_ac_000010 - not win19stig_cloud_based_system tags: - - WN19-AC-000010 + - WN22-AC-000010 - V-205795 - SRG-OS-000329-GPOS-00128 - SV-205795r569188_rule - CCI-002238 - CAT2 -- name: "MEDIUM | WN19-AC-000040 | PATCH | Windows Server 2019 password history must be configured to 24 passwords remembered." +- name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2019 password history must be configured to 24 passwords remembered." community.windows.win_security_policy: section: System Access key: PasswordHistorySize value: 24 when: - - wn19_ac_000040 + - wn22_ac_000040 tags: - - WN19-AC-000040 + - WN22-AC-000040 - V-205660 - SRG-OS-000077-GPOS-00045 - SV-205660r569188_rule - CCI-000200 - CAT2 -- name: "MEDIUM | WN19-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less." +- name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less." block: - - name: "MEDIUM | WN19-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. 
| Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_maximumpasswordage please read" + - "Warning!! You have a invalid number of days set for wn22stig_maximumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn19stig_maximumpasswordage == 0 or - wn19stig_maximumpasswordage > 60 + - wn22stig_maximumpasswordage == 0 or + wn22stig_maximumpasswordage > 60 - - name: "MEDIUM | WN19-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warn Count." + - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AC-000050' + warn_control_id: 'WN22-AC-000050' when: - - wn19stig_maximumpasswordage == 0 or - wn19stig_maximumpasswordage > 60 + - wn22stig_maximumpasswordage == 0 or + wn22stig_maximumpasswordage > 60 - - name: "MEDIUM | WN19-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less. | Apply Variable." + - name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less. | Apply Variable." 
community.windows.win_security_policy: section: System Access key: MaximumPasswordAge - value: "{{ wn19stig_maximumpasswordage }}" + value: "{{ wn22stig_maximumpasswordage }}" when: - - wn19stig_maximumpasswordage > 0 - - wn19stig_maximumpasswordage <= 60 + - wn22stig_maximumpasswordage > 0 + - wn22stig_maximumpasswordage <= 60 when: - - wn19_ac_000050 + - wn22_ac_000050 tags: - - WN19-AC-000050 + - WN22-AC-000050 - V-205659 - SRG-OS-000076-GPOS-00044 - SV-205659r569188_rule - CCI-000199 - CAT2 -- name: "MEDIUM | WN19-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day." +- name: "MEDIUM | WN22-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day." block: - - name: "MEDIUM | WN19-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn19stig_minimumpasswordage please read" + - "Warning!! You have a invalid number of days set for wn22stig_minimumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn19stig_minimumpasswordage == 0 + - wn22stig_minimumpasswordage == 0 - - name: "MEDIUM | WN19-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warn Count." + - name: "MEDIUM | WN22-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AC-000060' + warn_control_id: 'WN22-AC-000060' when: - wn19stig_minimumpasswordage == 0 + wn22stig_minimumpasswordage == 0 - - name: "MEDIUM | WN19-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day. | Set Variable." + - name: "MEDIUM | WN22-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day. | Set Variable." community.windows.win_security_policy: section: System Access key: MinimumPasswordAge - value: "{{ wn19stig_minimumpasswordage }}" + value: "{{ wn22stig_minimumpasswordage }}" when: - wn19stig_minimumpasswordage > 0 + wn22stig_minimumpasswordage > 0 when: - - wn19_ac_000060 + - wn22_ac_000060 tags: - - WN19-AC-000060 + - WN22-AC-000060 - V-205656 - SRG-OS-000075-GPOS-00043 - SV-205656r569188_rule - CCI-000198 - CAT2 -- name: "MEDIUM | WN19-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters." +- name: "MEDIUM | WN22-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters." block: - - name: "MEDIUM | WN19-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid password length for wn19stig_minimumpasswordlength please read" + - "Warning!! You have a invalid password length for wn22stig_minimumpasswordlength please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." 
when: - - wn19stig_minimumpasswordlength < 14 + - wn22stig_minimumpasswordlength < 14 - - name: "MEDIUM | WN19-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warn Count." + - name: "MEDIUM | WN22-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AC-000070' + warn_control_id: 'WN22-AC-000070' when: - - wn19stig_minimumpasswordlength < 14 + - wn22stig_minimumpasswordlength < 14 - - name: "MEDIUM | WN19-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters. | Apply Variable." + - name: "MEDIUM | WN22-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters. | Apply Variable." community.windows.win_security_policy: section: System Access key: MinimumPasswordLength - value: "{{ wn19stig_minimumpasswordlength }}" + value: "{{ wn22stig_minimumpasswordlength }}" when: - - wn19stig_minimumpasswordlength >= 14 + - wn22stig_minimumpasswordlength >= 14 when: - - wn19_ac_000070 + - wn22_ac_000070 tags: - - WN19-AC-000070 + - WN22-AC-000070 - V-205662 - SRG-OS-000078-GPOS-00046 - SV-205662r569188_rule - CCI-000205 - CAT2 -- name: "MEDIUM | WN19-AC-000080 | PATCH | Windows Server 2019 must have the built-in Windows password complexity policy enabled." +- name: "MEDIUM | WN22-AC-000080 | PATCH | Windows Server 2019 must have the built-in Windows password complexity policy enabled." community.windows.win_security_policy: section: System Access key: PasswordComplexity value: 1 when: - - wn19_ac_000080 + - wn22_ac_000080 tags: - - WN19-AC-000080 + - WN22-AC-000080 - V-205652 - SRG-OS-000069-GPOS-00037 - SV-205652r569188_rule 
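Review bot: The `WN22-AC-000060` block writes its `when:` conditions as bare scalars (`when: wn22stig_minimumpasswordage == 0` and `when: wn22stig_minimumpasswordage > 0`) whereas every sibling control in this hunk uses the list form with a `- ` item; both parse, but the mixed style makes the conditions harder to scan and diff, so the list form used by `WN22-AC-000050` and `WN22-AC-000070` is preferable. Its PATCH task is also labelled `| Set Variable.` where the other controls say `| Apply Variable.`, which matters if anyone greps run logs for the apply steps. Apart from the rename, the lockout-duration and password-age logic in this hunk is unchanged.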
@@ -1102,40 +1102,40 @@ - CCI-001619 - CAT2 -- name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." +- name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." block: - - name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." + - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." - - name: "MEDIUM | WN19-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | import reuseable task." + - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AU-000010' + warn_control_id: 'WN22-AU-000010' when: - - wn19_au_000010 + - wn22_au_000010 tags: - - WN19-AU-000010 + - WN22-AU-000010 - V-205799 - SRG-OS-000342-GPOS-00133 - SV-205799r569188_rule - CCI-001851 - CAT2 -- name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." +- name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." 
block: - - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." + - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." - - name: "MEDIUM | WN19-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task." + - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AU-000020' + warn_control_id: 'WN22-AU-000020' when: - - wn19_au_000020 + - wn22_au_000020 tags: - - WN19-AU-000020 + - WN22-AU-000020 - V-205843 - SRG-OS-000479-GPOS-00224 - SV-205843r860027_rule 
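Review bot: The renamed task names and debug messages still describe "Windows Server 2019" while the control IDs now read WN22, e.g. `- name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited."`; the same mismatch is in every other hunk of this file, including the WN22-AC-000060/000070/000080 tasks above and each WN22-AU hunk below. The `V-`, `SV-` and `SRG-` tag lines are unchanged context and appear to be carried over from the 2019 role, so they should be verified against the Server 2022 STIG rather than assumed to match the new IDs. A consistent fix is to write `Windows Server 2022` in each name and warning message, for example `- name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited."`. The WN22-AU-000020 task's tag list continues past the end of this hunk.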
@@ -1143,20 +1143,20 @@ - CAT2 # hard one, either need to standardize on say log shipping like splunk or other is set? -- name: "MEDIUM | WN19-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." +- name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN19-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." - - name: "MEDIUM | WN19-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. | import reuseable task." + - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AU-000030' + warn_control_id: 'WN22-AU-000030' when: - - wn19_au_000030 + - wn22_au_000030 tags: - - WN19-AU-000030 + - WN22-AU-000030 - V-205640 - SRG-OS-000057-GPOS-00027 - SV-205640r569188_rule 
@@ -1165,20 +1165,20 @@ - CCI-000164 - CAT2 -- name: "MEDIUM | WN19-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." +- name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN19-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." - - name: "MEDIUM | WN19-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. | import reuseable task." + - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AU-000040' + warn_control_id: 'WN22-AU-000040' when: - - wn19_au_000040 + - wn22_au_000040 tags: - - WN19-AU-000040 + - WN22-AU-000040 - V-205641 - SRG-OS-000057-GPOS-00027 - SV-205641r569188_rule 
@@ -1187,20 +1187,20 @@ - CCI-000164 - CAT2 -- name: "MEDIUM | WN19-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." +- name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN19-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." - - name: "MEDIUM | WN19-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. | import reuseable task." + - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AU-000050' + warn_control_id: 'WN22-AU-000050' when: - - wn19_au_000050 + - wn22_au_000050 tags: - - WN19-AU-000050 + - WN22-AU-000050 - V-205642 - SRG-OS-000057-GPOS-00027 - SV-205642r569188_rule 
@@ -1209,20 +1209,20 @@ - CCI-000164 - CAT2 -- name: "MEDIUM | WN19-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." +- name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." block: - - name: "MEDIUM | WN19-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." + - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." - - name: "MEDIUM | WN19-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. | import reuseable task." + - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-AU-000060' + warn_control_id: 'WN22-AU-000060' when: - - wn19_au_000060 + - wn22_au_000060 tags: - - WN19-AU-000060 + - WN22-AU-000060 - V-205731 - SRG-OS-000257-GPOS-00098 - SV-205731r569188_rule 
@@ -1230,66 +1230,66 @@ - CCI-001495 - CAT2 -- name: "MEDIUM | WN19-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." +- name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." block: - - name: "MEDIUM | WN19-AU-000070 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." + - name: "MEDIUM | WN22-AU-000070 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000070_audit + register: wn22_au_000070_audit - - name: "MEDIUM | WN19-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." + - name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable - when: "'Success' not in wn19_au_000070_audit.stdout" + when: "'Success' not in wn22_au_000070_audit.stdout" when: - - wn19_au_000070 + - wn22_au_000070 tags: - - WN19-AU-000070 + - WN22-AU-000070 - V-205832 - SRG-OS-000470-GPOS-00214 - SV-205832r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." +- name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." block: - - name: "MEDIUM | WN19-AU-000080 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." 
+ - name: "MEDIUM | WN22-AU-000080 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000080_audit + register: wn22_au_000080_audit - - name: "MEDIUM | WN19-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." + - name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable - when: "'Failure' not in wn19_au_000080_audit.stdout" + when: "'Failure' not in wn22_au_000080_audit.stdout" when: - - wn19_au_000080 + - wn22_au_000080 tags: - - WN19-AU-000080 + - WN22-AU-000080 - V-205833 - SRG-OS-000470-GPOS-00214 - SV-205833r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." +- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." block: - - name: "MEDIUM | WN19-AU-000090 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000090 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000090_audit + register: wn22_au_000090_audit - - name: "MEDIUM | WN19-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable - when: "'Success' not in wn19_au_000090_audit.stdout" + when: "'Success' not in wn22_au_000090_audit.stdout" when: - - wn19_au_000090 + - wn22_au_000090 tags: - - WN19-AU-000090 + - WN22-AU-000090 - V-205769 - SRG-OS-000327-GPOS-00127 - SV-205769r569188_rule 
@@ -1297,22 +1297,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." +- name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." block: - - name: "MEDIUM | WN19-AU-000120 | AUDIT | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." + - name: "MEDIUM | WN22-AU-000120 | AUDIT | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000120_audit + register: wn22_au_000120_audit - - name: "MEDIUM | WN19-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." + - name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable - when: "'Failure' not in wn19_au_000120_audit.stdout" + when: "'Failure' not in wn22_au_000120_audit.stdout" when: - - wn19_au_000120 + - wn22_au_000120 tags: - - WN19-AU-000120 + - WN22-AU-000120 - V-205627 - SRG-OS-000004-GPOS-00004 - SV-205627r569188_rule 
@@ -1324,44 +1324,44 @@ - CCI-002130 - CAT2 -- name: "MEDIUM | WN19-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." +- name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." block: - - name: "MEDIUM | WN19-AU-000130 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." + - name: "MEDIUM | WN22-AU-000130 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000130_audit + register: wn22_au_000130_audit - - name: "MEDIUM | WN19-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." + - name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable - when: "'Success' not in wn19_au_000130_audit.stdout" + when: "'Success' not in wn22_au_000130_audit.stdout" when: - - wn19_au_000130 + - wn22_au_000130 tags: - - WN19-AU-000130 + - WN22-AU-000130 - V-205839 - SRG-OS-000474-GPOS-00219 - SV-205839r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." +- name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." block: - - name: "MEDIUM | WN19-AU-000140 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." 
+ - name: "MEDIUM | WN22-AU-000140 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000140_audit + register: wn22_au_000140_audit - - name: "MEDIUM | WN19-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." + - name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - when: "'Success' not in wn19_au_000140_audit.stdout" + when: "'Success' not in wn22_au_000140_audit.stdout" when: - - wn19_au_000140 + - wn22_au_000140 tags: - - WN19-AU-000140 + - WN22-AU-000140 - V-205770 - SRG-OS-000327-GPOS-00127 - SV-205770r569188_rule 
@@ -1369,22 +1369,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." +- name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." block: - - name: "MEDIUM | WN19-AU-000150 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." + - name: "MEDIUM | WN22-AU-000150 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000150_audit + register: wn22_au_000150_audit - - name: "MEDIUM | WN19-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." + - name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable - when: "'Success' not in wn19_au_000150_audit.stdout" + when: "'Success' not in wn22_au_000150_audit.stdout" when: - - wn19_au_000150 + - wn22_au_000150 tags: - - WN19-AU-000150 + - WN22-AU-000150 - V-205729 - SRG-OS-000240-GPOS-00090 - SV-205729r569188_rule 
@@ -1392,22 +1392,22 @@ - CCI-001404 - CAT2 -- name: "MEDIUM | WN19-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." +- name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." block: - - name: "MEDIUM | WN19-AU-000160 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." + - name: "MEDIUM | WN22-AU-000160 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000160_audit + register: wn22_au_000160_audit - - name: "MEDIUM | WN19-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." + - name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable - when: "'Failure' not in wn19_au_000160_audit.stdout" + when: "'Failure' not in wn22_au_000160_audit.stdout" when: - - wn19_au_000160 + - wn22_au_000160 tags: - - WN19-AU-000160 + - WN22-AU-000160 - V-205730 - SRG-OS-000240-GPOS-00090 - SV-205730r569188_rule 
@@ -1415,44 +1415,44 @@ - CCI-001404 - CAT2 -- name: "MEDIUM | WN19-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." +- name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." block: - - name: "MEDIUM | WN19-AU-000170 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." + - name: "MEDIUM | WN22-AU-000170 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000170_audit + register: wn22_au_000170_audit - - name: "MEDIUM | WN19-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." + - name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - when: "'Success' not in wn19_au_000170_audit.stdout" + when: "'Success' not in wn22_au_000170_audit.stdout" when: - - wn19_au_000170 + - wn22_au_000170 tags: - - WN19-AU-000170 + - WN22-AU-000170 - V-205834 - SRG-OS-000470-GPOS-00214 - SV-205834r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes." +- name: "MEDIUM | WN22-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes." block: - - name: "MEDIUM | WN19-AU-000180 | AUDIT | Windows Server 2019 must be configured to audit logoff successes." + - name: "MEDIUM | WN22-AU-000180 | AUDIT | Windows Server 2019 must be configured to audit logoff successes." 
ansible.windows.win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000180_audit + register: wn22_au_000180_audit - - name: "MEDIUM | WN19-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes." + - name: "MEDIUM | WN22-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - when: "'Success' not in wn19_au_000180_audit.stdout" + when: "'Success' not in wn22_au_000180_audit.stdout" when: - - wn19_au_000180 + - wn22_au_000180 tags: - - WN19-AU-000180 + - WN22-AU-000180 - V-205838 - SRG-OS-000472-GPOS-00217 - SV-205838r569188_rule 
@@ -1460,22 +1460,22 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-AU-000190 | PATCH | Windows Server 2019 must be configured to audit logon successes." +- name: "MEDIUM | WN22-AU-000190 | PATCH | Windows Server 2019 must be configured to audit logon successes." block: - - name: "MEDIUM | WN19-AU-000190 | AUDIT | Windows Server 2019 must be configured to audit logon successes." + - name: "MEDIUM | WN22-AU-000190 | AUDIT | Windows Server 2019 must be configured to audit logon successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000190_audit + register: wn22_au_000190_audit - - name: "MEDIUM | WN19-AU-000190 | PATCH Windows Server 2019 must be configured to audit logon successes." + - name: "MEDIUM | WN22-AU-000190 | PATCH Windows Server 2019 must be configured to audit logon successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /success:enable - when: "'Success' not in wn19_au_000190_audit.stdout" + when: "'Success' not in wn22_au_000190_audit.stdout" when: - - wn19_au_000190 + - wn22_au_000190 tags: - - WN19-AU-000190 + - WN22-AU-000190 - V-205634 - SRG-OS-000032-GPOS-00013 - SV-205634r569188_rule 
@@ -1483,22 +1483,22 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures" +- name: "MEDIUM | WN22-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures" block: - - name: "MEDIUM | WN19-AU-000200 | AUDIT | Windows Server 2019 must be configured to audit logon failures" + - name: "MEDIUM | WN22-AU-000200 | AUDIT | Windows Server 2019 must be configured to audit logon failures" ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000200_audit + register: wn22_au_000200_audit - - name: "MEDIUM | WN19-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures" + - name: "MEDIUM | WN22-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures" ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /failure:enable - when: "'Failure' not in wn19_au_000200_audit.stdout" + when: "'Failure' not in wn22_au_000200_audit.stdout" when: - - wn19_au_000200 + - wn22_au_000200 tags: - - WN19-AU-000200 + - WN22-AU-000200 - V-205635 - SRG-OS-000032-GPOS-00013 - SV-205635r569188_rule 
@@ -1506,116 +1506,116 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." +- name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." block: - - name: "MEDIUM | WN19-AU-000210 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." + - name: "MEDIUM | WN22-AU-000210 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000210_audit + register: wn22_au_000210_audit - - name: "MEDIUM | WN19-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." + - name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - when: "'Success' not in wn19_au_000210_audit.stdout" + when: "'Success' not in wn22_au_000210_audit.stdout" when: - - wn19_au_000210 + - wn22_au_000210 tags: - - WN19-AU-000210 + - WN22-AU-000210 - V-205835 - SRG-OS-000470-GPOS-00214 - SV-205835r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000220 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes." +- name: "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes." 
community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure when: - - wn19_au_000220 + - wn22_au_000220 tags: - - WN19-AU-000220 + - WN22-AU-000220 - V-205836 - SRG-OS-000470-GPOS-00214 - SV-205836r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000230 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures." +- name: "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures." community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure when: - - wn19_au_000230 + - wn22_au_000230 tags: - - WN19-AU-000230 + - WN22-AU-000230 - V-205837 - SRG-OS-000470-GPOS-00214 - SV-205837r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." +- name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." block: - - name: "MEDIUM | WN19-AU-000240 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." + - name: "MEDIUM | WN22-AU-000240 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000240_audit + register: wn22_au_000240_audit - - name: "MEDIUM | WN19-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." + - name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." 
ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - when: "'Success' not in wn19_au_000240_audit.stdout" + when: "'Success' not in wn22_au_000240_audit.stdout" when: - - wn19_au_000240 + - wn22_au_000240 tags: - - WN19-AU-000240 + - WN22-AU-000240 - V-205840 - SRG-OS-000474-GPOS-00219 - SV-205840r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." +- name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." block: - - name: "MEDIUM | WN19-AU-000250 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." + - name: "MEDIUM | WN22-AU-000250 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000250_audit + register: wn22_au_000250_audit - - name: "MEDIUM | WN19-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." + - name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable - when: "'Failure' not in wn19_au_000250_audit.stdout" + when: "'Failure' not in wn22_au_000250_audit.stdout" when: - - wn19_au_000250 + - wn22_au_000250 tags: - - WN19-AU-000250 + - WN22-AU-000250 - V-205841 - SRG-OS-000474-GPOS-00219 - SV-205841r569188_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN19-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." 
+- name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." block: - - name: "MEDIUM | WN19-AU-000260 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." + - name: "MEDIUM | WN22-AU-000260 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000260_audit + register: wn22_au_000260_audit - - name: "MEDIUM | WN19-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." + - name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - when: "'Success' not in wn19_au_000260_audit.stdout" + when: "'Success' not in wn22_au_000260_audit.stdout" when: - - wn19_au_000260 + - wn22_au_000260 tags: - - WN19-AU-000260 + - WN22-AU-000260 - V-205771 - SRG-OS-000327-GPOS-00127 - SV-205771r569188_rule 
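Review bot: `WN22-AU-000220` and `WN22-AU-000230` both pass `audit_type: success, failure` to `community.windows.win_audit_policy_system`, so enabling either control variable turns on both success and failure auditing for Other Object Access Events, and disabling one of them does not remove what the other applies. This is unchanged context, but the separate `wn22_au_000220` and `wn22_au_000230` switches suggest a per-control split was intended, matching the `/success:enable` and `/failure:enable` split used by the neighbouring AuditPol tasks. If so, the successes task should set `audit_type: success` and the failures task `audit_type: failure`. The WN22-AU-000260 task's tag list continues past the end of this hunk.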
@@ -1623,22 +1623,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." +- name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." block: - - name: "MEDIUM | WN19-AU-000270 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." + - name: "MEDIUM | WN22-AU-000270 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000270_audit + register: wn22_au_000270_audit - - name: "MEDIUM | WN19-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." + - name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /failure:enable - when: "'Failure' not in wn19_au_000270_audit.stdout" + when: "'Failure' not in wn22_au_000270_audit.stdout" when: - - wn19_au_000270 + - wn22_au_000270 tags: - - WN19-AU-000270 + - WN22-AU-000270 - V-205772 - SRG-OS-000327-GPOS-00127 - SV-205772r569188_rule 
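Review bot: The renamed task names in this hunk still describe the target as "Windows Server 2019" (the top-level `- name:` for WN22-AU-000270 and both nested AUDIT/PATCH names), so the control id now says WN22 while the description says 2019. If the role is being ported to Server 2022 the text should read `Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures.` or drop the product name entirely, as the WN22-AU-000370 AUDIT task already does. The same mismatch appears in every other hunk of this file (WN22-AU-000280 through WN22-AU-000390 and WN22-CC-000010 through WN22-CC-000080). The STIG rule tags (V-205772, SV-205772r569188_rule) were also left as-is; presumably they are the 2019 STIG's identifiers and would need remapping to the 2022 STIG's ids before this is used for compliance reporting — worth confirming.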
@@ -1646,22 +1646,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." +- name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." block: - - name: "MEDIUM | WN19-AU-000280 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." + - name: "MEDIUM | WN22-AU-000280 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000280_audit + register: wn22_au_000280_audit - - name: "MEDIUM | WN19-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." + - name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - when: "'Success' not in wn19_au_000280_audit.stdout" + when: "'Success' not in wn22_au_000280_audit.stdout" when: - - wn19_au_000280 + - wn22_au_000280 tags: - - WN19-AU-000280 + - WN22-AU-000280 - V-205773 - SRG-OS-000327-GPOS-00127 - SV-205773r569188_rule 
@@ -1669,22 +1669,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." +- name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." block: - - name: "MEDIUM | WN19-AU-000290 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." + - name: "MEDIUM | WN22-AU-000290 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000290_audit + register: wn22_au_000290_audit - - name: "MEDIUM | WN19-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." + - name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - when: "'Success' not in wn19_au_000290_audit.stdout" + when: "'Success' not in wn22_au_000290_audit.stdout" when: - - wn19_au_000290 + - wn22_au_000290 tags: - - WN19-AU-000290 + - WN22-AU-000290 - V-205774 - SRG-OS-000327-GPOS-00127 - SV-205774r569188_rule 
@@ -1692,22 +1692,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." +- name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." block: - - name: "MEDIUM | WN19-AU-000300 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." + - name: "MEDIUM | WN22-AU-000300 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000300_audit + register: wn22_au_000300_audit - - name: "MEDIUM | WN19-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." + - name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable - when: "'Success' not in wn19_au_000300_audit.stdout" + when: "'Success' not in wn22_au_000300_audit.stdout" when: - - wn19_au_000300 + - wn22_au_000300 tags: - - WN19-AU-000300 + - WN22-AU-000300 - V-205775 - SRG-OS-000327-GPOS-00127 - SV-205775r569188_rule 
@@ -1715,22 +1715,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." +- name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." block: - - name: "MEDIUM | WN19-AU-000310 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." + - name: "MEDIUM | WN22-AU-000310 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000310_audit + register: wn22_au_000310_audit - - name: "MEDIUM | WN19-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." + - name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable - when: "'Failure' not in wn19_au_000310_audit.stdout" + when: "'Failure' not in wn22_au_000310_audit.stdout" when: - - wn19_au_000310 + - wn22_au_000310 tags: - - WN19-AU-000310 + - WN22-AU-000310 - V-205776 - SRG-OS-000327-GPOS-00127 - SV-205776r569188_rule 
@@ -1738,22 +1738,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes." +- name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes." block: - - name: "MEDIUM | WN19-AU-000320 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver successes." + - name: "MEDIUM | WN22-AU-000320 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver successes." ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000320_audit + register: wn22_au_000320_audit - - name: "MEDIUM | WN19-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes." + - name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes." ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable - when: "'Success' not in wn19_au_000320_audit.stdout" + when: "'Success' not in wn22_au_000320_audit.stdout" when: - - wn19_au_000320 + - wn22_au_000320 tags: - - WN19-AU-000320 + - WN22-AU-000320 - V-205777 - SRG-OS-000327-GPOS-00127 - SV-205777r569188_rule 
@@ -1761,22 +1761,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures." +- name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures." block: - - name: "MEDIUM | WN19-AU-000330 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver failures." + - name: "MEDIUM | WN22-AU-000330 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver failures." ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000330_audit + register: wn22_au_000330_audit - - name: "MEDIUM | WN19-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures." + - name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures." ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable - when: "'Success' not in wn19_au_000330_audit.stdout" + when: "'Success' not in wn22_au_000330_audit.stdout" when: - - wn19_au_000330 + - wn22_au_000330 tags: - - WN19-AU-000330 + - WN22-AU-000330 - V-205778 - SRG-OS-000327-GPOS-00127 - SV-205778r569188_rule 
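Review bot: The PATCH task for WN22-AU-000330 enables `/failure:enable` on the IPsec Driver subcategory, but its guard tests `'Success' not in wn22_au_000330_audit.stdout`, so remediation is skipped whenever success auditing is already on even if failure auditing is off, and runs needlessly when only failure auditing is set. The sibling failure controls in this file (WN22-AU-000310, WN22-AU-000350, WN22-AU-000390) test for 'Failure', and this one should match: `when: "'Failure' not in wn22_au_000330_audit.stdout"`. The rename carried this condition over from the WN19 version unchanged, so the wrong check now exists on both sides of the diff.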
@@ -1784,22 +1784,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes." +- name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes." block: - - name: "MEDIUM | WN19-AU-000340 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events successes." + - name: "MEDIUM | WN22-AU-000340 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000340_audit + register: wn22_au_000340_audit - - name: "MEDIUM | WN19-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes." + - name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable - when: "'Success' not in wn19_au_000340_audit.stdout" + when: "'Success' not in wn22_au_000340_audit.stdout" when: - - wn19_au_000340 + - wn22_au_000340 tags: - - WN19-AU-000340 + - WN22-AU-000340 - V-205779 - SRG-OS-000327-GPOS-00127 - SV-205779r569188_rule 
@@ -1807,22 +1807,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures." +- name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures." block: - - name: "MEDIUM | WN19-AU-000350 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events failures." + - name: "MEDIUM | WN22-AU-000350 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000350_audit + register: wn22_au_000350_audit - - name: "MEDIUM | WN19-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures." + - name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable - when: "'Failure' not in wn19_au_000350_audit.stdout" + when: "'Failure' not in wn22_au_000350_audit.stdout" when: - - wn19_au_000350 + - wn22_au_000350 tags: - - WN19-AU-000350 + - WN22-AU-000350 - V-205780 - SRG-OS-000327-GPOS-00127 - SV-205780r569188_rule 
@@ -1830,22 +1830,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes." +- name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes." block: - - name: "MEDIUM | WN19-AU-000360 | AUDIT | Windows Server 2019 must be configured to audit System - Security State Change successes." + - name: "MEDIUM | WN22-AU-000360 | AUDIT | Windows Server 2019 must be configured to audit System - Security State Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000360_audit + register: wn22_au_000360_audit - - name: "MEDIUM | WN19-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes." + - name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - when: "'Success' not in wn19_au_000360_audit.stdout" + when: "'Success' not in wn22_au_000360_audit.stdout" when: - - wn19_au_000360 + - wn22_au_000360 tags: - - WN19-AU-000360 + - WN22-AU-000360 - V-205781 - SRG-OS-000327-GPOS-00127 - SV-205781r569188_rule 
@@ -1853,22 +1853,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000370 | PATCH | Windows Server 2019 must be configured to audit System - Security System Extension successes." +- name: "MEDIUM | WN22-AU-000370 | PATCH | Windows Server 2019 must be configured to audit System - Security System Extension successes." block: - - name: "MEDIUM | WN19-AU-000370 | AUDIT | Must be configured to audit System - Security System Extension successes." + - name: "MEDIUM | WN22-AU-000370 | AUDIT | Must be configured to audit System - Security System Extension successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000370_audit + register: wn22_au_000370_audit - - name: "MEDIUM | WN19-AU-000370 | PATCH | Must be configured to audit System - Security System Extension successes." + - name: "MEDIUM | WN22-AU-000370 | PATCH | Must be configured to audit System - Security System Extension successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - when: "'Success' not in wn19_au_000370_audit.stdout" + when: "'Success' not in wn22_au_000370_audit.stdout" when: - - wn19_au_000370 + - wn22_au_000370 tags: - - WN19-AU-000370 + - WN22-AU-000370 - V-205782 - SRG-OS-000327-GPOS-00127 - SV-205782r569188_rule 
@@ -1876,22 +1876,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes." +- name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes." block: - - name: "MEDIUM | WN19-AU-000380 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity successes." + - name: "MEDIUM | WN22-AU-000380 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity successes." ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000380_audit + register: wn22_au_000380_audit - - name: "MEDIUM | WN19-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes." + - name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes." ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable - when: "'Success' not in wn19_au_000380_audit.stdout" + when: "'Success' not in wn22_au_000380_audit.stdout" when: - - wn19_au_000380 + - wn22_au_000380 tags: - - WN19-AU-000380 + - WN22-AU-000380 - V-205783 - SRG-OS-000327-GPOS-00127 - SV-205783r569188_rule 
@@ -1899,22 +1899,22 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures." +- name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures." block: - - name: "MEDIUM | WN19-AU-000390 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity failures." + - name: "MEDIUM | WN22-AU-000390 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity failures." ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_au_000390_audit + register: wn22_au_000390_audit - - name: "MEDIUM | WN19-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures." + - name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures." ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable - when: "'Failure' not in wn19_au_000390_audit.stdout" + when: "'Failure' not in wn22_au_000390_audit.stdout" when: - - wn19_au_000390 + - wn22_au_000390 tags: - - WN19-AU-000390 + - WN22-AU-000390 - V-205784 - SRG-OS-000327-GPOS-00127 - SV-205784r569188_rule 
@@ -1923,48 +1923,48 @@ - CAT2 # some versions may be core/no gui, may need a prelim to detect? -- name: "MEDIUM | WN19-CC-000010 | PATCH | Windows Server 2019 must prevent the display of slide shows on the lock screen." +- name: "MEDIUM | WN22-CC-000010 | PATCH | Windows Server 2019 must prevent the display of slide shows on the lock screen." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization value: NoLockScreenSlideshow data: 1 datatype: dword when: - - wn19_cc_000010 + - wn22_cc_000010 tags: - - WN19-CC-000010 + - WN22-CC-000010 - V-205686 - SRG-OS-000095-GPOS-00049 - SV-205686r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-CC-000020 | PATCH | Windows Server 2019 must have WDigest Authentication disabled." +- name: "MEDIUM | WN22-CC-000020 | PATCH | Windows Server 2019 must have WDigest Authentication disabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest value: UseLogonCredential data: 0 datatype: dword when: - - wn19_cc_000020 + - wn22_cc_000020 tags: - - WN19-CC-000020 + - WN22-CC-000020 - V-205687 - SRG-OS-000095-GPOS-00049 - SV-205687r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-CC-000070 | PATCH | Windows Server 2019 insecure logons to an SMB server must be disabled." +- name: "MEDIUM | WN22-CC-000070 | PATCH | Windows Server 2019 insecure logons to an SMB server must be disabled." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation value: AllowInsecureGuestAuth data: 0 datatype: dword when: - - wn19_cc_000070 + - wn22_cc_000070 tags: - - WN19-CC-000070 + - WN22-CC-000070 - V-205861 - SRG-OS-000480-GPOS-00227 - SV-205861r569188_rule 
@@ -1972,7 +1972,7 @@ - CAT2 # verify if this applies to DC or only MS? -- name: "MEDIUM | WN19-CC-000080 | PATCH | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares." +- name: "MEDIUM | WN22-CC-000080 | PATCH | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths value: "{{ item }}" 
@@ -1982,402 +1982,402 @@ - \\*\SYSVOL - \\*\NETLOGON when: - - wn19_cc_000080 + - wn22_cc_000080 - ansible_windows_domain_member tags: - - WN19-CC-000080 + - WN22-CC-000080 - V-205862 - SRG-OS-000480-GPOS-00227 - 205862r857311_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000090 | PATCH | Windows Server 2019 command line data must be included in process creation events." +- name: "MEDIUM | WN22-CC-000090 | PATCH | Windows Server 2019 command line data must be included in process creation events." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit value: ProcessCreationIncludeCmdLine_Enabled data: 1 datatype: dword when: - - wn19_cc_000090 + - wn22_cc_000090 tags: - - WN19-CC-000090 + - WN22-CC-000090 - V-205638 - SRG-OS-000042-GPOS-00020 - SV-205638r569188_rule - CCI-000135 - CAT2 -- name: "MEDIUM | WN19-CC-000100 | PATCH | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials." +- name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation value: AllowProtectedCreds data: 1 datatype: dword when: - - wn19_cc_000100 + - wn22_cc_000100 tags: - - WN19-CC-000100 + - WN22-CC-000100 - V-205863 - SRG-OS-000480-GPOS-00227 - SV-205863r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." +- name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." 
block: - - name: "MEDIUM | WN19-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." - - name: "MEDIUM | WN19-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | import reuseable task." + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-CC-000110' + warn_control_id: 'WN22-CC-000110' when: - - wn19_cc_000110 + - wn22_cc_000110 - ansible_windows_domain_member tags: - - WN19-CC-000110 + - WN22-CC-000110 - V-205864 - SRG-OS-000480-GPOS-00227 - SV-205864r857313_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000130 | PATCH | Windows Server 2019 early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." +- name: "MEDIUM | WN22-CC-000130 | PATCH | Windows Server 2019 early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." 
ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch value: DriverLoadPolicy data: 1 datatype: dword when: - - wn19_cc_000130 + - wn22_cc_000130 tags: - - WN19-CC-000130 + - WN22-CC-000130 - V-205865 - SRG-OS-000480-GPOS-00227 - SV-205865r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000140 | PATCH | Windows Server 2019 group policy objects must be reprocessed even if they have not changed." +- name: "MEDIUM | WN22-CC-000140 | PATCH | Windows Server 2019 group policy objects must be reprocessed even if they have not changed." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} value: NoGPOListChanges data: 0 datatype: dword when: - - wn19_cc_000140 + - wn22_cc_000140 tags: - - WN19-CC-000140 + - WN22-CC-000140 - V-205866 - SRG-OS-000480-GPOS-00227 - SV-205866r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000150 | PATCH | Windows Server 2019 downloading print driver packages over HTTP must be turned off." +- name: "MEDIUM | WN22-CC-000150 | PATCH | Windows Server 2019 downloading print driver packages over HTTP must be turned off." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers value: DisableWebPnPDownload data: 1 datatype: dword when: - - wn19_cc_000150 + - wn22_cc_000150 tags: - - WN19-CC-000150 + - WN22-CC-000150 - V-205688 - SRG-OS-000095-GPOS-00049 - SV-205688r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-CC-000160 | PATCH | Windows Server 2019 printing over HTTP must be turned off." +- name: "MEDIUM | WN22-CC-000160 | PATCH | Windows Server 2019 printing over HTTP must be turned off." 
ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers value: DisableHTTPPrinting data: 1 datatype: dword when: - - wn19_cc_000160 + - wn22_cc_000160 tags: - - WN19-CC-000160 + - WN22-CC-000160 - V-205689 - SRG-OS-000095-GPOS-00049 - SV-205689r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-CC-000170 | PATCH | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen." +- name: "MEDIUM | WN22-CC-000170 | PATCH | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: DontDisplayNetworkSelectionUI data: 1 datatype: dword when: - - wn19_cc_000170 + - wn22_cc_000170 tags: - - WN19-CC-000170 + - WN22-CC-000170 - V-205690 - SRG-OS-000095-GPOS-00049 - SV-205690r569188_rule - CCI-000381 - CAT2 -- name: "MEDIUM | WN19-CC-000180 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery)." +- name: "MEDIUM | WN22-CC-000180 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery)." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 value: DCSettingIndex data: 1 datatype: dword when: - - wn19_cc_000180 + - wn22_cc_000180 tags: - - WN19-CC-000180 + - WN22-CC-000180 - V-205867 - SRG-OS-000480-GPOS-00227 - SV-205867r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000190 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in)." +- name: "MEDIUM | WN22-CC-000190 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in)." 
ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 value: ACSettingIndex data: 1 datatype: dword when: - - wn19_cc_000190 + - wn22_cc_000190 tags: - - WN19-CC-000190 + - WN22-CC-000190 - V-205868 - SRG-OS-000480-GPOS-00227 - SV-205868r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000240 | PATCH | Windows Server 2019 administrator accounts must not be enumerated during elevation." +- name: "MEDIUM | WN22-CC-000240 | PATCH | Windows Server 2019 administrator accounts must not be enumerated during elevation." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI value: EnumerateAdministrators data: 0 datatype: dword when: - - wn19_cc_000240 + - wn22_cc_000240 tags: - - WN19-CC-000240 + - WN22-CC-000240 - V-205714 - SRG-OS-000134-GPOS-00068 - SV-205714r569188_rule - CCI-001084 - CAT2 -- name: "MEDIUM | WN19-CC-000250 | PATCH | Windows Server 2019 Telemetry must be configured to Security or Basic." +- name: "MEDIUM | WN22-CC-000250 | PATCH | Windows Server 2019 Telemetry must be configured to Security or Basic." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection value: AllowTelemetry data: 0 datatype: dword when: - - wn19_cc_000250 + - wn22_cc_000250 tags: - - WN19-CC-000250 + - WN22-CC-000250 - V-205869 - SRG-OS-000480-GPOS-00227 - SV-205869r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." +- name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." block: - - name: "MEDIUM | WN19-CC-000270 | AUDIT | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." 
+ - name: "MEDIUM | WN22-CC-000270 | AUDIT | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." ansible.windows.win_reg_stat: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application name: MaxSize - register: wn19_cc_000270_audit + register: wn22_cc_000270_audit - - name: "MEDIUM | WN19-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." + - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application value: MaxSize - data: "{{ wn19stig_app_maxsize }}" + data: "{{ wn22stig_app_maxsize }}" datatype: dword when: - - wn19_cc_000270_audit is defined - - not wn19_cc_000270_audit.exists or - wn19_cc_000270_audit.value < 32768 + - wn22_cc_000270_audit is defined + - not wn22_cc_000270_audit.exists or + wn22_cc_000270_audit.value < 32768 when: - - wn19_cc_000270 + - wn22_cc_000270 tags: - - WN19-CC-000270 + - WN22-CC-000270 - V-205796 - SRG-OS-000341-GPOS-00132 - SV-205796r569188_rule - CCI-001849 - CAT2 -- name: "MEDIUM | WN19-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater." +- name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater." block: - - name: "MEDIUM | WN19-CC-000280 | AUDIT | Windows Server 2019 Security event log size must be configured to 196608 KB or greater." + - name: "MEDIUM | WN22-CC-000280 | AUDIT | Windows Server 2019 Security event log size must be configured to 196608 KB or greater." 
 ansible.windows.win_reg_stat:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
 name: MaxSize
- register: wn19_cc_000280_audit
+ register: wn22_cc_000280_audit
- - name: "MEDIUM | WN19-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater."
+ - name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security
 value: MaxSize
- data: "{{ wn19stig_sec_maxsize }}"
+ data: "{{ wn22stig_sec_maxsize }}"
 datatype: dword
 when:
- - wn19_cc_000280_audit is defined
- - not wn19_cc_000280_audit.exists or
- wn19_cc_000280_audit.value < 196608
+ - wn22_cc_000280_audit is defined
+ - not wn22_cc_000280_audit.exists or
+ wn22_cc_000280_audit.value < 196608
 when:
- - wn19_cc_000280
+ - wn22_cc_000280
 tags:
- - WN19-CC-000280
+ - WN22-CC-000280
 - V-205797
 - SRG-OS-000341-GPOS-00132
 - SV-205797r569188_rule
 - CCI-001849
 - CAT2
-- name: "MEDIUM | WN19-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
+- name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
 block:
- - name: "MEDIUM | WN19-CC-000290 | AUDIT | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
+ - name: "MEDIUM | WN22-CC-000290 | AUDIT | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
 ansible.windows.win_reg_stat:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
 name: MaxSize
- register: wn19_cc_000290_audit
+ register: wn22_cc_000290_audit
- - name: "MEDIUM | WN19-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
+ - name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System
 value: MaxSize
- data: "{{ wn19stig_sys_maxsize }}"
+ data: "{{ wn22stig_sys_maxsize }}"
 datatype: dword
 when:
- - wn19_cc_000290_audit is defined
- - not wn19_cc_000290_audit.exists or
- wn19_cc_000290_audit.value < 32768
+ - wn22_cc_000290_audit is defined
+ - not wn22_cc_000290_audit.exists or
+ wn22_cc_000290_audit.value < 32768
 when:
- - wn19_cc_000290
+ - wn22_cc_000290
 tags:
- - WN19-CC-000290
+ - WN22-CC-000290
 - V-93181
 - SRG-OS-000341-GPOS-00132
 - SV-103269r1
 - CCI-001849
-- name: "MEDIUM | WN19-CC-000300 | PATCH | Windows Server 2019 Windows Defender SmartScreen must be enabled."
+- name: "MEDIUM | WN22-CC-000300 | PATCH | Windows Server 2019 Windows Defender SmartScreen must be enabled."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
 value: EnableSmartScreen
 data: 1
 datatype: dword
 when:
- - wn19_cc_000300
+ - wn22_cc_000300
 tags:
- - WN19-CC-000300
+ - WN22-CC-000300
 - V-205798
 - SRG-OS-000095-GPOS-00049
 - SV-205798r569188_rule
 - CCI-000381
 - CAT2
-- name: "MEDIUM | WN19-CC-000310 | PATCH | Windows Server 2019 Explorer Data Execution Prevention must be enabled."
+- name: "MEDIUM | WN22-CC-000310 | PATCH | Windows Server 2019 Explorer Data Execution Prevention must be enabled."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
 value: NoDataExecutionPrevention
 data: 0
 datatype: dword
 when:
- - wn19_cc_000310
+ - wn22_cc_000310
 tags:
- - WN19-CC-000310
+ - WN22-CC-000310
 - V-205830
 - SRG-OS-000433-GPOS-00192
 - SV-205830r569188_rule
 - CCI-002824
 - CAT2
-- name: "MEDIUM | WN19-CC-000330 | PATCH | Windows Server 2019 File Explorer shell protocol must run in protected mode."
+- name: "MEDIUM | WN22-CC-000330 | PATCH | Windows Server 2019 File Explorer shell protocol must run in protected mode."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
 value: PreXPSP2ShellProtocolBehavior
 data: 0
 datatype: dword
 when:
- - wn19_cc_000330
+ - wn22_cc_000330
 tags:
- - WN19-CC-000330
+ - WN22-CC-000330
 - V-205872
 - SRG-OS-000480-GPOS-00227
 - SV-205872r569188_rule
 - CCI-000366
 - CAT2
-- name: "MEDIUM | WN19-CC-000340 | PATCH | Windows Server 2019 must not save passwords in the Remote Desktop Client."
+- name: "MEDIUM | WN22-CC-000340 | PATCH | Windows Server 2019 must not save passwords in the Remote Desktop Client."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
 value: DisablePasswordSaving
 data: 1
 datatype: dword
 when:
- - wn19_cc_000340
+ - wn22_cc_000340
 tags:
- - WN19-CC-000340
+ - WN22-CC-000340
 - V-205808
 - SRG-OS-000373-GPOS-00157
 - SV-205808r569188_rule
 - CCI-002038
 - CAT2
-- name: "MEDIUM | WN19-CC-000350 | PATCH | Windows Server 2019 Remote Desktop Services must prevent drive redirection."
+- name: "MEDIUM | WN22-CC-000350 | PATCH | Windows Server 2019 Remote Desktop Services must prevent drive redirection."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
 value: fDisableCdm
 data: 1
 datatype: dword
 when:
- - wn19_cc_000350
+ - wn22_cc_000350
 tags:
- - WN19-CC-000350
+ - WN22-CC-000350
 - V-205722
 - SRG-OS-000138-GPOS-00069
 - SV-205722r569188_rule
 - CCI-001090
 - CAT2
-- name: "MEDIUM | WN19-CC-000360 | PATCH | Windows Server 2019 remote Desktop Services must always prompt a client for passwords upon connection."
+- name: "MEDIUM | WN22-CC-000360 | PATCH | Windows Server 2019 remote Desktop Services must always prompt a client for passwords upon connection."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
 value: fPromptForPassword
 data: 1
 datatype: dword
 when:
- - wn19_cc_000360
+ - wn22_cc_000360
 tags:
- - WN19-CC-000360
+ - WN22-CC-000360
 - V-205809
 - SRG-OS-000373-GPOS-00157
 - SV-205809r569188_rule
 - CCI-002038
 - CAT2
-- name: "MEDIUM | WN19-CC-000370 | PATCH | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications."
+- name: "MEDIUM | WN22-CC-000370 | PATCH | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
 value: fEncryptRPCTraffic
 data: 1
 datatype: dword
 when:
- - wn19_cc_000370
+ - wn22_cc_000370
 tags:
- - WN19-CC-000370
+ - WN22-CC-000370
 - V-92971
 - SRG-OS-000033-GPOS-00014
 - SV-103059r1
@@ -2385,16 +2385,16 @@
 - CCI-001453
 - CAT2
-- name: "MEDIUM | WN19-CC-000380 | PATCH | Windows Server 2019 remote Desktop Services must be configured with the client connection encryption set to High Level."
+- name: "MEDIUM | WN22-CC-000380 | PATCH | Windows Server 2019 remote Desktop Services must be configured with the client connection encryption set to High Level."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
 value: MinEncryptionLevel
 data: 3
 datatype: dword
 when:
- - wn19_cc_000380
+ - wn22_cc_000380
 tags:
- - WN19-CC-000380
+ - WN22-CC-000380
 - V-205636
 - SRG-OS-000033-GPOS-00014
 - SRG-OS-000250-GPOS-00093
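Review bot: The `+- name:` line for WN22-CC-000380 still reads "Windows Server 2019" although the control ID was moved to the WN22 prefix, and the `V-205636` tag and the rest of the tag list are carried over unchanged; the same half-rename recurs in every hunk of this file through WN22-DC-000220, including the debug `msg:` strings of the DC tasks. If this role is meant to implement the Windows Server 2022 STIG, the V-/SV- tags presumably need to be re-mapped to that benchmark rather than inherited, since those are what auditors and `--tags` selection key on. Suggest at least `- name: "MEDIUM | WN22-CC-000380 | PATCH | Windows Server 2022 remote Desktop Services must be configured with the client connection encryption set to High Level."` here and in the sibling tasks, and a pass that re-validates each V-/SV- tag against the 2022 benchmark before release.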
@@ -2403,145 +2403,145 @@
 - CCI-001453
 - CAT2
-- name: "MEDIUM | WN19-CC-000390 | PATCH | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds."
+- name: "MEDIUM | WN22-CC-000390 | PATCH | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
 value: DisableEnclosureDownload
 data: 1
 datatype: dword
 when:
- - wn19_cc_000390
+ - wn22_cc_000390
 tags:
- - WN19-CC-000390
+ - WN22-CC-000390
 - V-205873
 - SRG-OS-000480-GPOS-00227
 - SV-205873r569188_rule
 - CCI-000366
 - CAT2
-- name: "MEDIUM | WN19-CC-000400 | PATCH | Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP."
+- name: "MEDIUM | WN22-CC-000400 | PATCH | Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds
 value: AllowBasicAuthInClear
 data: 0
 datatype: dword
 when:
- - wn19_cc_000400
+ - wn22_cc_000400
 tags:
- - WN19-CC-000400
+ - WN22-CC-000400
 - V-205693
 - SRG-OS-000095-GPOS-00049
 - SV-205693r569188_rule
 - CCI-000381
 - CAT2
-- name: "MEDIUM | WN19-CC-000410 | PATCH | Windows Server 2019 must prevent Indexing of encrypted files."
+- name: "MEDIUM | WN22-CC-000410 | PATCH | Windows Server 2019 must prevent Indexing of encrypted files."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search
 value: AllowIndexingEncryptedStoresOrItems
 data: 0
 datatype: dword
 when:
- - wn19_cc_000410
+ - wn22_cc_000410
 tags:
- - WN19-CC-000410
+ - WN22-CC-000410
 - V-205694
 - SRG-OS-000095-GPOS-00049
 - SV-205694r569188_rule
 - CCI-000381
 - CAT2
-- name: "MEDIUM | WN19-CC-000420 | PATCH | Windows Server 2019 must prevent users from changing installation options."
+- name: "MEDIUM | WN22-CC-000420 | PATCH | Windows Server 2019 must prevent users from changing installation options."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
 value: EnableUserControl
 data: 0
 datatype: dword
 when:
- - wn19_cc_000420
+ - wn22_cc_000420
 tags:
- - WN19-CC-000420
+ - WN22-CC-000420
 - V-205801
 - SRG-OS-000362-GPOS-00149
 - SV-205801r569188_rule
 - CCI-001812
 - CAT2
-- name: "MEDIUM | WN19-CC-000440 | PATCH | Windows Server 2019 users must be notified if a web-based program attempts to install software."
+- name: "MEDIUM | WN22-CC-000440 | PATCH | Windows Server 2019 users must be notified if a web-based program attempts to install software."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer
 value: SafeForScripting
 data: 0
 datatype: dword
 when:
- - wn19_cc_000440
+ - wn22_cc_000440
 tags:
- - WN19-CC-000440
+ - WN22-CC-000440
 - V-205874
 - SRG-OS-000480-GPOS-00227
 - SV-205874r569188_rule
 - CCI-000366
 - CAT2
-- name: "MEDIUM | WN19-CC-000450 | PATCH | Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart."
+- name: "MEDIUM | WN22-CC-000450 | PATCH | Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 value: DisableAutomaticRestartSignOn
 data: 1
 datatype: dword
 when:
- - wn19_cc_000450
+ - wn22_cc_000450
 tags:
- - WN19-CC-000450
+ - WN22-CC-000450
 - V-205925
 - SRG-OS-000480-GPOS-00229
 - SV-205925r569188_rule
 - CCI-000366
 - CAT2
-- name: "MEDIUM | WN19-CC-000451 | PATCH | The Windows Explorer Preview pane must be disabled for Windows Server 2019."
+- name: "MEDIUM | WN22-CC-000451 | PATCH | The Windows Explorer Preview pane must be disabled for Windows Server 2019."
 ansible.windows.win_regedit:
 path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
 value: NoPreviewPane
 data: 1
 datatype: dword
 when:
- - wn19_cc_000451
+ - wn22_cc_000451
 tags:
- - WN19-CC-000451
+ - WN22-CC-000451
 - V-236001
 - SRG-OS-000095-GPOS-00049
 - SV-236001r641821_rule
 - CCI-000366
 - CAT2
-- name: "MEDIUM | WN19-CC-000460 | PATCH | Windows Server 2019 PowerShell script block logging must be enabled."
+- name: "MEDIUM | WN22-CC-000460 | PATCH | Windows Server 2019 PowerShell script block logging must be enabled."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
 value: EnableScriptBlockLogging
 data: 1
 datatype: dword
 when:
- - wn19_cc_000460
+ - wn22_cc_000460
 tags:
- - WN19-CC-000460
+ - WN22-CC-000460
 - V-205639
 - SRG-OS-000042-GPOS-00020
 - SV-205639r569188_rule
 - CCI-000135
 - CAT2
-- name: "MEDIUM | WN19-CC-000480 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic."
+- name: "MEDIUM | WN22-CC-000480 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
 value: AllowUnencryptedTraffic
 data: 0
 datatype: dword
 when:
- - wn19_cc_000480
+ - wn22_cc_000480
 - not win2019stig_skip_for_test
 tags:
- - WN19-CC-000480
+ - WN22-CC-000480
 - V-205816
 - SRG-OS-000393-GPOS-00173
 - SV-205816r569188_rule
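Review bot: `- not win2019stig_skip_for_test` in the `when:` list of WN22-CC-000480 was left on the old prefix while every other variable in this commit moved from `wn19`/`win2019` to `wn22`; unless `win2019stig_skip_for_test` is still defined in the new defaults, the task aborts with an undefined-variable error and the WinRM unencrypted-traffic control is never applied. The same line appears in WN22-CC-000510 and WN22-CC-000520 in the two following hunks. Suggest moving it to whatever name the new defaults use (constructed example: `- not wn22stig_skip_for_test`), ideally as `- not (wn22stig_skip_for_test | default(false))` so a missing definition fails safe by applying the control. Separately, WN22-CC-000451 writes `NoPreviewPane` under `HKCU:`, which as far as I recall win_regedit applies only to the hive of the account Ansible runs as, so the setting likely does not reach other interactive users; worth a comment on that task such as `# NOTE: HKCU here is the Ansible connection user's hive only; confirm coverage for other users`.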
@@ -2549,33 +2549,33 @@
 - CCI-003123
 - CAT2
-- name: "MEDIUM | WN19-CC-000490 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication."
+- name: "MEDIUM | WN22-CC-000490 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client
 value: AllowDigest
 data: 0
 datatype: dword
 when:
- - wn19_cc_000490
+ - wn22_cc_000490
 tags:
- - WN19-CC-000490
+ - WN22-CC-000490
 - V-205712
 - SRG-OS-000125-GPOS-00065
 - SV-205712r569188_rule
 - CCI-000877
 - CAT2
-- name: "MEDIUM | WN19-CC-000510 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic."
+- name: "MEDIUM | WN22-CC-000510 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
 value: AllowUnencryptedTraffic
 data: 0
 datatype: dword
 when:
- - wn19_cc_000510
+ - wn22_cc_000510
 - not win2019stig_skip_for_test
 tags:
- - WN19-CC-000510
+ - WN22-CC-000510
 - V-205817
 - SRG-OS-000393-GPOS-00173
 - SV-205817r569188_rule
@@ -2583,38 +2583,38 @@
 - CCI-003123
 - CAT2
-- name: "MEDIUM | WN19-CC-000520 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials."
+- name: "MEDIUM | WN22-CC-000520 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service
 value: DisableRunAs
 data: 1
 datatype: dword
 when:
- - wn19_cc_000520
+ - wn22_cc_000520
 - not win2019stig_skip_for_test
 tags:
- - WN19-CC-000520
+ - WN22-CC-000520
 - V-205810
 - SRG-OS-000373-GPOS-00157
 - SV-205810r569188_rule
 - CCI-002038
 - CAT2
-- name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced."
+- name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced."
 block:
- - name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced."
+ - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos user logon restrictions must be enforced."
- - name: "MEDIUM | WN19-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000020'
+ warn_control_id: 'WN22-DC-000020'
 when:
- - wn19_dc_000020
+ - wn22_dc_000020
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000020
+ - WN22-DC-000020
 - V-205702
 - SRG-OS-000112-GPOS-00057
 - SV-205702r569188_rule
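Review bot: The DC controls beginning with WN22-DC-000020 gate on `- ansible_windows_domain_role == "Primary domain controller"`; as far as I recall that fact mirrors the Win32_ComputerSystem DomainRole value, where only the DC holding the PDC emulator role reports "Primary domain controller" and every other DC reports "Backup domain controller", so these Kerberos and AD audit-setting warnings would fire on one DC per domain and be silently skipped on the rest. The same condition is used in all following DC hunks through WN22-DC-000220. If that reading holds, `- ansible_windows_domain_role in ["Primary domain controller", "Backup domain controller"]` covers every DC; confirm against the gathered fact on a multi-DC test domain before changing it. The WN22-DC-000020 task ends in this hunk, but its tag list continues past the hunk's last line.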
@@ -2622,21 +2622,21 @@
 - CCI-001942
 - CAT2
-- name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+- name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
 block:
- - name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
+ - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less."
- - name: "MEDIUM | WN19-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000030'
+ warn_control_id: 'WN22-DC-000030'
 when:
- - wn19_dc_000030
+ - wn22_dc_000030
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000030
+ - WN22-DC-000030
 - V-205703
 - SRG-OS-000112-GPOS-00057
 - SV-205703r569188_rule
@@ -2644,21 +2644,21 @@
 - CCI-001942
 - CAT2
-- name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
+- name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
 block:
- - name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
+ - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less."
- - name: "MEDIUM | WN19-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000040'
+ warn_control_id: 'WN22-DC-000040'
 when:
- - wn19_dc_000040
+ - wn22_dc_000040
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000040
+ - WN22-DC-000040
 - V-205704
 - SRG-OS-000112-GPOS-00057
 - SV-205704r569188_rule
@@ -2666,21 +2666,21 @@
 - CCI-001942
 - CAT2
-- name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+- name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
 block:
- - name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
+ - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less."
- - name: "MEDIUM | WN19-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task."
+ - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000050'
+ warn_control_id: 'WN22-DC-000050'
 when:
- - wn19_dc_000050
+ - wn22_dc_000050
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000050
+ - WN22-DC-000050
 - V-205705
 - SRG-OS-000112-GPOS-00057
 - SV-205705r569188_rule
@@ -2688,21 +2688,21 @@
 - CCI-001942
 - CAT2
-- name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
+- name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
 block:
- - name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
+ - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less."
- - name: "MEDIUM | WN19-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000060'
+ warn_control_id: 'WN22-DC-000060'
 when:
- - wn19_dc_000060
+ - wn22_dc_000060
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000060
+ - WN22-DC-000060
 - V-205706
 - SRG-OS-000112-GPOS-00057
 - SV-205706r569188_rule
@@ -2710,84 +2710,84 @@
 - CCI-001942
 - CAT2
-- name: "MEDIUM | WN19-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+- name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
 block:
- - name: "MEDIUM | WN19-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+ - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
- - name: "MEDIUM | WN19-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000120'
+ warn_control_id: 'WN22-DC-000120'
 when:
- - wn19_dc_000120
+ - wn22_dc_000120
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000120
+ - WN22-DC-000120
 - V-205723
 - SRG-OS-000138-GPOS-00069
 - SV-205723r569188_rule
 - CCI-001090
 - CAT2
-- name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+- name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
 block:
- - name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+ - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 domain controllers must run on a machine dedicated to that function."
- - name: "MEDIUM | WN19-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000130'
+ warn_control_id: 'WN22-DC-000130'
 when:
- - wn19_dc_000130
+ - wn22_dc_000130
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000130
+ - WN22-DC-000130
 - V-205695
 - SRG-OS-000095-GPOS-00049
 - SV-205695r569188_rule
 - CCI-000381
 - CAT2
-- name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+- name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
 block:
- - name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
- - name: "MEDIUM | WN19-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000140'
+ warn_control_id: 'WN22-DC-000140'
 when:
- - wn19_dc_000140
+ - wn22_dc_000140
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000140
+ - WN22-DC-000140
 - V-205818
 - SRG-OS-000396-GPOS-00176
 - SV-205818r569188_rule
 - CCI-002450
 - CAT2
-- name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
- - name: "MEDIUM | WN19-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000170'
+ warn_control_id: 'WN22-DC-000170'
 when:
- - wn19_dc_000170
+ - wn22_dc_000170
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000170
+ - WN22-DC-000170
 - V-205785
 - SRG-OS-000327-GPOS-00127
 - SV-205785r569188_rule
@@ -2795,21 +2795,21 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
- - name: "MEDIUM | WN19-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000180'
+ warn_control_id: 'WN22-DC-000180'
 when:
- - wn19_dc_000180
+ - wn22_dc_000180
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000180
+ - WN22-DC-000180
 - V-205786
 - SRG-OS-000327-GPOS-00127
 - SV-205786r569188_rule
@@ -2817,21 +2817,21 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
- - name: "MEDIUM | WN19-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000190'
+ warn_control_id: 'WN22-DC-000190'
 when:
- - wn19_dc_000190
+ - wn22_dc_000190
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000190
+ - WN22-DC-000190
 - V-205787
 - SRG-OS-000327-GPOS-00127
 - SV-205787r569188_rule
@@ -2839,21 +2839,21 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
- - name: "MEDIUM | WN19-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
- warn_control_id: 'WN19-DC-000200'
+ warn_control_id: 'WN22-DC-000200'
 when:
- - wn19_dc_000200
+ - wn22_dc_000200
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - WN19-DC-000200
+ - WN22-DC-000200
 - V-205788
 - SRG-OS-000327-GPOS-00127
 - SV-205788r569188_rule
@@ -2861,43 +2861,43 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings." +- name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings." block: - - name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings." + - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings." - - name: "MEDIUM | WN19-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-DC-000210' + warn_control_id: 'WN22-DC-000210' when: - - wn19_dc_000210 + - wn22_dc_000210 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000210 + - WN22-DC-000210 - V-205789 - SRG-OS-000327-GPOS-00127 - - WN19-DC-000210 + - WN22-DC-000210 - CCI-000172 - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings." +- name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings." 
block: - - name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings." + - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings." - - name: "MEDIUM | WN19-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-DC-000220' + warn_control_id: 'WN22-DC-000220' when: - - wn19_dc_000220 + - wn22_dc_000220 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000220 + - WN22-DC-000220 - V-205790 - SRG-OS-000327-GPOS-00127 - SV-205790r569188_rule 
@@ -2905,23 +2905,23 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN19-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." +- name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." block: - - name: "MEDIUM | WN19-DC-000230 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." + - name: "MEDIUM | WN22-DC-000230 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_dc_000230_audit + register: wn22_dc_000230_audit - - name: "MEDIUM | WN19-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." + - name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable - when: "'Success' not in wn19_dc_000230_audit.stdout" + when: "'Success' not in wn22_dc_000230_audit.stdout" when: - - wn19_dc_000230 + - wn22_dc_000230 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000230 + - WN22-DC-000230 - V-205628 - SRG-OS-000004-GPOS-00004 - SRG-OS-000239-GPOS-00089 
@@ -2938,23 +2938,23 @@ - CCI-002130 - CAT2 -- name: "MEDIUM | WN19-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes." +- name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes." block: - - name: "MEDIUM | WN19-DC-000240 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes." + - name: "MEDIUM | WN22-DC-000240 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_dc_000240_audit + register: wn22_dc_000240_audit - - name: "MEDIUM | WN19-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes." + - name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable - when: "'Success' not in wn19_dc_000240_audit.stdout" + when: "'Success' not in wn22_dc_000240_audit.stdout" when: - - wn19_dc_000240 + - wn22_dc_000240 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000240 + - WN22-DC-000240 - V-205791 - SRG-OS-000327-GPOS-00127 - SRG-OS-000458-GPOS-00203 
@@ -2966,23 +2966,23 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." +- name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." block: - - name: "MEDIUM | WN19-DC-000250 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." + - name: "MEDIUM | WN22-DC-000250 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_dc_000250_audit + register: wn22_dc_000250_audit - - name: "MEDIUM | WN19-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." + - name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable - when: "'Failure' not in wn19_dc_000250_audit.stdout" + when: "'Failure' not in wn22_dc_000250_audit.stdout" when: - - wn19_dc_000250 + - wn22_dc_000250 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000250 + - WN22-DC-000250 - V-205792 - SRG-OS-000327-GPOS-00127 - SV-205792r569188_rule 
@@ -2994,23 +2994,23 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes." +- name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes." block: - - name: "MEDIUM | WN19-DC-000260 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes." + - name: "MEDIUM | WN22-DC-000260 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_dc_000260_audit + register: wn22_dc_000260_audit - - name: "MEDIUM | WN19-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes." + - name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - when: "'Success' not in wn19_dc_000260_audit.stdout" + when: "'Success' not in wn22_dc_000260_audit.stdout" when: - - wn19_dc_000260 + - wn22_dc_000260 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000260 + - WN22-DC-000260 - V-205793 - SRG-OS-000327-GPOS-00127 - SRG-OS-000458-GPOS-00203 
@@ -3022,23 +3022,23 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." +- name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." block: - - name: "MEDIUM | WN19-DC-000270 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." + - name: "MEDIUM | WN22-DC-000270 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn19_dc_000270_audit + register: wn22_dc_000270_audit - - name: "MEDIUM | WN19-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." + - name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /failure:enable - when: "'Failure' not in wn19_dc_000270_audit.stdout" + when: "'Failure' not in wn22_dc_000270_audit.stdout" when: - - wn19_dc_000270 + - wn22_dc_000270 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000270 + - WN22-DC-000270 - V-205794 - SRG-OS-000327-GPOS-00127 - SRG-OS-000458-GPOS-00203 
@@ -3050,42 +3050,42 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate." +- name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate." block: - - name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate." + - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 domain controllers must have a PKI server certificate." - - name: "MEDIUM | WN19-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate. | import reuseable task." + - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-DC-000280' + warn_control_id: 'WN22-DC-000280' when: - - wn19_dc_000280 + - wn22_dc_000280 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000280 + - WN22-DC-000280 - V-205645 - SRG-OS-000066-GPOS-00034 - SV-205645r569188_rule - CCI-000185 - CAT2 -- name: "MEDIUM | WN19-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." +- name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." 
block: - - name: "MEDIUM | WN19-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." + - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." - - name: "MEDIUM | WN19-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | import reuseable task." + - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-DC-000310' + warn_control_id: 'WN22-DC-000310' when: - - wn19_dc_000310 + - wn22_dc_000310 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000310 + - WN22-DC-000310 - V-205701 - SRG-OS-000105-GPOS-00052 - SRG-OS-000106-GPOS-00053 
@@ -3100,17 +3100,17 @@ - CCI-001948 - CAT2 -- name: "MEDIUM | WN19-DC-000320 | PATCH | Windows Server 2019 domain controllers must require LDAP access signing." +- name: "MEDIUM | WN22-DC-000320 | PATCH | Windows Server 2019 domain controllers must require LDAP access signing." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters value: LDAPServerIntegrity data: 2 datatype: dword when: - - wn19_dc_000320 + - wn22_dc_000320 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000320 + - WN22-DC-000320 - V-205820 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 @@ -3120,17 +3120,17 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000330 | PATCH | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords." +- name: "MEDIUM | WN22-DC-000330 | PATCH | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: RefusePasswordChange data: 0 datatype: dword when: - - wn19_dc_000330 + - wn22_dc_000330 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000330 + - WN22-DC-000330 - V-205876 - SRG-OS-000480-GPOS-00227 - SV-205876r569188_rule @@ -3138,7 +3138,7 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000340 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers." +- name: "MEDIUM | WN22-DC-000340 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers." ansible.windows.win_user_right: name: SeNetworkLogonRight users: 
@@ -3147,10 +3147,10 @@ - Enterprise Domain Controllers action: set when: - - wn19_dc_000340 + - wn22_dc_000340 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000340 + - WN22-DC-000340 - V-205665 - SRG-OS-000080-GPOS-00048 - SV-205665r569188_rule @@ -3158,16 +3158,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000350 | PATCH | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers." +- name: "MEDIUM | WN22-DC-000350 | PATCH | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: name: SeMachineAccountPrivilege users: Administrators action: set when: - - wn19_dc_000350 + - wn22_dc_000350 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000350 + - WN22-DC-000350 - V-205744 - SRG-OS-000324-GPOS-00125 - SV-205744r569188_rule @@ -3175,16 +3175,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000360 | PATCH | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers." +- name: "MEDIUM | WN22-DC-000360 | PATCH | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: name: SeRemoteInteractiveLogonRight users: Administrators action: set when: - - wn19_dc_000360 + - wn22_dc_000360 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000360 + - WN22-DC-000360 - V-205666 - SRG-OS-000080-GPOS-00048 - SV-205666r569188_rule 
@@ -3192,16 +3192,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000370 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access." +- name: "MEDIUM | WN22-DC-000370 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: name: SeDenyNetworkLogonRight users: Guests action: set when: - - wn19_dc_000370 + - wn22_dc_000370 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000370 + - WN22-DC-000370 - V-205667 - SRG-OS-000080-GPOS-00048 - SV-205667r569188_rule @@ -3209,16 +3209,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000380 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access." +- name: "MEDIUM | WN22-DC-000380 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: name: SeDenyBatchLogonRight users: Guests action: set when: - - wn19_dc_000380 + - wn22_dc_000380 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000380 + - WN22-DC-000380 - V-205668 - SRG-OS-000080-GPOS-00048 - SV-205668r569188_rule 
@@ -3226,16 +3226,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000390 | PATCH | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers." +- name: "MEDIUM | WN22-DC-000390 | PATCH | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers." community.windows.win_security_policy: section: Privilege Rights key: SeDenyServiceLogonRight value: "" when: - - wn19_dc_000390 + - wn22_dc_000390 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000390 + - WN22-DC-000390 - V-205669 - SRG-OS-000080-GPOS-00048 - SV-205669r569188_rule @@ -3243,16 +3243,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000400 | PATCH | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access." +- name: "MEDIUM | WN22-DC-000400 | PATCH | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight users: Guests action: set when: - - wn19_dc_000400 + - wn22_dc_000400 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000400 + - WN22-DC-000400 - V-205670 - SRG-OS-000080-GPOS-00048 - SV-205670r569188_rule 
@@ -3260,16 +3260,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000410 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." +- name: "MEDIUM | WN22-DC-000410 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight users: Guests action: set when: - - wn19_dc_000410 + - wn22_dc_000410 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000410 + - WN22-DC-000410 - V-205732 - SRG-OS-000297-GPOS-00115 - SV-205732r569188_rule @@ -3277,16 +3277,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000420 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." +- name: "MEDIUM | WN22-DC-000420 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: name: SeEnableDelegationPrivilege users: Administrators action: set when: - - wn19_dc_000420 + - wn22_dc_000420 - ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-DC-000420 + - WN22-DC-000420 - V-205745 - SRG-OS-000324-GPOS-00125 - SV-205745r569188_rule 
@@ -3294,29 +3294,29 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." +- name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." block: - - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." - ansible.windows.win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn19stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet" + - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." + ansible.windows.win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet" changed_when: false failed_when: false check_mode: false - register: wn19_dc_000430_audit + register: wn22_dc_000430_audit - - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." + - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." ansible.builtin.debug: msg: "Warning!! This is a manual task. The password for the krbtgt account on a domain must be reset at least every 180 days." - - name: "MEDIUM | WN19-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reuseable task." + - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-DC-000430' + warn_control_id: 'WN22-DC-000430' when: - - wn19_dc_000430 + - wn22_dc_000430 - ansible_windows_domain_role == "Primary domain controller" - win2019stig_complexity_high tags: - - WN19-DC-000430 + - WN22-DC-000430 - V-205877 - SRG-OS-000480-GPOS-00227 - SV-205877r857315_rule @@ -3324,17 +3324,17 @@ - NeedToTestDomainController - CAT2 -- name: "MEDIUM | WN19-MS-000020 | PATCH | Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." +- name: "MEDIUM | WN22-MS-000020 | PATCH | Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: LocalAccountTokenFilterPolicy data: 0 datatype: dword when: - - wn19_ms_000020 + - wn22_ms_000020 - ansible_windows_domain_role == "Member server" tags: - - WN19-MS-000020 + - WN22-MS-000020 - V-205715 - SRG-OS-000134-GPOS-00068 - SV-205715r857320_rule @@ -3342,17 +3342,17 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-MS-000030 | PATCH | Windows Server 2019 local users on domain-joined member servers must not be enumerated." +- name: "MEDIUM | WN22-MS-000030 | PATCH | Windows Server 2019 local users on domain-joined member servers must not be enumerated." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: EnumerateLocalUsers data: 0 datatype: dword when: - - wn19_ms_000030 + - wn22_ms_000030 - ansible_windows_domain_role == "Member server" tags: - - WN19-MS-000030 + - WN22-MS-000030 - V-205696 - SRG-OS-000095-GPOS-00049 - SV-205696r857322_rule 
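Review bot: The `when:` list of the WN22-DC-000430 task still references `win2019stig_complexity_high` while the same hunk renames `wn19stig_krbtgt_pass_age` to `wn22stig_krbtgt_pass_age` on the `win_shell` line, so the two variables this task depends on now follow different naming schemes. If the defaults file receives the same wn19→wn22 treatment (it is not visible here), `win2019stig_complexity_high` becomes undefined and Ansible fails the task on the conditional rather than skipping it. Either keep the old name deliberately and note it, or rename it in step with the rest of the role, e.g. `- win2022stig_complexity_high` (or whatever name the defaults file ends up declaring). The enclosing task starts in the previous hunk line.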
@@ -3360,58 +3360,58 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-MS-000040 | PATCH | Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems." +- name: "MEDIUM | WN22-MS-000040 | PATCH | Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc value: RestrictRemoteClients data: 1 datatype: dword when: - - wn19_ms_000040 + - wn22_ms_000040 - not ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-MS-000040 + - WN22-MS-000040 - V-205814 - SRG-OS-000379-GPOS-00164 - SV-205814r860031_rule - CCI-001967 - CAT2 -- name: "MEDIUM | WN19-MS-000050 | PATCH | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers." +- name: "MEDIUM | WN22-MS-000050 | PATCH | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon value: CachedLogonsCount data: 4 datatype: dword when: - - wn19_ms_000050 + - wn22_ms_000050 - ansible_windows_domain_role == "Member server" tags: - - WN19-MS-000050 + - WN22-MS-000050 - V-205906 - SRG-OS-000480-GPOS-00227 - SV-205906r857326_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-MS-000060 | PATCH | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems." 
+- name: "MEDIUM | WN22-MS-000060 | PATCH | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: RestrictRemoteSAM data: O:BAG:BAD:(A;;RC;;;BA) datatype: string when: - - wn19_ms_000060 + - wn22_ms_000060 - not ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-MS-000060 + - WN22-MS-000060 - V-205747 - SRG-OS-000324-GPOS-00125 - SV-205747r860032_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-MS-000070 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems." +- name: "MEDIUM | WN22-MS-000070 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems." ansible.windows.win_user_right: name: SeNetworkLogonRight users: 
@@ -3419,19 +3419,19 @@ - Authenticated Users action: set when: - - wn19_ms_000070 + - wn22_ms_000070 - not ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-MS-000070 + - WN22-MS-000070 - V-205671 - SRG-OS-000080-GPOS-00048 - SV-205671r857331_rule - CCI-000213 - CAT2 -- name: "MEDIUM | WN19-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." +- name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." block: - - name: "MEDIUM | WN19-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyNetworkLogonRight users: 
@@ -3443,17 +3443,17 @@ action: set when: ansible_windows_domain_role == "Member server" - - name: "MEDIUM | WN19-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyNetworkLogonRight users: Guests action: set when: not ansible_windows_domain_member when: - - wn19_ms_000080 + - wn22_ms_000080 - not ansible_windows_domain_role == "Primary domain controller" tags: - - WN19-MS-000080 + - WN22-MS-000080 - V-205672 - SRG-OS-000080-GPOS-00048 - SV-205672r857333_rule 
@@ -3461,9 +3461,9 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-MS-000090 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." +- name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: - - name: "MEDIUM | WN19-MS-000090 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000090 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyBatchLogonRight users: 
@@ -3473,7 +3473,7 @@ action: set when: ansible_windows_domain_role == "Member server" - - name: "MEDIUM | WN19-MS-000090 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000090 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyBatchLogonRight users: 
@@ -3481,9 +3481,9 @@ action: set when: not ansible_windows_domain_member when: - - wn19_ms_000090 + - wn22_ms_000090 tags: - - WN19-MS-000090 + - WN22-MS-000090 - V-205673 - SRG-OS-000080-GPOS-00048 - SV-205673r857335_rule 
@@ -3491,7 +3491,7 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-MS-000100 | PATCH | Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right." +- name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right." ansible.windows.win_user_right: name: SeDenyServiceLogonRight users: 
@@ -3499,10 +3499,10 @@ - Domain Admins action: set when: - - wn19_ms_000100 + - wn22_ms_000100 - ansible_windows_domain_role == "Member server" tags: - - WN19-MS-000100 + - WN22-MS-000100 - V-205674 - SRG-OS-000080-GPOS-00048 - SV-205674r819709_rule 
@@ -3510,9 +3510,9 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-MS-000110 | PATCH | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." +- name: "MEDIUM | WN22-MS-000110 | PATCH | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: - - name: "MEDIUM | WN19-MS-000110 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000110 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight users: 
@@ -3522,7 +3522,7 @@ action: set when: ansible_windows_domain_role == "Member server" - - name: "MEDIUM | WN19-MS-000110 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000110 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight users: 
@@ -3530,9 +3530,9 @@ action: set when: not ansible_windows_domain_member when: - - wn19_ms_000110 + - wn22_ms_000110 tags: - - WN19-MS-000110 + - WN22-MS-000110 - V-205675 - SRG-OS-000080-GPOS-00048 - SV-205675r857337_rule 
@@ -3540,9 +3540,9 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-MS-000120 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." +- name: "MEDIUM | WN22-MS-000120 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." block: - - name: "MEDIUM | WN19-MS-000120 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000120 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight users: 
@@ -3553,7 +3553,7 @@ action: set when: ansible_windows_domain_role == "Member server" - - name: "MEDIUM | WN19-MS-000120 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000120 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight users: 
@@ -3561,9 +3561,9 @@ action: set when: not ansible_windows_domain_member when: - - wn19_ms_000120 + - wn22_ms_000120 tags: - - WN19-MS-000120 + - WN22-MS-000120 - V-205733 - SRG-OS-000297-GPOS-00115 - SV-205733r860033_rule 
@@ -3571,32 +3571,32 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-MS-000130 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems." +- name: "MEDIUM | WN22-MS-000130 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems." community.windows.win_security_policy: section: Privilege Rights key: SeEnableDelegationPrivilege value: "" when: - - wn19_ms_000130 + - wn22_ms_000130 tags: - - WN19-MS-000130 + - WN22-MS-000130 - V-205748 - SRG-OS-000324-GPOS-00125 - SV-205748r860034_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." +- name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." block: - - name: "MEDIUM | WN19-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter changed_when: false check_mode: false - register: wn19_PK_000010_audit + register: wn22_PK_000010_audit when: - - wn19_pk_000010 + - wn22_pk_000010 tags: - - WN19-PK-000010 + - WN22-PK-000010 - V-205648 - SRG-OS-000066-GPOS-00034 - SV-205648r819704_rule 
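Review bot: The registered fact for WN22-PK-000010 keeps the mixed-case name `wn22_PK_000010_audit`, while the sibling certificate audits register `wn22_pk_000020_audit` and `wn22_pk_000030_audit`; renaming it to `register: wn22_pk_000010_audit` keeps the role's variable naming consistent, since this line is rewritten anyway. Unlike the WN22-PK-000020 and WN22-PK-000030 blocks, this block runs only the `ansible.windows.win_shell` listing and never emits the `ansible.builtin.debug` "manual task" warning or imports `warning_facts.yml`, so the DoD Root CA check will not appear in the warning count — presumably an omission rather than intent, worth confirming. The registered output is also not displayed anywhere in this hunk, so the operator sees no result from the audit.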
@@ -3604,26 +3604,26 @@ - CCI-002470 - CAT2 -- name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." +- name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." block: - - name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." + - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false check_mode: false - register: wn19_pk_000020_audit + register: wn22_pk_000020_audit - - name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." + - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." 
- - name: "MEDIUM | WN19-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | import reuseable task." + - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-PK-000020' + warn_control_id: 'WN22-PK-000020' when: - - wn19_pk_000020 + - wn22_pk_000020 tags: - - WN19-PK-000020 + - WN22-PK-000020 - V-205649 - SRG-OS-000066-GPOS-00034 - SV-205649r857346_rule 
@@ -3631,26 +3631,26 @@ - CCI-002470 - CAT2 -- name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." +- name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." block: - - name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." + - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false check_mode: false - register: wn19_pk_000030_audit + register: wn22_pk_000030_audit - - name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." + - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." - - name: "MEDIUM | WN19-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | import reuseable task." 
+ - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-PK-000030' + warn_control_id: 'WN22-PK-000030' when: - - wn19_pk_000030 + - wn22_pk_000030 tags: - - WN19-PK-000030 + - WN22-PK-000030 - V-205650 - SRG-OS-000066-GPOS-00034 - SV-205650r573797_rule 
@@ -3658,116 +3658,116 @@ - CCI-002470 - CAT2 -- name: "MEDIUM | WN19-SO-000010 | PATCH | Windows Server 2019 must have the built-in guest account disabled." +- name: "MEDIUM | WN22-SO-000010 | PATCH | Windows Server 2019 must have the built-in guest account disabled." community.windows.win_security_policy: section: System Access key: EnableGuestAccount value: 0 when: - - wn19_so_000010 + - wn22_so_000010 tags: - - WN19-SO-000010 + - WN22-SO-000010 - V-205709 - SRG-OS-000121-GPOS-00062 - SV-205709r569188_rule - CCI-000804 - CAT2 -- name: "MEDIUM | WN19-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed." +- name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed." block: - - name: "MEDIUM | WN19-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warning For Bad Variable." + - name: "MEDIUM | WN22-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have not changed the default name for wn19stig_newadministratorname, please read" + - "Warning!! You have not changed the default name for wn22stig_newadministratorname, please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - "'adminchangethis' in wn19stig_newadministratorname" + - "'adminchangethis' in wn22stig_newadministratorname" - - name: "MEDIUM | WN19-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warn Count." + - name: "MEDIUM | WN22-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-SO-000030' + warn_control_id: 'WN22-SO-000030' when: - - "'adminchangethis' in wn19stig_newadministratorname" + - "'adminchangethis' in wn22stig_newadministratorname" - - name: "MEDIUM | WN19-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed. | Set Variable." + - name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed. | Set Variable." community.windows.win_security_policy: section: System Access key: NewAdministratorName - value: "{{ wn19stig_newadministratorname }}" + value: "{{ wn22stig_newadministratorname }}" when: - - "'adminchangethis' not in wn19stig_newadministratorname" + - "'adminchangethis' not in wn22stig_newadministratorname" when: - - wn19_so_000030 + - wn22_so_000030 tags: - - WN19-SO-000030 + - WN22-SO-000030 - V-205909 - SRG-OS-000480-GPOS-00227 - SV-205909r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed." +- name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed." block: - - name: "MEDIUM | WN19-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. | Warning For Bad Variable." + - name: "MEDIUM | WN22-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have not changed the default name for wn19stig_newguestname, please read" + - "Warning!! You have not changed the default name for wn22stig_newguestname, please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - "'guestchangethis' in wn19stig_newguestname" + - "'guestchangethis' in wn22stig_newguestname" - - name: "MEDIUM | WN19-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. 
| Warn Count." + - name: "MEDIUM | WN22-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN19-SO-000040' + warn_control_id: 'WN22-SO-000040' when: - - "'guestchangethis' in wn19stig_newguestname" + - "'guestchangethis' in wn22stig_newguestname" - - name: "MEDIUM | WN19-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed. | Set Variable." + - name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed. | Set Variable." community.windows.win_security_policy: section: System Access key: NewGuestName - value: "{{ wn19stig_newguestname }}" + value: "{{ wn22stig_newguestname }}" when: - - "'guestchangethis' not in wn19stig_newguestname" + - "'guestchangethis' not in wn22stig_newguestname" when: - - wn19_so_000040 + - wn22_so_000040 tags: - - WN19-SO-000040 + - WN22-SO-000040 - V-205910 - SRG-OS-000480-GPOS-00227 - SV-205910r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000050 | PATCH | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings." +- name: "MEDIUM | WN22-SO-000050 | PATCH | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ value: SCENoApplyLegacyAuditPolicy data: 1 datatype: dword when: - - wn19_so_000050 + - wn22_so_000050 tags: - - WN19-SO-000050 + - WN22-SO-000050 - V-205644 - SRG-OS-000062-GPOS-00031 - SV-205644r569188_rule - CCI-000169 - CAT2 -- name: "MEDIUM | WN19-SO-000060 | PATCH | Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." 
+- name: "MEDIUM | WN22-SO-000060 | PATCH | Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: RequireSignOrSeal data: 1 datatype: dword when: - - wn19_so_000060 + - wn22_so_000060 - ansible_windows_domain_role == "Member server" tags: - - WN19-SO-000060 + - WN22-SO-000060 - V-205821 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 
@@ -3777,17 +3777,17 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-SO-000080 | PATCH | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." +- name: "MEDIUM | WN22-SO-000080 | PATCH | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: SignSecureChannel data: 1 datatype: dword when: - - wn19_so_000080 + - wn22_so_000080 - ansible_windows_domain_role == "Member server" tags: - - WN19-SO-000080 + - WN22-SO-000080 - V-205823 - SRG-OS-000423-GPOS-00187 - SV-205823r569188_rule 
@@ -3796,48 +3796,48 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN19-SO-000090 | PATCH | Windows Server 2019 computer account password must not be prevented from being reset." +- name: "MEDIUM | WN22-SO-000090 | PATCH | Windows Server 2019 computer account password must not be prevented from being reset." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: DisablePasswordChange data: 0 datatype: dword when: - - wn19_so_000090 + - wn22_so_000090 tags: - - WN19-SO-000090 + - WN22-SO-000090 - V-205815 - SRG-OS-000379-GPOS-00164 - SV-205815r569188_rule - CCI-001967 - CAT2 -- name: "MEDIUM | WN19-SO-000100 | PATCH | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less." +- name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: MaximumPasswordAge data: 30 datatype: dword when: - - wn19_so_000100 + - wn22_so_000100 tags: - - WN19-SO-000100 + - WN22-SO-000100 - V-205911 - SRG-OS-000480-GPOS-00227 - SV-205911r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000110 | PATCH | Windows Server 2019 must be configured to require a strong session key." +- name: "MEDIUM | WN22-SO-000110 | PATCH | Windows Server 2019 must be configured to require a strong session key." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: RequireStrongKey data: 1 datatype: dword when: - - wn19_so_000110 + - wn22_so_000110 tags: - - WN19-SO-000110 + - WN22-SO-000110 - V-205824 - SRG-OS-000423-GPOS-00187 - SV-205824r569188_rule 
@@ -3845,16 +3845,16 @@ - CCI-002421 - CAT2 -- name: "MEDIUM | WN19-SO-000120 | PATCH | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." +- name: "MEDIUM | WN22-SO-000120 | PATCH | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: InactivityTimeoutSecs data: 900 datatype: dword when: - - wn19_so_000120 + - wn22_so_000120 tags: - - WN19-SO-000120 + - WN22-SO-000120 - V-205633 - SRG-OS-000028-GPOS-00009 - SV-205633r569188_rule 
@@ -3863,16 +3863,16 @@ - CCI-000060 - CAT2 -- name: "MEDIUM | WN19-SO-000130 | PATCH | Windows Server 2019 required legal notice must be configured to display before console logon." +- name: "MEDIUM | WN22-SO-000130 | PATCH | Windows Server 2019 required legal notice must be configured to display before console logon." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: LegalNoticeText - data: "{{ wn19stig_legalnoticetext }}" + data: "{{ wn22stig_legalnoticetext }}" datatype: string when: - - wn19_so_000130 + - wn22_so_000130 tags: - - WN19-SO-000130 + - WN22-SO-000130 - V-205631 - SRG-OS-000023-GPOS-00006 - SV-205631r569188_rule 
@@ -3885,32 +3885,32 @@ - CCI-001388 - CAT2 -- name: "MEDIUM | WN19-SO-000150 | PATCH | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation." +- name: "MEDIUM | WN22-SO-000150 | PATCH | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon value: scremoveoption data: 1 datatype: string when: - - wn19_so_000150 + - wn22_so_000150 tags: - - WN19-SO-000150 + - WN22-SO-000150 - V-205912 - SRG-OS-000480-GPOS-00227 - SV-205912r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000160 | PATCH | Windows Server 2019 etting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." +- name: "MEDIUM | WN22-SO-000160 | PATCH | Windows Server 2019 etting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters value: RequireSecuritySignature data: 1 datatype: dword when: - - wn19_so_000160 + - wn22_so_000160 tags: - - WN19-SO-000160 + - WN22-SO-000160 - V-205825 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 
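Review bot: The rewritten title for WN22-SO-000160 still carries the pre-existing typo `etting` (`Windows Server 2019 etting Microsoft network client: Digitally sign communications (always) ...`); since the line is already changed by this commit, it should read `setting Microsoft network client: Digitally sign communications (always)`, matching the wording of the WN22-SO-000170, 000190 and 000200 titles. The registry write itself (`RequireSecuritySignature` = 1 under `LanmanWorkstation\Parameters`) is unchanged from the 2019 role.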
@@ -3919,16 +3919,16 @@ - CCI-002421 - CAT2 -- name: "MEDIUM | WN19-SO-000170 | PATCH | Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." +- name: "MEDIUM | WN22-SO-000170 | PATCH | Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters value: EnableSecuritySignature data: 1 datatype: dword when: - - wn19_so_000170 + - wn22_so_000170 tags: - - WN19-SO-000170 + - WN22-SO-000170 - V-205826 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 
@@ -3937,32 +3937,32 @@ - CCI-002418 - CAT2 -- name: "MEDIUM | WN19-SO-000180 | PATCH | Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." +- name: "MEDIUM | WN22-SO-000180 | PATCH | Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters value: EnablePlainTextPassword data: 0 datatype: dword when: - - wn19_so_000180 + - wn22_so_000180 tags: - - WN19-SO-000180 + - WN22-SO-000180 - V-205655 - SRG-OS-000074-GPOS-00042 - SV-205655r569188_rule - CCI-000197 - CAT2 -- name: "MEDIUM | WN19-SO-000190 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." +- name: "MEDIUM | WN22-SO-000190 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters value: RequireSecuritySignature data: 1 datatype: dword when: - - wn19_so_000190 + - wn22_so_000190 tags: - - WN19-SO-000190 + - WN22-SO-000190 - V-205827 - SRG-OS-000423-GPOS-00187 - SV-205827r569188_rule 
@@ -3970,16 +3970,16 @@ - CCI-002421 - CAT2 -- name: "MEDIUM | WN19-SO-000200 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." +- name: "MEDIUM | WN22-SO-000200 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters value: EnableSecuritySignature data: 1 datatype: dword when: - - wn19_so_000200 + - wn22_so_000200 tags: - - WN19-SO-000200 + - WN22-SO-000200 - V-205828 - SRG-OS-000423-GPOS-00187 - SV-205828r569188_rule 
@@ -3987,176 +3987,176 @@ - CCI-002421 - CAT2 -- name: "MEDIUM | WN19-SO-000240 | PATCH | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group." +- name: "MEDIUM | WN22-SO-000240 | PATCH | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: EveryoneIncludesAnonymous data: 0 datatype: dword when: - - wn19_so_000240 + - wn22_so_000240 tags: - - WN19-SO-000240 + - WN22-SO-000240 - V-205915 - SRG-OS-000480-GPOS-00227 - SV-205915r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000260 | PATCH | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously." +- name: "MEDIUM | WN22-SO-000260 | PATCH | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: UseMachineId data: 1 datatype: dword when: - - wn19_so_000260 + - wn22_so_000260 tags: - - WN19-SO-000260 + - WN22-SO-000260 - V-205916 - SRG-OS-000480-GPOS-00227 - SV-205916r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000270 | PATCH | Windows Server 2019 must prevent NTLM from falling back to a Null session." +- name: "MEDIUM | WN22-SO-000270 | PATCH | Windows Server 2019 must prevent NTLM from falling back to a Null session." 
ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 value: allownullsessionfallback data: 0 datatype: dword when: - - wn19_so_000270 + - wn22_so_000270 tags: - - WN19-SO-000270 + - WN22-SO-000270 - V-205917 - SRG-OS-000480-GPOS-00227 - SV-205917r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000280 | PATCH | Windows Server 2019 Must prevent PKU2U authentication using online identities." +- name: "MEDIUM | WN22-SO-000280 | PATCH | Windows Server 2019 Must prevent PKU2U authentication using online identities." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u value: AllowOnlineID data: 0 datatype: dword when: - - wn19_so_000280 + - wn22_so_000280 tags: - - WN19-SO-000280 + - WN22-SO-000280 - V-205918 - SRG-OS-000480-GPOS-00227 - SV-205918r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000290 | PATCH | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." +- name: "MEDIUM | WN22-SO-000290 | PATCH | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters value: SupportedEncryptionTypes data: 2147483640 datatype: dword when: - - wn19_so_000290 + - wn22_so_000290 tags: - - WN19-SO-000290 + - WN22-SO-000290 - V-205708 - SRG-OS-000120-GPOS-00061 - - WN19-SO-000290 + - WN22-SO-000290 - CCI-000803 - CAT2 -- name: "MEDIUM | WN19-SO-000320 | PATCH | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing." +- name: "MEDIUM | WN22-SO-000320 | PATCH | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing." 
ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP value: LDAPClientIntegrity data: 1 datatype: dword when: - - wn19_so_000320 + - wn22_so_000320 tags: - - WN19-SO-000320 + - WN22-SO-000320 - V-205920 - SRG-OS-000480-GPOS-00227 - SV-205920r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000330 | PATCH | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption." +- name: "MEDIUM | WN22-SO-000330 | PATCH | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 value: NTLMMinClientSec data: 537395200 datatype: dword when: - - wn19_so_000330 + - wn22_so_000330 tags: - - WN19-SO-000330 + - WN22-SO-000330 - V-205921 - SRG-OS-000480-GPOS-00227 - SV-205921r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000340 | PATCH | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption." +- name: "MEDIUM | WN22-SO-000340 | PATCH | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 value: NTLMMinServerSec data: 537395200 datatype: dword when: - - wn19_so_000340 + - wn22_so_000340 tags: - - WN19-SO-000340 + - WN22-SO-000340 - V-205922 - SRG-OS-000480-GPOS-00227 - SV-205922r569188_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN19-SO-000350 | PATCH | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer." +- name: "MEDIUM | WN22-SO-000350 | PATCH | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer." 
ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography value: ForceKeyProtection data: 2 datatype: dword when: - - wn19_so_000350 + - wn22_so_000350 tags: - - WN19-SO-000350 + - WN22-SO-000350 - V-205651 - SRG-OS-000067-GPOS-00035 - SV-205651r569188_rule - CCI-000186 - CAT2 -- name: "MEDIUM | WN19-SO-000360 | PATCH | Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." +- name: "MEDIUM | WN22-SO-000360 | PATCH | Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager value: ProtectionMode data: 1 datatype: dword when: - - wn19_so_000360 + - wn22_so_000360 tags: - - WN19-SO-000360 + - WN22-SO-000360 - V-205842 - SRG-OS-000480-GPOS-00227 - SV-205842r569188_rule - CCI-002450 - CAT2 -- name: "MEDIUM | WN19-SO-000380 | PATCH | Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled." +- name: "MEDIUM | WN22-SO-000380 | PATCH | Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: FilterAdministratorToken data: 1 datatype: dword when: - - wn19_so_000380 + - wn22_so_000380 tags: - - WN19-SO-000380 + - WN22-SO-000380 - V-205811 - SRG-OS-000373-GPOS-00157 - SV-205811r569188_rule 
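Review bot: In the WN22-SO-000290 Kerberos task the tag list carries `- WN22-SO-000290` twice and has no `SV-…_rule` entry, unlike every other task in this hunk, which lists `V-`, `SRG-`, `SV-` and `CCI-` tags; the second occurrence looks like a copy-paste standing in for the rule id, and the commit renames it rather than fixing it. Replace the duplicate with the rule id from the 2022 benchmark (placeholder: `- SV-<rule id from the 2022 STIG>`) so filtering by rule tag works for this control. The remaining tasks in this hunk (000240 through 000380) are consistent in their tag sets.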
@@ -4164,39 +4164,39 @@
- CAT2

# - exclusions for server core? think its NA there
-- name: "MEDIUM | WN19-SO-000390 | PATCH | Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop."
+- name: "MEDIUM | WN22-SO-000390 | PATCH | Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
value: EnableUIADesktopToggle
data: 0
datatype: dword
when:
- - wn19_so_000390
+ - wn22_so_000390
tags:
- - WN19-SO-000390
+ - WN22-SO-000390
- V-205716
- SRG-OS-000134-GPOS-00068
- SV-205716r569188_rule
- CCI-001084
- CAT2

-- name: "MEDIUM | WN19-SO-000400 | PATCH | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop."
+- name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
value: ConsentPromptBehaviorAdmin
data: 2
datatype: dword
when:
- - wn19_so_000400
+ - wn22_so_000400
tags:
- - WN19-SO-000400
+ - WN22-SO-000400
- V-205717
- SRG-OS-000134-GPOS-00068
- SV-205717r569188_rule
- CCI-001084
- CAT2

-- name: "MEDIUM | WN19-SO-000410 | PATCH | Windows Server 2019 User Account Control must automatically deny standard user requests for elevation."
+- name: "MEDIUM | WN22-SO-000410 | PATCH | Windows Server 2019 User Account Control must automatically deny standard user requests for elevation."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
state: present
@@ -4204,89 +4204,89 @@ data: 0 datatype: dword when: - - wn19_so_000410 + - wn22_so_000410 tags: - - WN19-SO-000410 + - WN22-SO-000410 - V-205812 - SRG-OS-000373-GPOS-00157 - SV-205812r569188_rule - CCI-002038 - CAT2 -- name: "MEDIUM | WN19-SO-000420 | PATCH | Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation." +- name: "MEDIUM | WN22-SO-000420 | PATCH | Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableInstallerDetection data: 1 datatype: dword when: - - wn19_so_000420 + - wn22_so_000420 tags: - - WN19-SO-000420 + - WN22-SO-000420 - V-205718 - SRG-OS-000134-GPOS-00068 - SV-205718r569188_rule - CCI-001084 - CAT2 -- name: "MEDIUM | WN19-SO-000430 | PATCH | Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." +- name: "MEDIUM | WN22-SO-000430 | PATCH | Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableSecureUIAPaths data: 1 datatype: dword when: - - wn19_so_000430 + - wn22_so_000430 tags: - - WN19-SO-000430 + - WN22-SO-000430 - V-205719 - SRG-OS-000134-GPOS-00068 - SV-205719r569188_rule - CCI-001084 - CAT2 -- name: "MEDIUM | WN19-SO-000440 | PATCH | Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC." +- name: "MEDIUM | WN22-SO-000440 | PATCH | Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC." 
ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableLUA data: 1 datatype: dword when: - - wn19_so_000440 + - wn22_so_000440 tags: - - WN19-SO-000440 + - WN22-SO-000440 - V-205813 - SRG-OS-000373-GPOS-00157 - SV-205813r569188_rule - CCI-002038 - CAT2 -- name: "MEDIUM | WN19-SO-000450 | PATCH | Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations." +- name: "MEDIUM | WN22-SO-000450 | PATCH | Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableVirtualization data: 1 datatype: dword when: - - wn19_so_000450 + - wn22_so_000450 tags: - - WN19-SO-000450 + - WN22-SO-000450 - V-205720 - SRG-OS-000134-GPOS-00068 - SV-205720r569188_rule - CCI-001084 - CAT2 -- name: "MEDIUM | WN19-UC-000010 | PATCH | Windows Server 2019 must preserve zone information when saving attachments." +- name: "MEDIUM | WN22-UC-000010 | PATCH | Windows Server 2019 must preserve zone information when saving attachments." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments value: SaveZoneInformation data: 2 datatype: dword when: - - wn19_uc_000010 + - wn22_uc_000010 tags: - - WN19-UC-000010 + - WN22-UC-000010 - V-205924 - SRG-OS-000480-GPOS-00227 - SV-205924r569188_rule 
@@ -4294,67 +4294,67 @@ - CAT2 # [WARNING]: Using this module to edit rights and privileges is error-prone, use the win_user_right module instead -- name: "MEDIUM | WN19-UR-000010 | PATCH | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." +- name: "MEDIUM | WN22-UR-000010 | PATCH | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." community.windows.win_security_policy: section: Privilege Rights key: SeTrustedCredManAccessPrivilege value: "" when: - - wn19_ur_000010 + - wn22_ur_000010 tags: - - WN19-UR-000010 + - WN22-UR-000010 - V-205749 - SRG-OS-000324-GPOS-00125 - SV-205749r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000030 | PATCH | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000030 | PATCH | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeInteractiveLogonRight users: Administrators action: set when: - - wn19_ur_000030 + - wn22_ur_000030 tags: - - WN19-UR-000030 + - WN22-UR-000030 - V-205676 - SRG-OS-000080-GPOS-00048 - SV-205676r569188_rule - CCI-000213 - CAT2 -- name: "MEDIUM | WN19-UR-000040 | PATCH | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000040 | PATCH | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group." 
ansible.windows.win_user_right: name: SeBackupPrivilege users: Administrators action: set when: - - wn19_ur_000040 + - wn22_ur_000040 tags: - - WN19-UR-000040 + - WN22-UR-000040 - V-205751 - SRG-OS-000324-GPOS-00125 - SV-205751r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000050 | PATCH | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000050 | PATCH | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeCreatePagefilePrivilege users: Administrators action: set when: - - wn19_ur_000050 + - wn22_ur_000050 tags: - - WN19-UR-000050 + - WN22-UR-000050 - V-205752 - SRG-OS-000324-GPOS-00125 - SV-205752r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000070 | PATCH | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." +- name: "MEDIUM | WN22-UR-000070 | PATCH | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: name: SeCreateGlobalPrivilege users: 
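Review bot: `WN22-UR-000010` still clears `SeTrustedCredManAccessPrivilege` through `community.windows.win_security_policy`, while the sibling tasks in this hunk (`WN22-UR-000030`, `WN22-UR-000040`) use `ansible.windows.win_user_right`; the `# [WARNING]` comment directly above the task says editing Privilege Rights this way is error-prone and points at win_user_right instead. Switching to `win_user_right` with an empty `users` list and `action: set` removes the right from every principal and keeps the module choice consistent across the UR section. The same pattern recurs for `SeCreatePermanentPrivilege` (WN22-UR-000080) and `SeLockMemoryPrivilege` (WN22-UR-000160) in the following hunks.

```yaml
- name: "MEDIUM | WN22-UR-000010 | PATCH | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts."
  ansible.windows.win_user_right:
    name: SeTrustedCredManAccessPrivilege
    users: []
    action: set
  # … unchanged: when / tags …
```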
@@ -4364,61 +4364,61 @@ - Network Service action: set when: - - wn19_ur_000070 + - wn22_ur_000070 tags: - - WN19-UR-000070 + - WN22-UR-000070 - V-205754 - SRG-OS-000324-GPOS-00125 - SV-205754r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000080 | PATCH | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts." +- name: "MEDIUM | WN22-UR-000080 | PATCH | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts." community.windows.win_security_policy: section: Privilege Rights key: SeCreatePermanentPrivilege value: "" when: - - wn19_ur_000080 + - wn22_ur_000080 tags: - - WN19-UR-000080 + - WN22-UR-000080 - V-205755 - SRG-OS-000324-GPOS-00125 - SV-205755r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000090 | PATCH | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000090 | PATCH | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege users: Administrators action: set when: - - wn19_ur_000090 + - wn22_ur_000090 tags: - - WN19-UR-000090 + - WN22-UR-000090 - V-205756 - SRG-OS-000324-GPOS-00125 - SV-205756r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000110 | PATCH | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000110 | PATCH | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group." 
ansible.windows.win_user_right: name: SeRemoteShutdownPrivilege users: Administrators action: set when: - - wn19_ur_000110 + - wn22_ur_000110 tags: - - WN19-UR-000110 + - WN22-UR-000110 - V-205758 - SRG-OS-000324-GPOS-00125 - SV-205758r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000120 | PATCH | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service." +- name: "MEDIUM | WN22-UR-000120 | PATCH | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service." ansible.windows.win_user_right: name: SeAuditPrivilege users: @@ -4426,16 +4426,16 @@ - Network Service action: set when: - - wn19_ur_000120 + - wn22_ur_000120 tags: - - WN19-UR-000120 + - WN22-UR-000120 - V-205759 - SRG-OS-000324-GPOS-00125 - SV-205759r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000130 | PATCH | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." +- name: "MEDIUM | WN22-UR-000130 | PATCH | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: name: SeImpersonatePrivilege users: 
@@ -4445,69 +4445,69 @@ - Network Service action: set when: - - wn19_ur_000130 + - wn22_ur_000130 tags: - - WN19-UR-000130 + - WN22-UR-000130 - V-205760 - SRG-OS-000324-GPOS-00125 - SV-205760r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000140 | PATCH | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000140 | PATCH | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeIncreaseBasePriorityPrivilege users: Administrators action: set when: - - wn19_ur_000140 + - wn22_ur_000140 tags: - - WN19-UR-000140 + - WN22-UR-000140 - V-205761 - SRG-OS-000324-GPOS-00125 - SV-205761r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000150 | PATCH | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000150 | PATCH | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeLoadDriverPrivilege users: Administrators action: set when: - - wn19_ur_000150 + - wn22_ur_000150 tags: - - WN19-UR-000150 + - WN22-UR-000150 - V-205762 - SRG-OS-000324-GPOS-00125 - SV-205762r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000160 | PATCH | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts." +- name: "MEDIUM | WN22-UR-000160 | PATCH | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts." 
community.windows.win_security_policy: section: Privilege Rights key: SeLockMemoryPrivilege value: "" when: - - wn19_ur_000160 + - wn22_ur_000160 tags: - - WN19-UR-000160 + - WN22-UR-000160 - V-205763 - SRG-OS-000324-GPOS-00125 - SV-205763r569188_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN19-UR-000170 | PATCH | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000170 | PATCH | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeSecurityPrivilege users: Administrators action: set when: - - wn19_ur_000170 + - wn22_ur_000170 tags: - - WN19-UR-000170 + - WN22-UR-000170 - V-205643 - SRG-OS-000057-GPOS-00027 - SV-205643r569188_rule 
@@ -4518,75 +4518,75 @@
- CCI-001914
- CAT2

-- name: "MEDIUM | WN19-UR-000180 | PATCH | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group."
+- name: "MEDIUM | WN22-UR-000180 | PATCH | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group."
ansible.windows.win_user_right:
name: SeSystemEnvironmentPrivilege
users: Administrators
action: set
when:
- - wn19_ur_000180
+ - wn22_ur_000180
tags:
- - WN19-UR-000180
+ - WN22-UR-000180
- V-205764
- SRG-OS-000324-GPOS-00125
- SV-205764r569188_rule
- CCI-002235
- CAT2

-- name: "MEDIUM | WN19-UR-000190 | PATCH | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group."
+- name: "MEDIUM | WN22-UR-000190 | PATCH | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group."
ansible.windows.win_user_right:
name: SeManageVolumePrivilege
users: Administrators
action: set
when:
- - wn19_ur_000190
+ - wn22_ur_000190
tags:
- - WN19-UR-000190
+ - WN22-UR-000190
- V-205765
- SRG-OS-000324-GPOS-00125
- SV-205765r569188_rule
- CCI-002235
- CAT2

-- name: "MEDIUM | WN19-UR-000200 | PATCH | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group."
+- name: "MEDIUM | WN22-UR-000200 | PATCH | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group."
ansible.windows.win_user_right:
name: SeProfileSingleProcessPrivilege
users: Administrators
action: set
when:
- - wn19_ur_000200
+ - wn22_ur_000200
tags:
- - WN19-UR-000200
+ - WN22-UR-000200
- V-205766
- SRG-OS-000324-GPOS-00125
- SV-205766r569188_rule
- CCI-002235
- CAT2

-- name: "MEDIUM | WN19-UR-000210 | PATCH | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group."
+- name: "MEDIUM | WN22-UR-000210 | PATCH | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group."
ansible.windows.win_user_right:
name: SeRestorePrivilege
users: Administrators
action: set
when:
- - wn19_ur_000210
+ - wn22_ur_000210
tags:
- - WN19-UR-000210
+ - WN22-UR-000210
- V-205767
- SRG-OS-000324-GPOS-00125
- SV-205767r569188_rule
- CCI-002235
- CAT2

-- name: "MEDIUM | WN19-UR-000220 | PATCH | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group."
+- name: "MEDIUM | WN22-UR-000220 | PATCH | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group."
ansible.windows.win_user_right:
name: SeTakeOwnershipPrivilege
users: Administrators
action: set
when:
- - wn19_ur_000220
+ - wn22_ur_000220
tags:
- - WN19-UR-000220
+ - WN22-UR-000220
- V-205768
- SRG-OS-000324-GPOS-00125
- SV-205768r569188_rule
From 1c66f9c5412286e44ca5d040d3ed911d07366cd2 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Fri, 23 Jun 2023 16:18:31 -0400
Subject: [PATCH 18/95] update cat2+3-5

Signed-off-by: Frederick Witty
---
tasks/cat2.yml | 1002 ++++++++++++++++++++++++------------------------
1 file changed, 501 insertions(+), 501 deletions(-)

diff --git a/tasks/cat2.yml b/tasks/cat2.yml
index fe85e0c..95ce78c 100644
--- a/tasks/cat2.yml
+++ b/tasks/cat2.yml
@@ -1,9 +1,9 @@
---
# enumerating on DC is different than standalone
-- name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
+- name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
block:
- - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
+ - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
ansible.windows.win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age }}))} | Select Name,PasswordLastSet"
# win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet"
changed_when: false
@@ -11,7 +11,7 @@
register: wn22_00_000020_audit_dc
when: "'controller' in ansible_windows_domain_role"

- - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
+ - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
ansible.builtin.debug:
msg:
- "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age }}"
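Review bot: `wn22stig_pass_age` is interpolated unchecked into the PowerShell `AddDays(-{{ wn22stig_pass_age }})` expression in the domain-controller win_shell task, and again in the member/standalone variant in the next hunk; an empty or non-integer value yields a malformed command rather than a clear failure. An `ansible.builtin.assert` at the head of the block, `that: - wn22stig_pass_age | int > 0` with a `fail_msg` naming the variable, would make the precondition explicit before either audit runs. The commented-out `# win_shell:` line referencing `wn22stig_krbtgt_pass_age` is dead code on the new side and should either become its own task or be dropped. The enclosing block opens in this hunk and continues past the end of the second hunk.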
@@ -20,13 +20,13 @@
- not wn22_00_000020_audit_dc is skipped
- wn22_00_000020_audit_dc.stdout != ""

- - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
+ - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
ansible.windows.win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age }}))} | Select Name,PasswordLastSet"
changed_when: false
check_mode: false
register: wn22_00_000020_audit_dm_sa

- - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
+ - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days."
ansible.builtin.debug:
msg:
- "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age }}"
@@ -56,15 +56,15 @@
- audit
- CAT2

-- name: "MEDIUM | WN22-00-000040 | AUDIT | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+- name: "MEDIUM | WN22-00-000040 | AUDIT | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
block:
- - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
ansible.windows.win_shell: Get-LocalGroupMember -Name 'Backup Operators'
changed_when: false
check_mode: false
register: wn22_00_000040_audit

- - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
+ - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks."
ansible.builtin.debug:
msg:
- The accounts listed are members of the Backup Operators group
@@ -74,7 +74,7 @@
- wn22_00_000040_audit.stdout != ""
changed_when: false

- - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2019 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Warn Count."
+ - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks. | Warn Count."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000040'
@@ -93,13 +93,13 @@
- audit
- CAT2

-- name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length."
+- name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2022 manually managed application account passwords must be at least 15 characters in length."
block:
- - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Message out"
+ - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2022 manually managed application account passwords must be at least 15 characters in length. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 manually managed application account passwords must be at least 15 characters in length."
+ msg: "Warning!! This is a manual task. Windows Server 2022 manually managed application account passwords must be at least 15 characters in length."

- - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2019 manually managed application account passwords must be at least 15 characters in length. | Warn Count."
+ - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2022 manually managed application account passwords must be at least 15 characters in length. | Warn Count."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000050'
@@ -113,13 +113,13 @@
- CCI-000205
- CAT2
-- name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
+- name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
block:
- - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Message out"
+ - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
+ msg: "Warning!! This is a manual task. Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
- - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2019 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000060'
@@ -134,13 +134,13 @@
- CAT2
# how to make this list?
-- name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted."
+- name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2022 shared user accounts must not be permitted."
block:
- - name: "MEDIUM | WN22-00-000070 | Windows Server 2019 shared user accounts must not be permitted. | Message out"
+ - name: "MEDIUM | WN22-00-000070 | Windows Server 2022 shared user accounts must not be permitted. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 shared user accounts must not be permitted."
+ msg: "Warning!! This is a manual task. Windows Server 2022 shared user accounts must not be permitted."
- - name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2019 shared user accounts must not be permitted. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2022 shared user accounts must not be permitted. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000070'
@@ -154,13 +154,13 @@
- CCI-000764
- CAT2
-- name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+- name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
block:
- - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Message out"
+ - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
+ msg: "Warning!! This is a manual task. Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
- - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2019 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000080'
@@ -176,13 +176,13 @@
# Get-AppLockerPolicy -Effective
# Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine.
-- name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
+- name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
block:
- - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out"
+ - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
+ msg: "Warning!! This is a manual task. Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
- - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2019 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000090'
@@ -198,13 +198,13 @@
# wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get *
# if not enabled see "No Instance(s) Available." ?
-- name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system."
+- name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system."
block:
- - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | Message out"
+ - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 must have a host-based intrusion detection or prevention system."
+ msg: "Warning!! This is a manual task. Windows Server 2022 must have a host-based intrusion detection or prevention system."
- - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2019 must have a host-based intrusion detection or prevention system. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000120'
@@ -219,13 +219,13 @@
- CAT2
# think this is mcafee but need install and figure out paths for AV vs HIDS and/or running services?
-- name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
+- name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
block:
- - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | Message out"
+ - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
+ msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
- - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2019 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000140'
@@ -239,13 +239,13 @@
- CCI-002165
- CAT2
-- name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements."
+- name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements."
block:
- - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | Message out"
+ - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 permissions for program file directories must conform to minimum requirements."
+ msg: "Warning!! This is a manual task. Windows Server 2022 permissions for program file directories must conform to minimum requirements."
- - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2019 permissions for program file directories must conform to minimum requirements. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000150'
@@ -259,13 +259,13 @@
- CCI-002165
- CAT2
-- name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements."
+- name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements."
block:
- - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | Message out"
+ - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements."
+ msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements."
- - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2019 permissions for the Windows installation directory must conform to minimum requirements. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000160'
@@ -279,13 +279,13 @@
- CCI-002165
- CAT2
-- name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+- name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
block:
- - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Message out"
+ - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
+ msg: "Warning!! This is a manual task. Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
- - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2019 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000170'
@@ -299,13 +299,13 @@
- CCI-002235
- CAT2
-- name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled."
+- name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2022 outdated or unused accounts must be removed from the system or disabled."
block:
- - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | Message out"
+ - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2022 outdated or unused accounts must be removed from the system or disabled. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 outdated or unused accounts must be removed from the system or disabled."
+ msg: "Warning!! This is a manual task. Windows Server 2022 outdated or unused accounts must be removed from the system or disabled."
- - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2019 outdated or unused accounts must be removed from the system or disabled. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2022 outdated or unused accounts must be removed from the system or disabled. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000190'
@@ -319,9 +319,9 @@
- CCI-000795
- CAT2
-- name: "MEDIUM | WN22-00-000200 | AUDIT | Windows Server 2019 accounts must require passwords."
+- name: "MEDIUM | WN22-00-000200 | AUDIT | Windows Server 2022 accounts must require passwords."
block:
- - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords."
+ - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 accounts must require passwords."
ansible.windows.win_shell: Get-Aduser -Filter "(Passwordnotrequired -eq 'True') -and (Enabled -eq 'True')" | Select Name,Passwordnotrequired,Enabled
changed_when: false
failed_when: false
@@ -329,7 +329,7 @@
register: wn22_00_000200_audit_dc
when: ansible_windows_domain_role == "Primary domain controller"
- - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2019 accounts must require passwords."
+ - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 accounts must require passwords."
ansible.builtin.debug:
msg:
- The accounts listed are do not require a password and are currently enabled
@@ -338,7 +338,7 @@
- not wn22_00_000200_audit_dc is skipped
- wn22_00_000200_audit_dc.stdout != ""
- - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords."
+ - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 accounts must require passwords."
ansible.windows.win_shell: Get-LocalUser | Where-Object {($_.PasswordRequired -ne 'True' -and $_.Enabled -eq 'True')} | Select Name,PasswordRequired,Enabled
changed_when: false
failed_when: false
@@ -346,7 +346,7 @@
register: wn22_00_000200_audit_dm_sa
when: not ansible_windows_domain_role == "Primary domain controller"
- - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2019 accounts must require passwords."
+ - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 accounts must require passwords."
ansible.builtin.debug:
msg:
- The accounts listed are do not require a password and are currently enabled
@@ -375,9 +375,9 @@
- audit
- CAT2
-- name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire."
+- name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire."
block:
- - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire."
+ - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire."
ansible.windows.win_shell: |
Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" |
Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} |
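Review bot: The member/stand-alone branch of WN22-00-000200 is gated only on `when: not ansible_windows_domain_role == "Primary domain controller"`, so any host whose role fact is another domain-controller value (in my experience the fact also reports "Backup domain controller" for additional DCs — confirm against the fact on such a host) would be audited with `Get-LocalUser` rather than `Get-ADUser`, and the domain-wide password-not-required check would silently not run there. A role-agnostic condition such as `when: "'domain controller' not in (ansible_windows_domain_role | lower)"` (with the positive form on the DC task in the earlier hunk) closes that gap. Separately, the context line `- The accounts listed are do not require a password and are currently enabled` should drop `are`. The enclosing block starts outside this hunk.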
@@ -387,11 +387,11 @@
check_mode: false
register: wn22_00_000210_audit
- - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| Message out"
+ - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire.| Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 passwords must be configured to expire."
+ msg: "Warning!! This is a manual task. Windows Server 2022 passwords must be configured to expire."
- - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2019 passwords must be configured to expire.| import reuseable task."
+ - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire.| import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000210'
@@ -405,13 +405,13 @@
- CAT2
- CCI-000199
-- name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes."
+- name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2022 system files must be monitored for unauthorized changes."
block:
- - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | Message out"
+ - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2022 system files must be monitored for unauthorized changes. | Message out"
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 system files must be monitored for unauthorized changes."
+ msg: "Warning!! This is a manual task. Windows Server 2022 system files must be monitored for unauthorized changes."
- - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2019 system files must be monitored for unauthorized changes. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2022 system files must be monitored for unauthorized changes. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000220'
@@ -426,20 +426,20 @@
- CAT2
# Some third party software to monitor files
-- name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+- name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it."
block:
- - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+ - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it."
ansible.windows.win_shell: Get-SmbShare | Where-Object -FilterScript {$_.Special -EQ $False}
changed_when: false
failed_when: false
check_mode: false
register: wn22_00_000230_audit
- - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+ - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it."
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it."
+ msg: "Warning!! This is a manual task. Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it."
- - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2019 non-system-created file shares on a system must limit access to groups that require it. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000230'
@@ -454,9 +454,9 @@
- CAT2
# https://stackoverflow.com/questions/31049454/how-to-retrieve-recursively-any-files-with-a-specific-extensions-in-powershell/31049571
-- name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed."
+- name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed."
block:
- - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed."
+ - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed."
ansible.windows.win_find:
paths: c:\
patterns: ['*.p12', '*.pfx']
@@ -467,11 +467,11 @@
register: wn22_00_000240_audit
when: long_running
- - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed."
+ - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed."
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 must have software certificate installation files removed."
+ msg: "Warning!! This is a manual task. Windows Server 2022 must have software certificate installation files removed."
- - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2019 must have software certificate installation files removed. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000240'
@@ -487,13 +487,13 @@
# do we need async; its very long running to search filesystems
# get an array of drive letters to search?
-- name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+- name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
block:
- - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+ - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
+ msg: "Warning!! This is a manual task. Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
- - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2019 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000250'
@@ -509,13 +509,13 @@
- CCI-002476
- CAT2
-- name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+- name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
block:
- - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+ - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
+ msg: "Warning!! This is a manual task. Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
- - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2019 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000260'
@@ -530,20 +530,20 @@
- CCI-002422
- CAT2
-- name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented."
+- name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented."
block:
- - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 bust have the roles and features required by the system documented."
+ - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 bust have the roles and features required by the system documented."
ansible.windows.win_shell: Get-WindowsFeature | Where-Object -FilterScript {$_.Installed -EQ $True}
changed_when: false
failed_when: false
check_mode: false
register: wn22_00_000270_audit
- - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented."
+ - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented."
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 must have the roles and features required by the system documented."
+ msg: "Warning!! This is a manual task. Windows Server 2022 must have the roles and features required by the system documented."
- - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2019 must have the roles and features required by the system documented. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000270'
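Review bot: The rewritten inner task name for WN22-00-000270 still carries the typo "bust" from the 2019 text: `Windows Server 2022 bust have the roles and features required by the system documented.` Since this commit already rewrites that line, fix it at the same time so the task name matches the parent and sibling names in the block: `- name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented."`. Wording only; the `Get-WindowsFeature` audit logic is unchanged.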
@@ -557,13 +557,13 @@
- CCI-000381
- CAT2
-- name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled."
+- name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled."
block:
- - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled."
+ - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled."
ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 must have a host-based firewall installed and enabled."
+ msg: "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled."
- - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2019 must have a host-based firewall installed and enabled. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled. | import reuseable task."
ansible.builtin.import_tasks: warning_facts.yml
vars:
warn_control_id: 'WN22-00-000280'
@@ -578,13 +578,13 @@ - CCI-002080 - CAT2 -- name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." +- name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." block: - - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." + - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." ansible.builtin.debug: - msg: "Warning!! This is a manual task. 
Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." + msg: "Warning!! This is a manual task. Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." - - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2019 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reuseable task." + - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000290' 
@@ -598,13 +598,13 @@ - CCI-001233 - CAT2 -- name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." +- name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours." block: - - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." + - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours." + msg: "Warning!! This is a manual task. Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours." - - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2019 must automatically remove or disable temporary user accounts after 72 hours. | import reuseable task." + - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000300' 
@@ -618,13 +618,13 @@ - CCI-000016 - CAT2 -- name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." +- name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." block: - - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." + - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." + msg: "Warning!! This is a manual task. Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." - - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2019 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | import reuseable task." + - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000310' @@ -638,7 +638,7 @@ - CCI-001682 - CAT2 -- name: "MEDIUM | WN22-00-000320 | PATCH | Windows Server 2019 must not have the Fax Server role installed." +- name: "MEDIUM | WN22-00-000320 | PATCH | Windows Server 2022 must not have the Fax Server role installed." ansible.windows.win_feature: name: Fax state: absent 
@@ -653,7 +653,7 @@
 - CCI-000381
 - CAT2
 
-- name: "MEDIUM | WN22-00-000330 | PATCH | Windows Server 2019 must not have the Microsoft FTP service installed unless required by the organization."
+- name: "MEDIUM | WN22-00-000330 | PATCH | Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization."
 ansible.windows.win_feature:
 name: Web-Ftp-Server
 state: absent
@@ -668,7 +668,7 @@
 - CCI-000382
 - CAT2
 
-- name: "MEDIUM | WN22-00-000340 | PATCH | Windows Server 2019 must not have the Peer Name Resolution Protocol installed."
+- name: "MEDIUM | WN22-00-000340 | PATCH | Windows Server 2022 must not have the Peer Name Resolution Protocol installed."
 ansible.windows.win_feature:
 name: PNRP
 state: absent
@@ -683,7 +683,7 @@
 - CCI-000381
 - CAT2
 
-- name: "MEDIUM | WN22-00-000350 | PATCH | Windows Server 2019 must not have Simple TCP/IP Services installed."
+- name: "MEDIUM | WN22-00-000350 | PATCH | Windows Server 2022 must not have Simple TCP/IP Services installed."
 ansible.windows.win_feature:
 name: Simple-TCPIP
 state: absent
@@ -697,7 +697,7 @@
 - CCI-000381
 - CAT2
 
-- name: "MEDIUM | WN22-00-000360 | PATCH | Windows Server 2019 must not have the Telnet Client installed."
+- name: "MEDIUM | WN22-00-000360 | PATCH | Windows Server 2022 must not have the Telnet Client installed."
 ansible.windows.win_feature:
 name: Telnet-Client
 state: absent
@@ -711,7 +711,7 @@
 - CCI-000382
 - CAT2
 
-- name: "MEDIUM | WN22-00-000370 | PATCH | Windows Server 2019 must not have the TFTP Client installed."
+- name: "MEDIUM | WN22-00-000370 | PATCH | Windows Server 2022 must not have the TFTP Client installed."
 ansible.windows.win_feature:
 name: TFTP-Client
 state: absent
@@ -725,7 +725,7 @@
 - CCI-000381
 - CAT2
 
-- name: "MEDIUM | WN22-00-000380 | PATCH | Windows Server 2019 must not have the Server Message Block (SMB) v1 protocol installed."
+- name: "MEDIUM | WN22-00-000380 | PATCH | Windows Server 2022 must not have the Server Message Block (SMB) v1 protocol installed."
 ansible.windows.win_feature:
 name: FS-SMB1
 state: absent
@@ -740,7 +740,7 @@
 - SV-205682r819711_rule
 - CCI-000381
 
-- name: "MEDIUM | WN22-00-000390 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
+- name: "MEDIUM | WN22-00-000390 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
 name: SMB1
@@ -757,7 +757,7 @@
 - CCI-000381
 - CAT2
 
-- name: "MEDIUM | WN22-00-000400 | PATCH | Windows Server 2019 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
+- name: "MEDIUM | WN22-00-000400 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10
 name: Start
@@ -774,7 +774,7 @@
 - CCI-000381
 - CAT2
 
-- name: "MEDIUM | WN22-00-000410 | PATCH | Windows Server 2019 must not have Windows PowerShell 2.0 installed."
+- name: "MEDIUM | WN22-00-000410 | PATCH | Windows Server 2022 must not have Windows PowerShell 2.0 installed."
 ansible.windows.win_feature:
 name: PowerShell-V2
 state: absent
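Review bot: The new-side title for WN22-00-000400 is word-for-word the WN22-00-000390 title ("…disabled on the SMB server"), yet the task edits `HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10`, the SMB 1.x redirector used on the client side, rather than the LanmanServer parameters the previous task touches; the title looks copy-pasted and will mislead anyone reading play output or an audit report. Suggest `Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.` after confirming the wording against the STIG text for this control ID. The regedit `data`/`type` lines for both registry tasks fall outside the hunk, so the actual values set were not reviewed here.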
@@ -788,13 +788,13 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons." +- name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent anonymous logons." block: - - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons." + - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent anonymous logons." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 FTP servers must be configured to prevent anonymous logons." + msg: "Warning!! This is a manual task. Windows Server 2022 FTP servers must be configured to prevent anonymous logons." - - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent anonymous logons. | import reuseable task." + - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent anonymous logons. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000420' 
@@ -808,13 +808,13 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive." +- name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent access to the system drive." block: - - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive." + - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent access to the system drive." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 FTP servers must be configured to prevent access to the system drive." + msg: "Warning!! This is a manual task. Windows Server 2022 FTP servers must be configured to prevent access to the system drive." - - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2019 FTP servers must be configured to prevent access to the system drive. | import reuseable task." + - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent access to the system drive. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000430' 
@@ -828,13 +828,13 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" +- name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights" block: - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights" + msg: "Warning!! This is a manual task. Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights" - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights | import reuseable task." + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000450' 
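Review bot: The WN22-00-000450 titles read `must have orphaned security identifiers (SIDs) must be removed from user rights` — two "must" clauses in one sentence, carried forward unchanged on the new side — and, unlike the neighbouring controls, none of the three (outer name, inner name, debug message) ends with a period. Suggest `Windows Server 2022 must have orphaned security identifiers (SIDs) removed from user rights.` for all three so the warning text reads cleanly in the summary produced by warning_facts.yml.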
@@ -847,12 +847,12 @@ - SV-205855r569188_rule - CCI-000366 - CAT2 - # https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-78127 + # https://www.stigviewer.com/stig/windows_server_2016/2022-01-16/finding/V-78127 # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS. -- name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less." +- name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." block: - - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" @@ -861,7 +861,7 @@ - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 - - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000020' 
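Review bot: The blanket 2019→2022 replacement also rewrote the reference comment to `# https://www.stigviewer.com/stig/windows_server_2016/2022-01-16/finding/V-78127`, but that path segment is the STIG release date, not an OS version, so the link is now almost certainly broken; restore `2019-01-16` in that comment (or drop the URL) and spot-check the remaining hunks for similar collateral edits to dates and literals. While here, the debug text `invalid number of days set for wn22stig_lockoutbadcount` describes a count of attempts, not days; `invalid number of attempts set for wn22stig_lockoutbadcount` would be accurate.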
@@ -869,7 +869,7 @@ - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 - - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." + - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." community.windows.win_security_policy: section: System Access key: LockoutBadCount @@ -889,9 +889,9 @@ - CAT2 # below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." block: - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." ansible.builtin.debug: msg: - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" 
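Review bot: The new-side name `- name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period … 15 minutes or greater."` has no opening quote; YAML accepts it as a plain scalar, so the task name silently ends with a literal `"` and differs in form from every other name in the file. Add the opening `"` here and on the `Warn Count` task in the following hunk (@@ -899), which has the same defect. The context comment above it still says the task depends on `WN16-AC-000020`; the control it depends on in this file is `WN22-AC-000020`, so that comment should be updated as well.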
@@ -899,14 +899,14 @@ when: - wn22stig_resetlockoutcount < 15 - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000030' when: - wn22stig_resetlockoutcount < 15 - - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" + - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" community.windows.win_security_policy: section: System Access key: ResetLockoutCount @@ -926,9 +926,9 @@ - CAT2 # below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater." +- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." block: - - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." ansible.builtin.debug: msg: - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" 
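Review bot: In the @@ -926 hunk the "Warning For Bad Variable" task for WN22-AC-000010 is labelled `| PATCH |` on the new side, while the equivalent debug-only tasks for WN22-AC-000020, 000030 and 000050 use `| AUDIT |`; since it only prints a message, `| AUDIT |` keeps the label consistent with its siblings and with anything that filters play output on that token. The same applies to the `Warn Count` import task for this control in the next hunk (@@ -937).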
@@ -937,7 +937,7 @@
 - wn22stig_lockoutduration < 15
 - wn22stig_lockoutduration > 0
 
- - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Warn Count."
+ - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warn Count."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-AC-000010'
@@ -945,7 +945,7 @@
 - wn22stig_lockoutduration < 15
 - wn22stig_lockoutduration > 0
 
- - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. | Apply Variable."
+ - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Apply Variable."
 community.windows.win_security_policy:
 section: System Access
 key: LockoutDuration
@@ -964,7 +964,7 @@
 - CCI-002238
 - CAT2
 
-- name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2019 password history must be configured to 24 passwords remembered."
+- name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered."
 community.windows.win_security_policy:
 section: System Access
 key: PasswordHistorySize
@@ -979,9 +979,9 @@ - CCI-000200 - CAT2 -- name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less." +- name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2022 maximum password age must be configured to 60 days or less." block: - - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2022 maximum password age must be configured to 60 days or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - "Warning!! You have a invalid number of days set for wn22stig_maximumpasswordage please read" @@ -990,7 +990,7 @@ - wn22stig_maximumpasswordage == 0 or wn22stig_maximumpasswordage > 60 - - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2019 maximum password age must be configured to 60 days or less. | Warn Count." + - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2022 maximum password age must be configured to 60 days or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000050' @@ -998,7 +998,7 @@ - wn22stig_maximumpasswordage == 0 or wn22stig_maximumpasswordage > 60 - - name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2019 maximum password age must be configured to 60 days or less. | Apply Variable." + - name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2022 maximum password age must be configured to 60 days or less. | Apply Variable." community.windows.win_security_policy: section: System Access key: MaximumPasswordAge 
@@ -1016,9 +1016,9 @@ - CCI-000199 - CAT2 -- name: "MEDIUM | WN22-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day." +- name: "MEDIUM | WN22-AC-000060 | PATCH | Windows Server 2022 minimum password age must be configured to at least one day." block: - - name: "MEDIUM | WN22-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000060 | AUDIT | Windows Server 2022 minimum password age must be configured to at least one day. | Warning For Bad Variable." ansible.builtin.debug: msg: - "Warning!! You have a invalid number of days set for wn22stig_minimumpasswordage please read" @@ -1026,14 +1026,14 @@ when: - wn22stig_minimumpasswordage == 0 - - name: "MEDIUM | WN22-AC-000060 | AUDIT | Windows Server 2019 minimum password age must be configured to at least one day. | Warn Count." + - name: "MEDIUM | WN22-AC-000060 | AUDIT | Windows Server 2022 minimum password age must be configured to at least one day. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000060' when: wn22stig_minimumpasswordage == 0 - - name: "MEDIUM | WN22-AC-000060 | PATCH | Windows Server 2019 minimum password age must be configured to at least one day. | Set Variable." + - name: "MEDIUM | WN22-AC-000060 | PATCH | Windows Server 2022 minimum password age must be configured to at least one day. | Set Variable." community.windows.win_security_policy: section: System Access key: MinimumPasswordAge 
@@ -1050,9 +1050,9 @@ - CCI-000198 - CAT2 -- name: "MEDIUM | WN22-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters." +- name: "MEDIUM | WN22-AC-000070 | PATCH | Windows Server 2022 minimum password length must be configured to 14 characters." block: - - name: "MEDIUM | WN22-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warning For Bad Variable." + - name: "MEDIUM | WN22-AC-000070 | AUDIT | Windows Server 2022 minimum password length must be configured to 14 characters. | Warning For Bad Variable." ansible.builtin.debug: msg: - "Warning!! You have a invalid password length for wn22stig_minimumpasswordlength please read" @@ -1060,14 +1060,14 @@ when: - wn22stig_minimumpasswordlength < 14 - - name: "MEDIUM | WN22-AC-000070 | AUDIT | Windows Server 2019 minimum password length must be configured to 14 characters. | Warn Count." + - name: "MEDIUM | WN22-AC-000070 | AUDIT | Windows Server 2022 minimum password length must be configured to 14 characters. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000070' when: - wn22stig_minimumpasswordlength < 14 - - name: "MEDIUM | WN22-AC-000070 | PATCH | Windows Server 2019 minimum password length must be configured to 14 characters. | Apply Variable." + - name: "MEDIUM | WN22-AC-000070 | PATCH | Windows Server 2022 minimum password length must be configured to 14 characters. | Apply Variable." community.windows.win_security_policy: section: System Access key: MinimumPasswordLength @@ -1084,7 +1084,7 @@ - CCI-000205 - CAT2 -- name: "MEDIUM | WN22-AC-000080 | PATCH | Windows Server 2019 must have the built-in Windows password complexity policy enabled." +- name: "MEDIUM | WN22-AC-000080 | PATCH | Windows Server 2022 must have the built-in Windows password complexity policy enabled." community.windows.win_security_policy: section: System Access key: PasswordComplexity 
@@ -1102,13 +1102,13 @@ - CCI-001619 - CAT2 -- name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." +- name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited." block: - - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." + - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 audit records must be backed up to a different system or media than the system being audited." + msg: "Warning!! This is a manual task. Windows Server 2022 audit records must be backed up to a different system or media than the system being audited." - - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2019 audit records must be backed up to a different system or media than the system being audited. | import reuseable task." + - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AU-000010' 
@@ -1122,13 +1122,13 @@ - CCI-001851 - CAT2 -- name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." +- name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." block: - - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." + - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." + msg: "Warning!! This is a manual task. Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." - - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2019 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task." + - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AU-000020' 
@@ -1143,13 +1143,13 @@ - CAT2 # hard one, either need to standardize on say log shipping like splunk or other is set? -- name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." +- name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts." + msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts." - - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2019 permissions for the Application event log must prevent access by non-privileged accounts. | import reuseable task." + - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AU-000030' 
@@ -1165,13 +1165,13 @@ - CCI-000164 - CAT2 -- name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." +- name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts." + msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts." - - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2019 permissions for the Security event log must prevent access by non-privileged accounts. | import reuseable task." + - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AU-000040' 
@@ -1187,13 +1187,13 @@ - CCI-000164 - CAT2 -- name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." +- name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts." + msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts." - - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2019 permissions for the System event log must prevent access by non-privileged accounts. | import reuseable task." + - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AU-000050' 
@@ -1209,13 +1209,13 @@ - CCI-000164 - CAT2 -- name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." +- name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion." block: - - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." + - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion." + msg: "Warning!! This is a manual task. Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion." - - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2019 Event Viewer must be protected from unauthorized modification and deletion. | import reuseable task." + - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AU-000060' 
@@ -1230,16 +1230,16 @@ - CCI-001495 - CAT2 -- name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." +- name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes." block: - - name: "MEDIUM | WN22-AU-000070 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." + - name: "MEDIUM | WN22-AU-000070 | AUDIT | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000070_audit - - name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation successes." + - name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable when: "'Success' not in wn22_au_000070_audit.stdout" when: 
@@ -1252,16 +1252,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." +- name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures." block: - - name: "MEDIUM | WN22-AU-000080 | AUDIT | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." + - name: "MEDIUM | WN22-AU-000080 | AUDIT | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000080_audit - - name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2019 must be configured to audit Account Logon - Credential Validation failures." + - name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable when: "'Failure' not in wn22_au_000080_audit.stdout" when: 
@@ -1274,16 +1274,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." +- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." block: - - name: "MEDIUM | WN22-AU-000090 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000090 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000090_audit - - name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2019 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable when: "'Success' not in wn22_au_000090_audit.stdout" when: 
@@ -1297,16 +1297,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." +- name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management failures." block: - - name: "MEDIUM | WN22-AU-000120 | AUDIT | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." + - name: "MEDIUM | WN22-AU-000120 | AUDIT | Windows Server 2022 must be configured to audit Account Management - User Account Management failures." ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000120_audit - - name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2019 must be configured to audit Account Management - User Account Management failures." + - name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management failures." ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable when: "'Failure' not in wn22_au_000120_audit.stdout" when: 
@@ -1324,16 +1324,16 @@ - CCI-002130 - CAT2 -- name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." +- name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes." block: - - name: "MEDIUM | WN22-AU-000130 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." + - name: "MEDIUM | WN22-AU-000130 | AUDIT | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000130_audit - - name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Plug and Play Events successes." + - name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable when: "'Success' not in wn22_au_000130_audit.stdout" when: 
@@ -1346,16 +1346,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." +- name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes." block: - - name: "MEDIUM | WN22-AU-000140 | AUDIT | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." + - name: "MEDIUM | WN22-AU-000140 | AUDIT | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000140_audit - - name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2019 must be configured to audit Detailed Tracking - Process Creation successes." + - name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable when: "'Success' not in wn22_au_000140_audit.stdout" when: 
@@ -1369,16 +1369,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." +- name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout successes." block: - - name: "MEDIUM | WN22-AU-000150 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." + - name: "MEDIUM | WN22-AU-000150 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000150_audit - - name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout successes." + - name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable when: "'Success' not in wn22_au_000150_audit.stdout" when: 
@@ -1392,16 +1392,16 @@ - CCI-001404 - CAT2 -- name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." +- name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." block: - - name: "MEDIUM | WN22-AU-000160 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." + - name: "MEDIUM | WN22-AU-000160 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000160_audit - - name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Account Lockout failures." + - name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable when: "'Failure' not in wn22_au_000160_audit.stdout" when: 
@@ -1415,16 +1415,16 @@ - CCI-001404 - CAT2 -- name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." +- name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes." block: - - name: "MEDIUM | WN22-AU-000170 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." + - name: "MEDIUM | WN22-AU-000170 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000170_audit - - name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Group Membership successes." + - name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable when: "'Success' not in wn22_au_000170_audit.stdout" when: 
@@ -1437,16 +1437,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes." +- name: "MEDIUM | WN22-AU-000180 | PATCH | Windows Server 2022 must be configured to audit logoff successes." block: - - name: "MEDIUM | WN22-AU-000180 | AUDIT | Windows Server 2019 must be configured to audit logoff successes." + - name: "MEDIUM | WN22-AU-000180 | AUDIT | Windows Server 2022 must be configured to audit logoff successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000180_audit - - name: "MEDIUM | WN22-AU-000180 | PATCH | Windows Server 2019 must be configured to audit logoff successes." + - name: "MEDIUM | WN22-AU-000180 | PATCH | Windows Server 2022 must be configured to audit logoff successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Logoff" /success:enable when: "'Success' not in wn22_au_000180_audit.stdout" when: 
@@ -1460,16 +1460,16 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-AU-000190 | PATCH | Windows Server 2019 must be configured to audit logon successes." +- name: "MEDIUM | WN22-AU-000190 | PATCH | Windows Server 2022 must be configured to audit logon successes." block: - - name: "MEDIUM | WN22-AU-000190 | AUDIT | Windows Server 2019 must be configured to audit logon successes." + - name: "MEDIUM | WN22-AU-000190 | AUDIT | Windows Server 2022 must be configured to audit logon successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000190_audit - - name: "MEDIUM | WN22-AU-000190 | PATCH Windows Server 2019 must be configured to audit logon successes." + - name: "MEDIUM | WN22-AU-000190 | PATCH Windows Server 2022 must be configured to audit logon successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /success:enable when: "'Success' not in wn22_au_000190_audit.stdout" when: 
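Review bot: The rewritten PATCH task name for WN22-AU-000190 drops the `|` separator between `PATCH` and the description (`... | PATCH Windows Server 2022 must be configured to audit logon successes.`), which breaks the `SEVERITY | ID | TYPE | description` convention every other task in this hunk follows and would confuse any tooling that splits task names on `|`. Since the commit already touches this line, it should be corrected here: `- name: "MEDIUM | WN22-AU-000190 | PATCH | Windows Server 2022 must be configured to audit logon successes."`. The block-level `when:` list continues past the end of the hunk.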
@@ -1483,16 +1483,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures" +- name: "MEDIUM | WN22-AU-000200 | PATCH | Windows Server 2022 must be configured to audit logon failures" block: - - name: "MEDIUM | WN22-AU-000200 | AUDIT | Windows Server 2019 must be configured to audit logon failures" + - name: "MEDIUM | WN22-AU-000200 | AUDIT | Windows Server 2022 must be configured to audit logon failures" ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000200_audit - - name: "MEDIUM | WN22-AU-000200 | PATCH | Windows Server 2019 must be configured to audit logon failures" + - name: "MEDIUM | WN22-AU-000200 | PATCH | Windows Server 2022 must be configured to audit logon failures" ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /failure:enable when: "'Failure' not in wn22_au_000200_audit.stdout" when: 
@@ -1506,16 +1506,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." +- name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes." block: - - name: "MEDIUM | WN22-AU-000210 | AUDIT | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." + - name: "MEDIUM | WN22-AU-000210 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000210_audit - - name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2019 must be configured to audit Logon/Logoff - Special Logon successes." + - name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable when: "'Success' not in wn22_au_000210_audit.stdout" when: @@ -1528,7 +1528,7 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events successes." +- name: "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes." community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure 
@@ -1542,7 +1542,7 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2019 must be configured to audit Object Access - Other Object Access Events failures." +- name: "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures." community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure @@ -1556,16 +1556,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." +- name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes." block: - - name: "MEDIUM | WN22-AU-000240 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." + - name: "MEDIUM | WN22-AU-000240 | AUDIT | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000240_audit - - name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage successes." + - name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable when: "'Success' not in wn22_au_000240_audit.stdout" when: 
@@ -1578,16 +1578,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." +- name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures." block: - - name: "MEDIUM | WN22-AU-000250 | AUDIT | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." + - name: "MEDIUM | WN22-AU-000250 | AUDIT | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000250_audit - - name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2019 must be configured to audit Object Access - Removable Storage failures." + - name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable when: "'Failure' not in wn22_au_000250_audit.stdout" when: 
@@ -1600,16 +1600,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." +- name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes." block: - - name: "MEDIUM | WN22-AU-000260 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." + - name: "MEDIUM | WN22-AU-000260 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000260_audit - - name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change successes." + - name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable when: "'Success' not in wn22_au_000260_audit.stdout" when: 
@@ -1623,16 +1623,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." +- name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures." block: - - name: "MEDIUM | WN22-AU-000270 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." + - name: "MEDIUM | WN22-AU-000270 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000270_audit - - name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Audit Policy Change failures." + - name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /failure:enable when: "'Failure' not in wn22_au_000270_audit.stdout" when: 
@@ -1646,16 +1646,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." +- name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes." block: - - name: "MEDIUM | WN22-AU-000280 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." + - name: "MEDIUM | WN22-AU-000280 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000280_audit - - name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authentication Policy Change successes." + - name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable when: "'Success' not in wn22_au_000280_audit.stdout" when: 
@@ -1669,16 +1669,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." +- name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes." block: - - name: "MEDIUM | WN22-AU-000290 | AUDIT | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." + - name: "MEDIUM | WN22-AU-000290 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000290_audit - - name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2019 must be configured to audit Policy Change - Authorization Policy Change successes." + - name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable when: "'Success' not in wn22_au_000290_audit.stdout" when: 
@@ -1692,16 +1692,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." +- name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes." block: - - name: "MEDIUM | WN22-AU-000300 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." + - name: "MEDIUM | WN22-AU-000300 | AUDIT | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000300_audit - - name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use successes." + - name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable when: "'Success' not in wn22_au_000300_audit.stdout" when: 
@@ -1715,16 +1715,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." +- name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures." block: - - name: "MEDIUM | WN22-AU-000310 | AUDIT | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." + - name: "MEDIUM | WN22-AU-000310 | AUDIT | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000310_audit - - name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2019 must be configured to audit Privilege Use - Sensitive Privilege Use failures." + - name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable when: "'Failure' not in wn22_au_000310_audit.stdout" when: 
@@ -1738,16 +1738,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes." +- name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver successes." block: - - name: "MEDIUM | WN22-AU-000320 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver successes." + - name: "MEDIUM | WN22-AU-000320 | AUDIT | Windows Server 2022 must be configured to audit System - IPsec Driver successes." ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000320_audit - - name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver successes." + - name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver successes." ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable when: "'Success' not in wn22_au_000320_audit.stdout" when: 
@@ -1761,16 +1761,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures." +- name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver failures." block: - - name: "MEDIUM | WN22-AU-000330 | AUDIT | Windows Server 2019 must be configured to audit System - IPsec Driver failures." + - name: "MEDIUM | WN22-AU-000330 | AUDIT | Windows Server 2022 must be configured to audit System - IPsec Driver failures." ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000330_audit - - name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2019 must be configured to audit System - IPsec Driver failures." + - name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver failures." ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable when: "'Success' not in wn22_au_000330_audit.stdout" when: 
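Review bot: The remediation for WN22-AU-000330 is gated on the wrong audit value: the PATCH task runs `AuditPol /set /subcategory:"IPsec Driver" /failure:enable` but its condition is `when: "'Success' not in wn22_au_000330_audit.stdout"`, so on a host where success auditing for IPsec Driver is already on but failure auditing is off, the failure setting is never applied and the control is silently left unenforced (and conversely it re-runs needlessly whenever success is off). Every other failure-audit task in this file keys on `'Failure'` (e.g. WN22-AU-000310 directly above). Change the condition to `when: "'Failure' not in wn22_au_000330_audit.stdout"`. The block-level `when:` list continues past the end of the hunk.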
@@ -1784,16 +1784,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes." +- name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events successes." block: - - name: "MEDIUM | WN22-AU-000340 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events successes." + - name: "MEDIUM | WN22-AU-000340 | AUDIT | Windows Server 2022 must be configured to audit System - Other System Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000340_audit - - name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events successes." + - name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable when: "'Success' not in wn22_au_000340_audit.stdout" when: 
@@ -1807,16 +1807,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures." +- name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events failures." block: - - name: "MEDIUM | WN22-AU-000350 | AUDIT | Windows Server 2019 must be configured to audit System - Other System Events failures." + - name: "MEDIUM | WN22-AU-000350 | AUDIT | Windows Server 2022 must be configured to audit System - Other System Events failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000350_audit - - name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2019 must be configured to audit System - Other System Events failures." + - name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable when: "'Failure' not in wn22_au_000350_audit.stdout" when: 
@@ -1830,16 +1830,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes." +- name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2022 must be configured to audit System - Security State Change successes." block: - - name: "MEDIUM | WN22-AU-000360 | AUDIT | Windows Server 2019 must be configured to audit System - Security State Change successes." + - name: "MEDIUM | WN22-AU-000360 | AUDIT | Windows Server 2022 must be configured to audit System - Security State Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000360_audit - - name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2019 must be configured to audit System - Security State Change successes." + - name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2022 must be configured to audit System - Security State Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable when: "'Success' not in wn22_au_000360_audit.stdout" when: @@ -1853,7 +1853,7 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000370 | PATCH | Windows Server 2019 must be configured to audit System - Security System Extension successes." +- name: "MEDIUM | WN22-AU-000370 | PATCH | Windows Server 2022 must be configured to audit System - Security System Extension successes." block: - name: "MEDIUM | WN22-AU-000370 | AUDIT | Must be configured to audit System - Security System Extension successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" 
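Review bot: The inner AUDIT task of WN22-AU-000370 is titled `Must be configured to audit System - Security System Extension successes.` without the `Windows Server 2022` prefix that every other nested task in these hunks carries, so the rename pass did not touch it and it reads differently from its siblings in play output. Renaming it to `"MEDIUM | WN22-AU-000370 | AUDIT | Windows Server 2022 must be configured to audit System - Security System Extension successes."` keeps the naming consistent. The rest of this block, including its PATCH task and conditions, lies outside the hunk.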
@@ -1876,16 +1876,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes." +- name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity successes." block: - - name: "MEDIUM | WN22-AU-000380 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity successes." + - name: "MEDIUM | WN22-AU-000380 | AUDIT | Windows Server 2022 must be configured to audit System - System Integrity successes." ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000380_audit - - name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity successes." + - name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity successes." ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable when: "'Success' not in wn22_au_000380_audit.stdout" when: 
@@ -1899,16 +1899,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures." +- name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity failures." block: - - name: "MEDIUM | WN22-AU-000390 | AUDIT | Windows Server 2019 must be configured to audit System - System Integrity failures." + - name: "MEDIUM | WN22-AU-000390 | AUDIT | Windows Server 2022 must be configured to audit System - System Integrity failures." ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000390_audit - - name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2019 must be configured to audit System - System Integrity failures." + - name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity failures." ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable when: "'Failure' not in wn22_au_000390_audit.stdout" when: @@ -1923,7 +1923,7 @@ - CAT2 # some versions may be core/no gui, may need a prelim to detect? -- name: "MEDIUM | WN22-CC-000010 | PATCH | Windows Server 2019 must prevent the display of slide shows on the lock screen." +- name: "MEDIUM | WN22-CC-000010 | PATCH | Windows Server 2022 must prevent the display of slide shows on the lock screen." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization value: NoLockScreenSlideshow 
@@ -1939,7 +1939,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000020 | PATCH | Windows Server 2019 must have WDigest Authentication disabled." +- name: "MEDIUM | WN22-CC-000020 | PATCH | Windows Server 2022 must have WDigest Authentication disabled." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest value: UseLogonCredential @@ -1955,7 +1955,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000070 | PATCH | Windows Server 2019 insecure logons to an SMB server must be disabled." +- name: "MEDIUM | WN22-CC-000070 | PATCH | Windows Server 2022 insecure logons to an SMB server must be disabled." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation value: AllowInsecureGuestAuth @@ -1972,7 +1972,7 @@ - CAT2 # verify if this applies to DC or only MS? -- name: "MEDIUM | WN22-CC-000080 | PATCH | Windows Server 2019 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares." +- name: "MEDIUM | WN22-CC-000080 | PATCH | Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths value: "{{ item }}" @@ -1992,7 +1992,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000090 | PATCH | Windows Server 2019 command line data must be included in process creation events." +- name: "MEDIUM | WN22-CC-000090 | PATCH | Windows Server 2022 command line data must be included in process creation events." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit value: ProcessCreationIncludeCmdLine_Enabled 
@@ -2008,7 +2008,7 @@ - CCI-000135 - CAT2 -- name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2019 must be configured to enable Remote host allows delegation of non-exportable credentials." +- name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2022 must be configured to enable Remote host allows delegation of non-exportable credentials." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation value: AllowProtectedCreds 
@@ -2024,13 +2024,13 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." +- name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." block: - - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." + msg: "Warning!! This is a manual task. Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." - - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2019 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | import reuseable task." + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-CC-000110' 
@@ -2045,7 +2045,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000130 | PATCH | Windows Server 2019 early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." +- name: "MEDIUM | WN22-CC-000130 | PATCH | Windows Server 2022 early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch value: DriverLoadPolicy @@ -2061,7 +2061,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000140 | PATCH | Windows Server 2019 group policy objects must be reprocessed even if they have not changed." +- name: "MEDIUM | WN22-CC-000140 | PATCH | Windows Server 2022 group policy objects must be reprocessed even if they have not changed." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} value: NoGPOListChanges @@ -2077,7 +2077,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000150 | PATCH | Windows Server 2019 downloading print driver packages over HTTP must be turned off." +- name: "MEDIUM | WN22-CC-000150 | PATCH | Windows Server 2022 downloading print driver packages over HTTP must be turned off." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers value: DisableWebPnPDownload @@ -2093,7 +2093,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000160 | PATCH | Windows Server 2019 printing over HTTP must be turned off." +- name: "MEDIUM | WN22-CC-000160 | PATCH | Windows Server 2022 printing over HTTP must be turned off." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers value: DisableHTTPPrinting 
@@ -2109,7 +2109,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000170 | PATCH | Windows Server 2019 network selection user interface (UI) must not be displayed on the logon screen." +- name: "MEDIUM | WN22-CC-000170 | PATCH | Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: DontDisplayNetworkSelectionUI @@ -2125,7 +2125,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000180 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (on battery)." +- name: "MEDIUM | WN22-CC-000180 | PATCH | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery)." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 value: DCSettingIndex @@ -2141,7 +2141,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000190 | PATCH | Windows Server 2019 users must be prompted to authenticate when the system wakes from sleep (plugged in)." +- name: "MEDIUM | WN22-CC-000190 | PATCH | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in)." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 value: ACSettingIndex @@ -2157,7 +2157,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000240 | PATCH | Windows Server 2019 administrator accounts must not be enumerated during elevation." +- name: "MEDIUM | WN22-CC-000240 | PATCH | Windows Server 2022 administrator accounts must not be enumerated during elevation." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI value: EnumerateAdministrators 
@@ -2173,7 +2173,7 @@ - CCI-001084 - CAT2 -- name: "MEDIUM | WN22-CC-000250 | PATCH | Windows Server 2019 Telemetry must be configured to Security or Basic." +- name: "MEDIUM | WN22-CC-000250 | PATCH | Windows Server 2022 Telemetry must be configured to Security or Basic." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection value: AllowTelemetry @@ -2189,15 +2189,15 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." +- name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater." block: - - name: "MEDIUM | WN22-CC-000270 | AUDIT | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." + - name: "MEDIUM | WN22-CC-000270 | AUDIT | Windows Server 2022 Application event log size must be configured to 32768 KB or greater." ansible.windows.win_reg_stat: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application name: MaxSize register: wn22_cc_000270_audit - - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2019 Application event log size must be configured to 32768 KB or greater." + - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application value: MaxSize 
@@ -2217,15 +2217,15 @@ - CCI-001849 - CAT2 -- name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater." +- name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2022 Security event log size must be configured to 196608 KB or greater." block: - - name: "MEDIUM | WN22-CC-000280 | AUDIT | Windows Server 2019 Security event log size must be configured to 196608 KB or greater." + - name: "MEDIUM | WN22-CC-000280 | AUDIT | Windows Server 2022 Security event log size must be configured to 196608 KB or greater." ansible.windows.win_reg_stat: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security name: MaxSize register: wn22_cc_000280_audit - - name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2019 Security event log size must be configured to 196608 KB or greater." + - name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2022 Security event log size must be configured to 196608 KB or greater." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security value: MaxSize 
@@ -2245,15 +2245,15 @@ - CCI-001849 - CAT2 -- name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater." +- name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2022 System event log size must be configured to 32768 KB or greater." block: - - name: "MEDIUM | WN22-CC-000290 | AUDIT | Windows Server 2019 System event log size must be configured to 32768 KB or greater." + - name: "MEDIUM | WN22-CC-000290 | AUDIT | Windows Server 2022 System event log size must be configured to 32768 KB or greater." ansible.windows.win_reg_stat: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System name: MaxSize register: wn22_cc_000290_audit - - name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2019 System event log size must be configured to 32768 KB or greater." + - name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2022 System event log size must be configured to 32768 KB or greater." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System value: MaxSize @@ -2272,7 +2272,7 @@ - SV-103269r1 - CCI-001849 -- name: "MEDIUM | WN22-CC-000300 | PATCH | Windows Server 2019 Windows Defender SmartScreen must be enabled." +- name: "MEDIUM | WN22-CC-000300 | PATCH | Windows Server 2022 Windows Defender SmartScreen must be enabled." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System value: EnableSmartScreen @@ -2288,7 +2288,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000310 | PATCH | Windows Server 2019 Explorer Data Execution Prevention must be enabled." +- name: "MEDIUM | WN22-CC-000310 | PATCH | Windows Server 2022 Explorer Data Execution Prevention must be enabled." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer value: NoDataExecutionPrevention 
@@ -2304,7 +2304,7 @@ - CCI-002824 - CAT2 -- name: "MEDIUM | WN22-CC-000330 | PATCH | Windows Server 2019 File Explorer shell protocol must run in protected mode." +- name: "MEDIUM | WN22-CC-000330 | PATCH | Windows Server 2022 File Explorer shell protocol must run in protected mode." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value: PreXPSP2ShellProtocolBehavior @@ -2320,7 +2320,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000340 | PATCH | Windows Server 2019 must not save passwords in the Remote Desktop Client." +- name: "MEDIUM | WN22-CC-000340 | PATCH | Windows Server 2022 must not save passwords in the Remote Desktop Client." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: DisablePasswordSaving @@ -2336,7 +2336,7 @@ - CCI-002038 - CAT2 -- name: "MEDIUM | WN22-CC-000350 | PATCH | Windows Server 2019 Remote Desktop Services must prevent drive redirection." +- name: "MEDIUM | WN22-CC-000350 | PATCH | Windows Server 2022 Remote Desktop Services must prevent drive redirection." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: fDisableCdm @@ -2352,7 +2352,7 @@ - CCI-001090 - CAT2 -- name: "MEDIUM | WN22-CC-000360 | PATCH | Windows Server 2019 remote Desktop Services must always prompt a client for passwords upon connection." +- name: "MEDIUM | WN22-CC-000360 | PATCH | Windows Server 2022 remote Desktop Services must always prompt a client for passwords upon connection." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: fPromptForPassword 
@@ -2368,7 +2368,7 @@ - CCI-002038 - CAT2 -- name: "MEDIUM | WN22-CC-000370 | PATCH | Windows Server 2019 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications." +- name: "MEDIUM | WN22-CC-000370 | PATCH | Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: fEncryptRPCTraffic @@ -2385,7 +2385,7 @@ - CCI-001453 - CAT2 -- name: "MEDIUM | WN22-CC-000380 | PATCH | Windows Server 2019 remote Desktop Services must be configured with the client connection encryption set to High Level." +- name: "MEDIUM | WN22-CC-000380 | PATCH | Windows Server 2022 remote Desktop Services must be configured with the client connection encryption set to High Level." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services value: MinEncryptionLevel @@ -2403,7 +2403,7 @@ - CCI-001453 - CAT2 -- name: "MEDIUM | WN22-CC-000390 | PATCH | Windows Server 2019 must prevent attachments from being downloaded from RSS feeds." +- name: "MEDIUM | WN22-CC-000390 | PATCH | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds value: DisableEnclosureDownload @@ -2419,7 +2419,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000400 | PATCH | Windows Server 2019 must disable Basic authentication for RSS feeds over HTTP." +- name: "MEDIUM | WN22-CC-000400 | PATCH | Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds value: AllowBasicAuthInClear 
@@ -2435,7 +2435,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000410 | PATCH | Windows Server 2019 must prevent Indexing of encrypted files." +- name: "MEDIUM | WN22-CC-000410 | PATCH | Windows Server 2022 must prevent Indexing of encrypted files." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search value: AllowIndexingEncryptedStoresOrItems @@ -2451,7 +2451,7 @@ - CCI-000381 - CAT2 -- name: "MEDIUM | WN22-CC-000420 | PATCH | Windows Server 2019 must prevent users from changing installation options." +- name: "MEDIUM | WN22-CC-000420 | PATCH | Windows Server 2022 must prevent users from changing installation options." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer value: EnableUserControl @@ -2467,7 +2467,7 @@ - CCI-001812 - CAT2 -- name: "MEDIUM | WN22-CC-000440 | PATCH | Windows Server 2019 users must be notified if a web-based program attempts to install software." +- name: "MEDIUM | WN22-CC-000440 | PATCH | Windows Server 2022 users must be notified if a web-based program attempts to install software." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer value: SafeForScripting @@ -2483,7 +2483,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000450 | PATCH | Windows Server 2019 must disable automatically signing in the last interactive user after a system-initiated restart." +- name: "MEDIUM | WN22-CC-000450 | PATCH | Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: DisableAutomaticRestartSignOn 
@@ -2499,7 +2499,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000451 | PATCH | The Windows Explorer Preview pane must be disabled for Windows Server 2019." +- name: "MEDIUM | WN22-CC-000451 | PATCH | The Windows Explorer Preview pane must be disabled for Windows Server 2022." ansible.windows.win_regedit: path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer value: NoPreviewPane @@ -2515,7 +2515,7 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000460 | PATCH | Windows Server 2019 PowerShell script block logging must be enabled." +- name: "MEDIUM | WN22-CC-000460 | PATCH | Windows Server 2022 PowerShell script block logging must be enabled." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging value: EnableScriptBlockLogging @@ -2531,7 +2531,7 @@ - CCI-000135 - CAT2 -- name: "MEDIUM | WN22-CC-000480 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not allow unencrypted traffic." +- name: "MEDIUM | WN22-CC-000480 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client value: AllowUnencryptedTraffic @@ -2539,7 +2539,7 @@ datatype: dword when: - wn22_cc_000480 - - not win2019stig_skip_for_test + - not win2022stig_skip_for_test tags: - WN22-CC-000480 - V-205816 @@ -2549,7 +2549,7 @@ - CCI-003123 - CAT2 -- name: "MEDIUM | WN22-CC-000490 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) client must not use Digest authentication." +- name: "MEDIUM | WN22-CC-000490 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client value: AllowDigest 
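Review bot: WN22-CC-000451 writes `NoPreviewPane` under `HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, and with win_regedit that is the hive of the account the play connects as rather than a machine-wide or all-users policy, so other interactive users on the host keep the preview pane; it is the only HKCU-scoped control among the visible hunks. If the intent is to cover every profile, win_regedit's `hive:` option can target a loaded user hive, otherwise the limitation is worth stating above the task, e.g. `# NOTE: writes the connecting account's HKCU only; other user profiles are not changed`. The task's `when:` and `tags:` continue outside the hunk.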
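Review bot: The `tags:` list of WN22-CC-000480 still carries `V-205816`, and the WN22-CC-000510 and WN22-CC-000520 hunks in the next line carry `V-205817` and `V-205810`, while this commit changes only the `Windows Server 2019` wording and the `win2019stig_skip_for_test` variable; these look like vulnerability IDs carried over from the 2019 role this file was copied from, as does `SV-103269r1` in the WN22-CC-000300 hunk. If so, anyone running with `--tags V-…` or mapping results back to the 2022 STIG will be pointed at the wrong control, so the IDs should be refreshed against the 2022 benchmark in the same pass, or at least flagged with `# TODO: V-ID carried over from the 2019 role, verify against the 2022 STIG` until they are.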
@@ -2565,7 +2565,7 @@ - CCI-000877 - CAT2 -- name: "MEDIUM | WN22-CC-000510 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not allow unencrypted traffic." +- name: "MEDIUM | WN22-CC-000510 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service value: AllowUnencryptedTraffic @@ -2573,7 +2573,7 @@ datatype: dword when: - wn22_cc_000510 - - not win2019stig_skip_for_test + - not win2022stig_skip_for_test tags: - WN22-CC-000510 - V-205817 @@ -2583,7 +2583,7 @@ - CCI-003123 - CAT2 -- name: "MEDIUM | WN22-CC-000520 | PATCH | Windows Server 2019 Windows Remote Management (WinRM) service must not store RunAs credentials." +- name: "MEDIUM | WN22-CC-000520 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service value: DisableRunAs @@ -2591,7 +2591,7 @@ datatype: dword when: - wn22_cc_000520 - - not win2019stig_skip_for_test + - not win2022stig_skip_for_test tags: - WN22-CC-000520 - V-205810 
@@ -2600,13 +2600,13 @@ - CCI-002038 - CAT2 -- name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced." +- name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced." block: - - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced." + - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos user logon restrictions must be enforced." + msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos user logon restrictions must be enforced." - - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2019 Kerberos user logon restrictions must be enforced. | import reuseable task." + - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000020' 
@@ -2622,13 +2622,13 @@ - CCI-001942 - CAT2 -- name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." +- name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." block: - - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." + - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." + msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." - - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2019 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task." + - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000030' 
@@ -2644,13 +2644,13 @@ - CCI-001942 - CAT2 -- name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less." +- name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less." block: - - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less." + - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less." + msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less." - - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2019 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task." + - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000040' 
@@ -2666,13 +2666,13 @@ - CCI-001942 - CAT2 -- name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." +- name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." block: - - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." + - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." + msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." - - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2019 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task." + - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000050' 
@@ -2688,13 +2688,13 @@ - CCI-001942 - CAT2 -- name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less." +- name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less." block: - - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less." + - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less." + msg: "Warning!! This is a manual task. Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less." - - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2019 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task." + - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000060' 
@@ -2710,13 +2710,13 @@
 - CCI-001942
 - CAT2
-- name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+- name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files."
 block:
- - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+ - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files."
+ msg: "Warning!! This is a manual task. Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files."
- - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2019 data files owned by users must be on a different logical partition from the directory server data files. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000120'
@@ -2731,13 +2731,13 @@
 - CCI-001090
 - CAT2
-- name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+- name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function."
 block:
- - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+ - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 domain controllers must run on a machine dedicated to that function."
+ msg: "Warning!! This is a manual task. Windows Server 2022 domain controllers must run on a machine dedicated to that function."
- - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2019 domain controllers must run on a machine dedicated to that function. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000130'
@@ -2752,13 +2752,13 @@
 - CCI-000381
 - CAT2
-- name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+- name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
 block:
- - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
+ msg: "Warning!! This is a manual task. Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data."
- - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2019 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000140'
@@ -2773,13 +2773,13 @@
 - CCI-002450
 - CAT2
-- name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings."
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings."
- - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2019 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000170'
@@ -2795,13 +2795,13 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Domain object must be configured with proper audit settings."
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Domain object must be configured with proper audit settings."
- - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2019 Active Directory Domain object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000180'
@@ -2817,13 +2817,13 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings."
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings."
- - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2019 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000190'
@@ -2839,13 +2839,13 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings."
- - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2019 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000200'
@@ -2861,13 +2861,13 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings."
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings."
- - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2019 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000210'
@@ -2883,13 +2883,13 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings."
+- name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings."
 block:
- - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings."
+ - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings."
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings."
- - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2019 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000220'
@@ -2905,16 +2905,16 @@
 - CCI-002234
 - CAT2
-- name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes."
+- name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes."
 block:
- - name: "MEDIUM | WN22-DC-000230 | AUDIT | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes."
+ - name: "MEDIUM | WN22-DC-000230 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes."
 ansible.windows.win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: wn22_dc_000230_audit
- - name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2019 must be configured to audit Account Management - Computer Account Management successes."
+ - name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes."
 ansible.windows.win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
 when: "'Success' not in wn22_dc_000230_audit.stdout"
 when:
@@ -2938,16 +2938,16 @@
 - CCI-002130
 - CAT2
-- name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes."
+- name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes."
 block:
- - name: "MEDIUM | WN22-DC-000240 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes."
+ - name: "MEDIUM | WN22-DC-000240 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes."
 ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: wn22_dc_000240_audit
- - name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access successes."
+ - name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes."
 ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
 when: "'Success' not in wn22_dc_000240_audit.stdout"
 when:
@@ -2966,16 +2966,16 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures."
+- name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures."
 block:
- - name: "MEDIUM | WN22-DC-000250 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures."
+ - name: "MEDIUM | WN22-DC-000250 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures."
 ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: wn22_dc_000250_audit
- - name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Access failures."
+ - name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures."
 ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable
 when: "'Failure' not in wn22_dc_000250_audit.stdout"
 when:
@@ -2994,16 +2994,16 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes."
+- name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes."
 block:
- - name: "MEDIUM | WN22-DC-000260 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes."
+ - name: "MEDIUM | WN22-DC-000260 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes."
 ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: wn22_dc_000260_audit
- - name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes successes."
+ - name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes."
 ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
 when: "'Success' not in wn22_dc_000260_audit.stdout"
 when:
@@ -3022,16 +3022,16 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures."
+- name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures."
 block:
- - name: "MEDIUM | WN22-DC-000270 | AUDIT | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures."
+ - name: "MEDIUM | WN22-DC-000270 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures."
 ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
 changed_when: false
 failed_when: false
 check_mode: false
 register: wn22_dc_000270_audit
- - name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2019 must be configured to audit DS Access - Directory Service Changes failures."
+ - name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures."
 ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /failure:enable
 when: "'Failure' not in wn22_dc_000270_audit.stdout"
 when:
@@ -3050,13 +3050,13 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate."
+- name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate."
 block:
- - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate."
+ - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 domain controllers must have a PKI server certificate."
+ msg: "Warning!! This is a manual task. Windows Server 2022 domain controllers must have a PKI server certificate."
- - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2019 domain controllers must have a PKI server certificate. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000280'
@@ -3071,13 +3071,13 @@
 - CCI-000185
 - CAT2
-- name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+- name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
 block:
- - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+ - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
 ansible.builtin.debug:
- msg: "Warning!! This is a manual task. Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
+ msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication."
- - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2019 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | import reuseable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000310'
@@ -3100,7 +3100,7 @@
 - CCI-001948
 - CAT2
-- name: "MEDIUM | WN22-DC-000320 | PATCH | Windows Server 2019 domain controllers must require LDAP access signing."
+- name: "MEDIUM | WN22-DC-000320 | PATCH | Windows Server 2022 domain controllers must require LDAP access signing."
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
 value: LDAPServerIntegrity
@@ -3120,7 +3120,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000330 | PATCH | Windows Server 2019 domain controllers must be configured to allow reset of machine account passwords."
+- name: "MEDIUM | WN22-DC-000330 | PATCH | Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords."
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
 value: RefusePasswordChange
@@ -3138,7 +3138,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000340 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers."
+- name: "MEDIUM | WN22-DC-000340 | PATCH | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers."
 ansible.windows.win_user_right:
 name: SeNetworkLogonRight
 users:
@@ -3158,7 +3158,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000350 | PATCH | Windows Server 2019 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers."
+- name: "MEDIUM | WN22-DC-000350 | PATCH | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers."
 ansible.windows.win_user_right:
 name: SeMachineAccountPrivilege
 users: Administrators
@@ -3175,7 +3175,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000360 | PATCH | Windows Server 2019 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers."
+- name: "MEDIUM | WN22-DC-000360 | PATCH | Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers."
 ansible.windows.win_user_right:
 name: SeRemoteInteractiveLogonRight
 users: Administrators
@@ -3192,7 +3192,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000370 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access."
+- name: "MEDIUM | WN22-DC-000370 | PATCH | Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access."
 ansible.windows.win_user_right:
 name: SeDenyNetworkLogonRight
 users: Guests
@@ -3209,7 +3209,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000380 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access."
+- name: "MEDIUM | WN22-DC-000380 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access."
 ansible.windows.win_user_right:
 name: SeDenyBatchLogonRight
 users: Guests
@@ -3226,7 +3226,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000390 | PATCH | Windows Server 2019 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers."
+- name: "MEDIUM | WN22-DC-000390 | PATCH | Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers."
 community.windows.win_security_policy:
 section: Privilege Rights
 key: SeDenyServiceLogonRight
@@ -3243,7 +3243,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000400 | PATCH | Windows Server 2019 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access."
+- name: "MEDIUM | WN22-DC-000400 | PATCH | Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access."
 ansible.windows.win_user_right:
 name: SeDenyInteractiveLogonRight
 users: Guests
@@ -3260,7 +3260,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000410 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access."
+- name: "MEDIUM | WN22-DC-000410 | PATCH | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access."
 ansible.windows.win_user_right:
 name: SeDenyRemoteInteractiveLogonRight
 users: Guests
@@ -3277,7 +3277,7 @@
 - CAT2
 - NeedToTestDomainController
-- name: "MEDIUM | WN22-DC-000420 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers."
+- name: "MEDIUM | WN22-DC-000420 | PATCH | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers."
 ansible.windows.win_user_right:
 name: SeEnableDelegationPrivilege
 users: Administrators
@@ -3314,7 +3314,7 @@
 when:
 - wn22_dc_000430
 - ansible_windows_domain_role == "Primary domain controller"
- - win2019stig_complexity_high
+ - win2022stig_complexity_high
 tags:
 - WN22-DC-000430
 - V-205877
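Review bot: The `when` condition in the hunk at 3314 now reads `win2022stig_complexity_high`, but this hunk does not touch the role's defaults, so unless the variable is also renamed in `defaults/main.yml` (and any documentation or vars file that sets it) the task for WN22-DC-000430 will fail with an undefined-variable error on a domain controller instead of being skipped. Every other edit on this page is a pure string rename inside task names, which cannot break a run; this one is a rename of a live variable reference and deserves a matching defaults change in the same commit. If the intent is for the control to be opt-in, a defensive form such as `- win2022stig_complexity_high | default(false) | bool` would make a missing definition skip rather than fail; I have not seen the defaults file, so this is inferred from the hunk alone. The task that owns this `when` block begins before the hunk.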
@@ -3324,7 +3324,7 @@
 - NeedToTestDomainController
 - CAT2
-- name: "MEDIUM | WN22-MS-000020 | PATCH | Windows Server 2019 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems."
+- name: "MEDIUM | WN22-MS-000020 | PATCH | Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
 value: LocalAccountTokenFilterPolicy
@@ -3342,7 +3342,7 @@
 - CAT2
 - NeedToTestMemberServer
-- name: "MEDIUM | WN22-MS-000030 | PATCH | Windows Server 2019 local users on domain-joined member servers must not be enumerated."
+- name: "MEDIUM | WN22-MS-000030 | PATCH | Windows Server 2022 local users on domain-joined member servers must not be enumerated."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
 value: EnumerateLocalUsers
@@ -3360,7 +3360,7 @@
 - CAT2
 - NeedToTestMemberServer
-- name: "MEDIUM | WN22-MS-000040 | PATCH | Windows Server 2019 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems."
+- name: "MEDIUM | WN22-MS-000040 | PATCH | Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems."
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
 value: RestrictRemoteClients
@@ -3377,7 +3377,7 @@
     - CCI-001967
     - CAT2
 
-- name: "MEDIUM | WN22-MS-000050 | PATCH | Windows Server 2019 must limit the caching of logon credentials to four or less on domain-joined member servers."
+- name: "MEDIUM | WN22-MS-000050 | PATCH | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers."
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
     value: CachedLogonsCount
@@ -3394,7 +3394,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-MS-000060 | PATCH | Windows Server 2019 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems."
+- name: "MEDIUM | WN22-MS-000060 | PATCH | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
     value: RestrictRemoteSAM
@@ -3411,7 +3411,7 @@
     - CCI-002235
     - CAT2
 
-- name: "MEDIUM | WN22-MS-000070 | PATCH | Windows Server 2019 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems."
+- name: "MEDIUM | WN22-MS-000070 | PATCH | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems."
   ansible.windows.win_user_right:
     name: SeNetworkLogonRight
     users:
@@ -3429,9 +3429,9 @@
     - CCI-000213
     - CAT2
 
-- name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
+- name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
   block:
-  - name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyNetworkLogonRight
         users:
@@ -3443,7 +3443,7 @@
         action: set
       when: ansible_windows_domain_role == "Member server"
 
-  - name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2019 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyNetworkLogonRight
         users: Guests
@@ -3461,9 +3461,9 @@
     - CAT2
     - NeedToTestMemberServer
 
-- name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+- name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
   block:
-  - name: "MEDIUM | WN22-MS-000090 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000090 | PATCH | DOMAIN MEMBER | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyBatchLogonRight
         users:
@@ -3473,7 +3473,7 @@
         action: set
       when: ansible_windows_domain_role == "Member server"
 
-  - name: "MEDIUM | WN22-MS-000090 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000090 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyBatchLogonRight
         users:
@@ -3491,7 +3491,7 @@
     - CAT2
     - NeedToTestMemberServer
 
-- name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2019 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right."
+- name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right."
   ansible.windows.win_user_right:
     name: SeDenyServiceLogonRight
     users:
@@ -3510,9 +3510,9 @@
     - CAT2
     - NeedToTestMemberServer
 
-- name: "MEDIUM | WN22-MS-000110 | PATCH | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+- name: "MEDIUM | WN22-MS-000110 | PATCH | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
   block:
-  - name: "MEDIUM | WN22-MS-000110 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000110 | PATCH | DOMAIN MEMBER | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyInteractiveLogonRight
         users:
@@ -3522,7 +3522,7 @@
         action: set
       when: ansible_windows_domain_role == "Member server"
 
-  - name: "MEDIUM | WN22-MS-000110 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000110 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyInteractiveLogonRight
         users:
@@ -3540,9 +3540,9 @@
     - CAT2
     - NeedToTestMemberServer
 
-- name: "MEDIUM | WN22-MS-000120 | PATCH | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
+- name: "MEDIUM | WN22-MS-000120 | PATCH | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
   block:
-  - name: "MEDIUM | WN22-MS-000120 | PATCH | DOMAIN MEMBER | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000120 | PATCH | DOMAIN MEMBER | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyRemoteInteractiveLogonRight
         users:
@@ -3553,7 +3553,7 @@
         action: set
       when: ansible_windows_domain_role == "Member server"
 
-  - name: "MEDIUM | WN22-MS-000120 | PATCH | STAND-ALONE | Windows Server 2019 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
+  - name: "MEDIUM | WN22-MS-000120 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems."
       ansible.windows.win_user_right:
         name: SeDenyRemoteInteractiveLogonRight
         users:
@@ -3571,7 +3571,7 @@
     - CAT2
     - NeedToTestMemberServer
 
-- name: "MEDIUM | WN22-MS-000130 | PATCH | Windows Server 2019 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems."
+- name: "MEDIUM | WN22-MS-000130 | PATCH | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems."
   community.windows.win_security_policy:
     section: Privilege Rights
     key: SeEnableDelegationPrivilege
@@ -3586,9 +3586,9 @@
     - CCI-002235
     - CAT2
 
-- name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store."
+- name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store."
   block:
-  - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2019 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store."
+  - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store."
       ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter
       changed_when: false
       check_mode: false
@@ -3604,19 +3604,19 @@
     - CCI-002470
     - CAT2
 
-- name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+- name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
   block:
-  - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+  - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
       ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter
       changed_when: false
       check_mode: false
       register: wn22_pk_000020_audit
 
-  - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+  - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
       ansible.builtin.debug:
-        msg: "Warning!! This is a manual task. Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
+        msg: "Warning!! This is a manual task. Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems."
 
-  - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2019 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | import reuseable task."
+  - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | import reuseable task."
       ansible.builtin.import_tasks: warning_facts.yml
       vars:
         warn_control_id: 'WN22-PK-000020'
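Review bot: The new task name for the import step still reads `| import reuseable task.` — the word is misspelled (reusable), and the same spelling is carried into the WN22-PK-000030 hunk below. These names are what the playbook prints as its audit trail, so suggest `| import reusable task.` in both places while the names are being touched anyway. The block's when/tags continue outside the hunk.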
@@ -3631,19 +3631,19 @@
     - CCI-002470
     - CAT2
 
-- name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+- name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
   block:
-  - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+  - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
       ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter
       changed_when: false
       check_mode: false
       register: wn22_pk_000030_audit
 
-  - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+  - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
       ansible.builtin.debug:
-        msg: "Warning!! This is a manual task. Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
+        msg: "Warning!! This is a manual task. Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems."
 
-  - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2019 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | import reuseable task."
+  - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | import reuseable task."
       ansible.builtin.import_tasks: warning_facts.yml
       vars:
         warn_control_id: 'WN22-PK-000030'
@@ -3658,7 +3658,7 @@
     - CCI-002470
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000010 | PATCH | Windows Server 2019 must have the built-in guest account disabled."
+- name: "MEDIUM | WN22-SO-000010 | PATCH | Windows Server 2022 must have the built-in guest account disabled."
   community.windows.win_security_policy:
     section: System Access
     key: EnableGuestAccount
@@ -3673,9 +3673,9 @@
     - CCI-000804
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed."
+- name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2022 built-in administrator account must be renamed."
   block:
-  - name: "MEDIUM | WN22-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warning For Bad Variable."
+  - name: "MEDIUM | WN22-SO-000030 | AUDIT | Windows Server 2022 built-in administrator account must be renamed. | Warning For Bad Variable."
       ansible.builtin.debug:
         msg:
           - "Warning!! You have not changed the default name for wn22stig_newadministratorname, please read"
@@ -3683,14 +3683,14 @@
       when:
         - "'adminchangethis' in wn22stig_newadministratorname"
 
-  - name: "MEDIUM | WN22-SO-000030 | AUDIT | Windows Server 2019 built-in administrator account must be renamed. | Warn Count."
+  - name: "MEDIUM | WN22-SO-000030 | AUDIT | Windows Server 2022 built-in administrator account must be renamed. | Warn Count."
       ansible.builtin.import_tasks: warning_facts.yml
       vars:
         warn_control_id: 'WN22-SO-000030'
       when:
         - "'adminchangethis' in wn22stig_newadministratorname"
 
-  - name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2019 built-in administrator account must be renamed. | Set Variable."
+  - name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2022 built-in administrator account must be renamed. | Set Variable."
       community.windows.win_security_policy:
         section: System Access
         key: NewAdministratorName
@@ -3707,9 +3707,9 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed."
+- name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2022 built-in guest account must be renamed."
   block:
-  - name: "MEDIUM | WN22-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. | Warning For Bad Variable."
+  - name: "MEDIUM | WN22-SO-000040 | AUDIT | Windows Server 2022 built-in guest account must be renamed. | Warning For Bad Variable."
       ansible.builtin.debug:
         msg:
           - "Warning!! You have not changed the default name for wn22stig_newguestname, please read"
@@ -3717,14 +3717,14 @@
       when:
         - "'guestchangethis' in wn22stig_newguestname"
 
-  - name: "MEDIUM | WN22-SO-000040 | AUDIT | Windows Server 2019 built-in guest account must be renamed. | Warn Count."
+  - name: "MEDIUM | WN22-SO-000040 | AUDIT | Windows Server 2022 built-in guest account must be renamed. | Warn Count."
       ansible.builtin.import_tasks: warning_facts.yml
       vars:
         warn_control_id: 'WN22-SO-000040'
       when:
         - "'guestchangethis' in wn22stig_newguestname"
 
-  - name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2019 built-in guest account must be renamed. | Set Variable."
+  - name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2022 built-in guest account must be renamed. | Set Variable."
       community.windows.win_security_policy:
         section: System Access
         key: NewGuestName
@@ -3741,7 +3741,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000050 | PATCH | Windows Server 2019 must force audit policy subcategory settings to override audit policy category settings."
+- name: "MEDIUM | WN22-SO-000050 | PATCH | Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\
     value: SCENoApplyLegacyAuditPolicy
@@ -3757,7 +3757,7 @@
     - CCI-000169
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000060 | PATCH | Windows Server 2019 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled."
+- name: "MEDIUM | WN22-SO-000060 | PATCH | Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
     value: RequireSignOrSeal
@@ -3777,7 +3777,7 @@
     - CAT2
     - NeedToTestMemberServer
 
-- name: "MEDIUM | WN22-SO-000080 | PATCH | Windows Server 2019 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled."
+- name: "MEDIUM | WN22-SO-000080 | PATCH | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
     value: SignSecureChannel
@@ -3796,7 +3796,7 @@
     - CAT2
     - NeedToTestMemberServer
 
-- name: "MEDIUM | WN22-SO-000090 | PATCH | Windows Server 2019 computer account password must not be prevented from being reset."
+- name: "MEDIUM | WN22-SO-000090 | PATCH | Windows Server 2022 computer account password must not be prevented from being reset."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
     value: DisablePasswordChange
@@ -3812,7 +3812,7 @@
     - CCI-001967
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2019 maximum age for machine account passwords must be configured to 30 days or less."
+- name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
     value: MaximumPasswordAge
@@ -3828,7 +3828,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000110 | PATCH | Windows Server 2019 must be configured to require a strong session key."
+- name: "MEDIUM | WN22-SO-000110 | PATCH | Windows Server 2022 must be configured to require a strong session key."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
     value: RequireStrongKey
@@ -3845,7 +3845,7 @@
     - CCI-002421
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000120 | PATCH | Windows Server 2019 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver."
+- name: "MEDIUM | WN22-SO-000120 | PATCH | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver."
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
     value: InactivityTimeoutSecs
@@ -3863,7 +3863,7 @@
     - CCI-000060
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000130 | PATCH | Windows Server 2019 required legal notice must be configured to display before console logon."
+- name: "MEDIUM | WN22-SO-000130 | PATCH | Windows Server 2022 required legal notice must be configured to display before console logon."
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
     value: LegalNoticeText
@@ -3885,7 +3885,7 @@
     - CCI-001388
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000150 | PATCH | Windows Server 2019 Smart Card removal option must be configured to Force Logoff or Lock Workstation."
+- name: "MEDIUM | WN22-SO-000150 | PATCH | Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation."
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
     value: scremoveoption
@@ -3901,7 +3901,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000160 | PATCH | Windows Server 2019 etting Microsoft network client: Digitally sign communications (always) must be configured to Enabled."
+- name: "MEDIUM | WN22-SO-000160 | PATCH | Windows Server 2022 etting Microsoft network client: Digitally sign communications (always) must be configured to Enabled."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
     value: RequireSecuritySignature
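Review bot: The WN22-SO-000160 task name still carries the typo `etting Microsoft network client` after the version swap, while the neighbouring WN22-SO-000170/190/200 names read `setting Microsoft network ...`. Suggest `- name: "MEDIUM | WN22-SO-000160 | PATCH | Windows Server 2022 setting Microsoft network client: Digitally sign communications (always) must be configured to Enabled."`. The rest of the task (data/type, when, tags) is outside the hunk.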
@@ -3919,7 +3919,7 @@
     - CCI-002421
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000170 | PATCH | Windows Server 2019 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled."
+- name: "MEDIUM | WN22-SO-000170 | PATCH | Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
     value: EnableSecuritySignature
@@ -3937,7 +3937,7 @@
     - CCI-002418
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000180 | PATCH | Windows Server 2019 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers."
+- name: "MEDIUM | WN22-SO-000180 | PATCH | Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
     value: EnablePlainTextPassword
@@ -3953,7 +3953,7 @@
     - CCI-000197
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000190 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled."
+- name: "MEDIUM | WN22-SO-000190 | PATCH | Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
     value: RequireSecuritySignature
@@ -3970,7 +3970,7 @@
     - CCI-002421
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000200 | PATCH | Windows Server 2019 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled."
+- name: "MEDIUM | WN22-SO-000200 | PATCH | Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
     value: EnableSecuritySignature
@@ -3987,7 +3987,7 @@
     - CCI-002421
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000240 | PATCH | Windows Server 2019 must be configured to prevent anonymous users from having the same permissions as the Everyone group."
+- name: "MEDIUM | WN22-SO-000240 | PATCH | Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
     value: EveryoneIncludesAnonymous
@@ -4003,7 +4003,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000260 | PATCH | Windows Server 2019 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously."
+- name: "MEDIUM | WN22-SO-000260 | PATCH | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
     value: UseMachineId
@@ -4019,7 +4019,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000270 | PATCH | Windows Server 2019 must prevent NTLM from falling back to a Null session."
+- name: "MEDIUM | WN22-SO-000270 | PATCH | Windows Server 2022 must prevent NTLM from falling back to a Null session."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
     value: allownullsessionfallback
@@ -4035,7 +4035,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000280 | PATCH | Windows Server 2019 Must prevent PKU2U authentication using online identities."
+- name: "MEDIUM | WN22-SO-000280 | PATCH | Windows Server 2022 Must prevent PKU2U authentication using online identities."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u
     value: AllowOnlineID
@@ -4051,7 +4051,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000290 | PATCH | Windows Server 2019 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites."
+- name: "MEDIUM | WN22-SO-000290 | PATCH | Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites."
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
     value: SupportedEncryptionTypes
@@ -4067,7 +4067,7 @@
     - CCI-000803
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000320 | PATCH | Windows Server 2019 must be configured to at least negotiate signing for LDAP client signing."
+- name: "MEDIUM | WN22-SO-000320 | PATCH | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Services\LDAP
     value: LDAPClientIntegrity
@@ -4083,7 +4083,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000330 | PATCH | Windows Server 2019 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption."
+- name: "MEDIUM | WN22-SO-000330 | PATCH | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
     value: NTLMMinClientSec
@@ -4099,7 +4099,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000340 | PATCH | Windows Server 2019 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption."
+- name: "MEDIUM | WN22-SO-000340 | PATCH | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
     value: NTLMMinServerSec
@@ -4115,7 +4115,7 @@
     - CCI-000366
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000350 | PATCH | Windows Server 2019 users must be required to enter a password to access private keys stored on the computer."
+- name: "MEDIUM | WN22-SO-000350 | PATCH | Windows Server 2022 users must be required to enter a password to access private keys stored on the computer."
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Policies\Microsoft\Cryptography
     value: ForceKeyProtection
@@ -4131,7 +4131,7 @@
     - CCI-000186
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000360 | PATCH | Windows Server 2019 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing."
+- name: "MEDIUM | WN22-SO-000360 | PATCH | Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing."
   ansible.windows.win_regedit:
     path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager
     value: ProtectionMode
@@ -4147,7 +4147,7 @@
     - CCI-002450
     - CAT2
 
-- name: "MEDIUM | WN22-SO-000380 | PATCH | Windows Server 2019 User Account Control approval mode for the built-in Administrator must be enabled."
+- name: "MEDIUM | WN22-SO-000380 | PATCH | Windows Server 2022 User Account Control approval mode for the built-in Administrator must be enabled."
   ansible.windows.win_regedit:
     path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
     value: FilterAdministratorToken
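Review bot: In the WN22-SO-000360 hunk the renamed task name promises FIPS-compliant algorithms, but the context lines directly beneath it set `path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager` / `value: ProtectionMode`, which is the "Strengthen default permissions of internal system objects" setting rather than the FIPS policy. The FIPS setting lives under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy`, value `Enabled`; as written, enabling this control would leave FIPS mode untouched while the play reports the control as applied. The mismatch predates the rename and the task's data/type and when/tags are outside the hunk, so it may be an intentional mapping I cannot see the rest of — but the name and the registry key it writes should agree.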
@@ -4164,7 +4164,7 @@ - CAT2 # - exclusions for server core? think its NA there -- name: "MEDIUM | WN22-SO-000390 | PATCH | Windows Server 2019 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." +- name: "MEDIUM | WN22-SO-000390 | PATCH | Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableUIADesktopToggle @@ -4180,7 +4180,7 @@ - CCI-001084 - CAT2 -- name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2019 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop." +- name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2022 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: ConsentPromptBehaviorAdmin @@ -4196,7 +4196,7 @@ - CCI-001084 - CAT2 -- name: "MEDIUM | WN22-SO-000410 | PATCH | Windows Server 2019 User Account Control must automatically deny standard user requests for elevation." +- name: "MEDIUM | WN22-SO-000410 | PATCH | Windows Server 2022 User Account Control must automatically deny standard user requests for elevation." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System state: present @@ -4213,7 +4213,7 @@ - CCI-002038 - CAT2 -- name: "MEDIUM | WN22-SO-000420 | PATCH | Windows Server 2019 User Account Control must be configured to detect application installations and prompt for elevation." +- name: "MEDIUM | WN22-SO-000420 | PATCH | Windows Server 2022 User Account Control must be configured to detect application installations and prompt for elevation." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableInstallerDetection 
@@ -4229,7 +4229,7 @@ - CCI-001084 - CAT2 -- name: "MEDIUM | WN22-SO-000430 | PATCH | Windows Server 2019 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." +- name: "MEDIUM | WN22-SO-000430 | PATCH | Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableSecureUIAPaths @@ -4245,7 +4245,7 @@ - CCI-001084 - CAT2 -- name: "MEDIUM | WN22-SO-000440 | PATCH | Windows Server 2019 User Account Control must run all administrators in Admin Approval Mode, enabling UAC." +- name: "MEDIUM | WN22-SO-000440 | PATCH | Windows Server 2022 User Account Control must run all administrators in Admin Approval Mode, enabling UAC." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableLUA @@ -4261,7 +4261,7 @@ - CCI-002038 - CAT2 -- name: "MEDIUM | WN22-SO-000450 | PATCH | Windows Server 2019 User Account Control (UAC) must virtualize file and registry write failures to per-user locations." +- name: "MEDIUM | WN22-SO-000450 | PATCH | Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System value: EnableVirtualization @@ -4277,7 +4277,7 @@ - CCI-001084 - CAT2 -- name: "MEDIUM | WN22-UC-000010 | PATCH | Windows Server 2019 must preserve zone information when saving attachments." +- name: "MEDIUM | WN22-UC-000010 | PATCH | Windows Server 2022 must preserve zone information when saving attachments." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments value: SaveZoneInformation 
@@ -4294,7 +4294,7 @@ - CAT2 # [WARNING]: Using this module to edit rights and privileges is error-prone, use the win_user_right module instead -- name: "MEDIUM | WN22-UR-000010 | PATCH | Windows Server 2019 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." +- name: "MEDIUM | WN22-UR-000010 | PATCH | Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." community.windows.win_security_policy: section: Privilege Rights key: SeTrustedCredManAccessPrivilege @@ -4309,7 +4309,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000030 | PATCH | Windows Server 2019 Allow log on locally user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000030 | PATCH | Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeInteractiveLogonRight users: Administrators @@ -4324,7 +4324,7 @@ - CCI-000213 - CAT2 -- name: "MEDIUM | WN22-UR-000040 | PATCH | Windows Server 2019 Back up files and directories user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000040 | PATCH | Windows Server 2022 Back up files and directories user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeBackupPrivilege users: Administrators @@ -4339,7 +4339,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000050 | PATCH | Windows Server 2019 Create a pagefile user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000050 | PATCH | Windows Server 2022 Create a pagefile user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeCreatePagefilePrivilege users: Administrators 
@@ -4354,7 +4354,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000070 | PATCH | Windows Server 2019 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." +- name: "MEDIUM | WN22-UR-000070 | PATCH | Windows Server 2022 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: name: SeCreateGlobalPrivilege users: @@ -4373,7 +4373,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000080 | PATCH | Windows Server 2019 Create permanent shared objects user right must not be assigned to any groups or accounts." +- name: "MEDIUM | WN22-UR-000080 | PATCH | Windows Server 2022 Create permanent shared objects user right must not be assigned to any groups or accounts." community.windows.win_security_policy: section: Privilege Rights key: SeCreatePermanentPrivilege @@ -4388,7 +4388,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000090 | PATCH | Windows Server 2019 Create symbolic links user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000090 | PATCH | Windows Server 2022 Create symbolic links user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege users: Administrators @@ -4403,7 +4403,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000110 | PATCH | Windows Server 2019 Force shutdown from a remote system user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000110 | PATCH | Windows Server 2022 Force shutdown from a remote system user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeRemoteShutdownPrivilege users: Administrators 
@@ -4418,7 +4418,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000120 | PATCH | Windows Server 2019 Generate security audits user right must only be assigned to Local Service and Network Service." +- name: "MEDIUM | WN22-UR-000120 | PATCH | Windows Server 2022 Generate security audits user right must only be assigned to Local Service and Network Service." ansible.windows.win_user_right: name: SeAuditPrivilege users: @@ -4435,7 +4435,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000130 | PATCH | Windows Server 2019 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." +- name: "MEDIUM | WN22-UR-000130 | PATCH | Windows Server 2022 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: name: SeImpersonatePrivilege users: @@ -4454,7 +4454,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000140 | PATCH | Windows Server 2019 Increase scheduling priority: user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000140 | PATCH | Windows Server 2022 Increase scheduling priority: user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeIncreaseBasePriorityPrivilege users: Administrators @@ -4469,7 +4469,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000150 | PATCH | Windows Server 2019 Load and unload device drivers user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000150 | PATCH | Windows Server 2022 Load and unload device drivers user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeLoadDriverPrivilege users: Administrators 
@@ -4484,7 +4484,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000160 | PATCH | Windows Server 2019 Lock pages in memory user right must not be assigned to any groups or accounts." +- name: "MEDIUM | WN22-UR-000160 | PATCH | Windows Server 2022 Lock pages in memory user right must not be assigned to any groups or accounts." community.windows.win_security_policy: section: Privilege Rights key: SeLockMemoryPrivilege @@ -4499,7 +4499,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000170 | PATCH | Windows Server 2019 Manage auditing and security log user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000170 | PATCH | Windows Server 2022 Manage auditing and security log user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeSecurityPrivilege users: Administrators @@ -4518,7 +4518,7 @@ - CCI-001914 - CAT2 -- name: "MEDIUM | WN22-UR-000180 | PATCH | Windows Server 2019 Modify firmware environment values user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000180 | PATCH | Windows Server 2022 Modify firmware environment values user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeSystemEnvironmentPrivilege users: Administrators @@ -4533,7 +4533,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000190 | PATCH | Windows Server 2019 Perform volume maintenance tasks user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000190 | PATCH | Windows Server 2022 Perform volume maintenance tasks user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeManageVolumePrivilege users: Administrators 
@@ -4548,7 +4548,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000200 | PATCH | Windows Server 2019 Profile single process user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000200 | PATCH | Windows Server 2022 Profile single process user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeProfileSingleProcessPrivilege users: Administrators @@ -4563,7 +4563,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000210 | PATCH | Windows Server 2019 Restore files and directories user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000210 | PATCH | Windows Server 2022 Restore files and directories user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeRestorePrivilege users: Administrators @@ -4578,7 +4578,7 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000220 | PATCH | Windows Server 2019 Take ownership of files or other objects user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000220 | PATCH | Windows Server 2022 Take ownership of files or other objects user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeTakeOwnershipPrivilege users: Administrators From 40bec94adaa407708b4e78e2b0d6400a2bf347ea Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 23 Jun 2023 16:25:33 -0400 Subject: [PATCH 19/95] update cat2+3-6 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 95ce78c..0647756 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -879,7 +879,7 @@ - wn22stig_lockoutbadcount <= 3 when: - wn22_ac_000020 - - not win19stig_cloud_based_system + - not win22stig_cloud_based_system tags: - WN22-AC-000020 - V-205629 
@@ -915,7 +915,7 @@ - wn22stig_resetlockoutcount >= 15 when: - wn22_ac_000030 - - not win19stig_cloud_based_system + - not win22stig_cloud_based_system tags: - WN22-AC-000030 - V-205630 @@ -955,7 +955,7 @@ wn22stig_lockoutduration >= 15 when: - wn22_ac_000010 - - not win19stig_cloud_based_system + - not win22stig_cloud_based_system tags: - WN22-AC-000010 - V-205795 From 73cd3ae9115a7a2fcd5d520e092b8e4d08363c2a Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 23 Jun 2023 16:40:23 -0400 Subject: [PATCH 20/95] update cat2+3-7 Signed-off-by: Frederick Witty --- defaults/main.yml | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9652b2c..841936f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -330,53 +330,55 @@ wn22_so_000370: true # CAT 2 defaults # WN22-00-000020 -# Windows Server 2019 passwords for the built-in Administrator account must be changed at least every 60 days. +# Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days. # If the PasswordLastSet date is greater than wn22stig_pass_age days old, this is a finding. wn22stig_pass_age: 60 # WN22-AC-000010 -# Windows Server 2019 account lockout duration must be configured to 15 minutes or greater. +# Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. # Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. # Valid Variables are 15 or more or 0. wn22stig_lockoutduration: 15 # WN22-AC-000020 -# Windows Server 2019 must have the number of allowed bad logon attempts configured to three or less. +# Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. # and may not be set to 0. wn22stig_lockoutbadcount: 3 +win22stig_cloud_based_system: true + # WN22-AC-000030 -# Windows Server 2019 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. +# Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. # wn22stig_resetlockoutcount is the Reset account lockout counter after value in mintues. wn22stig_resetlockoutcount: 15 # WN22-AC-000050 -# Windows Server 2019 maximum password age must be configured to 60 days or less and cannot be 0. +# Windows Server 2022 maximum password age must be configured to 60 days or less and cannot be 0. # wn22stig_maximumpasswordage is the Maximum password age value in days. wn22stig_maximumpasswordage: 60 # WN22-AC-000060 -# Windows Server 2019 minimum password age must be configured to at least one day and cannot be set to 0. 
+# Windows Server 2022 minimum password age must be configured to at least one day and cannot be set to 0. # wn22stig_minimumpasswordage is the Minimum password age value in days. wn22stig_minimumpasswordage: 1 # WN22-AC-000070 -# Windows Server 2019 minimum password length must be configured to 14 characters or more. +# Windows Server 2022 minimum password length must be configured to 14 characters or more. # wn22stig_minimumpasswordlength is the Minimum password characters length value. wn22stig_minimumpasswordlength: 14 # WN22-SO-000030 -# Windows Server 2019 built-in administrator account must be renamed. +# Windows Server 2022 built-in administrator account must be renamed. # wn22stig_newadministratorname is the non-default name for the Administror Account. wn22stig_newadministratorname: adminchangethis # WN22-SO-000040 -# Windows Server 2019 built-in guest account must be renamed. +# Windows Server 2022 built-in guest account must be renamed. # wn22stig_newguestname is the non-default name for the guest Account. wn22stig_newguestname: guestchangethis # WN22-SO-000130 -# Windows Server 2019 required legal notice must be configured to display before console logon. +# Windows Server 2022 required legal notice must be configured to display before console logon. # wn22stig_legalnoticetext is the LegalNoticeText for Win logon. wn22stig_legalnoticetext: | You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
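Review bot: `win22stig_cloud_based_system: true` is added as an uncommented default, and with that value every host is treated as cloud-based unless the caller overrides it, so the `not win22stig_cloud_based_system` condition that the previous commit on this page put on WN22-AC-000010/000020/000030 in tasks/cat2.yml never evaluates true and the lockout duration, bad-logon count and reset-counter controls are silently skipped on physical and non-listed hosts. As far as this page shows, the only other writer is the prelim.yml set_fact (later on this page), which also sets the fact to true, so nothing ever sets it to false. The default should be `win22stig_cloud_based_system: false` with a comment such as `# Set to true (prelim.yml does this for Hyper-V/hvm/kvm guests) to skip the account-lockout controls a cloud provider manages.`, and the variable belongs with the other role-wide switches rather than between the WN22-AC-000020 and WN22-AC-000030 entries. The `win22stig_` prefix also differs from the `wn22stig_`/`win2022stig_` prefixes used elsewhere in this file.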
@@ -394,17 +396,17 @@ wn22stig_legalnoticetext: | -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. # WN22-CC-000270 -# Windows Server 2019 Application event log size must be configured to 32768 KB or greater. +# Windows Server 2022 Application event log size must be configured to 32768 KB or greater. # wn22stig_app_maxsize is the EventLog Application max log size value in KB. wn22stig_app_maxsize: 32768 # WN22-CC-000280 -# Windows Server 2019 Security event log size must be configured to 196608 KB or greater. +# Windows Server 2022 Security event log size must be configured to 196608 KB or greater. # wn22stig_sec_maxsize is the EventLog Security max log size value in KB. wn22stig_sec_maxsize: 196608 # WN22-CC-000290 -# Windows Server 2019 System event log size must be configured to 32768 KB or greater. +# Windows Server 2022 System event log size must be configured to 32768 KB or greater. # wn22stig_sys_maxsize is the EventLog System max log size value in KB. wn22stig_sys_maxsize: 32768 @@ -416,6 +418,6 @@ wn22stig_krbtgt_pass_age: 180 # CAT 3 defaults # WN22-SO-000140 -# Windows Server 2019 title for legal banner dialog box must be configured with the appropriate text. +# Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text. # wn22stig_legalnoticecaption is the DoD Notice and Consent Banner text. wn22stig_legalnoticecaption: "DoD Notice and Consent Banner" From 08593a20db9cc7506dbac4eec97f2be1b01d164e Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 26 Jun 2023 11:18:11 -0400 Subject: [PATCH 21/95] update cat2+3-8 
Signed-off-by: Frederick Witty
--- handlers/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 3a979e9..333da18 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 # handlers file for Windows-2022-STIG
-- name: Reboot_Windows
+- name: reboot_windows
 ansible.windows.win_reboot:
 reboot_timeout: 3600
From 03e0cf5f282e83ec5a5a368cf631c76adc5997ca Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 26 Jun 2023 15:32:25 -0400 Subject: [PATCH 22/95] update cat2+3-9 Signed-off-by: Frederick Witty
--- tasks/main.yml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/tasks/main.yml b/tasks/main.yml
index ef09f5d..d088364 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -75,3 +75,8 @@
 - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID's are listed below:"
 - "{{ warn_control_list }}"
 when: warn_count != 0
+
+- name: Reboot Now
+ ansible.windows.win_shell: shutdown -r -t 1
+ changed_when: false
+ check_mode: false
From 41198f3e2f2058bfbb44aaa4c13227185ca979b1 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 26 Jun 2023 16:26:52 -0400 Subject: [PATCH 23/95] update ac00010-1 Signed-off-by: Frederick Witty
--- tasks/cat2.yml | 74 +++++++++++++++++++++++++------------------------- 1 file changed, 37 insertions(+), 37 deletions(-)
diff --git a/tasks/cat2.yml b/tasks/cat2.yml
index 0647756..aad132a 100644
--- a/tasks/cat2.yml
+++ b/tasks/cat2.yml
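Review bot: The new `Reboot Now` task in tasks/main.yml reboots every targeted host unconditionally at the end of each run, `check_mode: false` makes it execute even under `--check`, and `changed_when: false` hides from the recap that a reboot was triggered. Running `shutdown -r -t 1` through win_shell also gives Ansible no way to wait for the host to come back, which is exactly what the `win_reboot` handler in handlers/main.yml provides (renamed to `reboot_windows` in the previous hunk; the diffstat touches no other file, so any existing `notify: Reboot_Windows` elsewhere would now be dangling, though none is visible here). The tasks that change reboot-requiring settings should `notify: reboot_windows` instead; if an explicit end-of-run reboot is wanted, it should be opt-in and respect check mode, e.g. (constructed variable name) `when: wn22stig_reboot_after_run | default(false)` with the `check_mode: false` and `changed_when: false` lines removed.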
@@ -888,43 +888,6 @@ - CCI-000044 - CAT2 -# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." - block: - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." - ansible.builtin.debug: - msg: - - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" - - "the notes for the variable and make the necessary change to the variable to be in compliance." - when: - - wn22stig_resetlockoutcount < 15 - - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-AC-000030' - when: - - wn22stig_resetlockoutcount < 15 - - - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" - community.windows.win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ wn22stig_resetlockoutcount }}" - when: - - wn22stig_resetlockoutcount >= 15 - when: - - wn22_ac_000030 - - not win22stig_cloud_based_system - tags: - - WN22-AC-000030 - - V-205630 - - SRG-OS-000021-GPOS-00005 - - SV-205630r569188_rule - - CCI-000044 - - CCI-002238 - - CAT2 - # below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? 
"The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." block: 
@@ -964,6 +927,43 @@ - CCI-002238 - CAT2 +# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + block: + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_resetlockoutcount < 15 + + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000030' + when: + - wn22stig_resetlockoutcount < 15 + + - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" + community.windows.win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ wn22stig_resetlockoutcount }}" + when: + - wn22stig_resetlockoutcount >= 15 + when: + - wn22_ac_000030 + - not win22stig_cloud_based_system + tags: + - WN22-AC-000030 + - V-205630 + - SRG-OS-000021-GPOS-00005 + - SV-205630r569188_rule + - CCI-000044 + - CCI-002238 + - CAT2 + - name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered." community.windows.win_security_policy: section: System Access 
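Review bot: The relocated WN22-AC-000030 block now runs after WN22-AC-000010, yet the comment kept above the WN22-AC-000010 task at the end of the previous hunk states that task depends on both WN22-AC-000020 and WN22-AC-000030 (`LockoutDuration` is rejected until the other keys exist), so the new order runs the dependent task first; either 000010 should remain after 000030 or that comment is wrong and should be corrected. The comment re-added at the top of this hunk still says `WN16-AC-000020` where `WN22-AC-000020` is meant. Both AUDIT task names in the block open without a quote but end with `"`, leaving a stray quote in the task name, and the warning text says `invalid number of days` although `wn22stig_resetlockoutcount` is the reset-counter value in minutes per defaults/main.yml.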
From 3bb7ce337a03dd832bf27d3194e7a30551213afe Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 27 Jun 2023 15:19:04 -0400 Subject: [PATCH 24/95] update cat2+3-10 Signed-off-by: Frederick Witty --- defaults/main.yml | 13 +++++++------ tasks/main.yml | 6 +----- tasks/prelim.yml | 5 +---- 3 files changed, 9 insertions(+), 15 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 841936f..f3d9f0f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -32,15 +32,16 @@ win2022stig_system_is_container: false # set to false to skip long running tasks long_running: false -# win2022stig_skip_for_test is used in the playbook to skip over certain controls that -# may cause breaking changes when running it for testing purposes. -# Controls that will be skipped: +# win2022stig_skip_for_test is used in the playbook to skip over WINRM based controls that +# may cause WINRM Basic Connection Type to be disabled. +# Setting win2022stig_skip_for_test to 'false' will enable Secure Connection types only. +# WINRM Controls that will be skipped: # WN22-CC-000470 - CAT1 # WN22-CC-000500 - CAT1 # WN22-CC-000480 - CAT2 # WN22-CC-000510 - CAT2 # WN22-CC-000520 - CAT2 -win2022stig_skip_for_test: false +win2022stig_skip_for_test: true # CAT 1 rules wn22_00_000010: true @@ -54,8 +55,8 @@ wn22_cc_000220: true wn22_cc_000230: true wn22_cc_000430: true # WINRM CONTROL -wn22_cc_000470: false -wn22_cc_000500: false +wn22_cc_000470: true +wn22_cc_000500: true # WINRM CONTROL END wn22_dc_000010: true wn22_dc_000070: true diff --git a/tasks/main.yml b/tasks/main.yml index d088364..09ea6f9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
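Review bot: Flipping the default to `win2022stig_skip_for_test: true` ships the role with the WinRM hardening controls (WN22-CC-000470/000500 CAT1 and 000480/000510/000520 CAT2) skipped on every host, and setting `wn22_cc_000470`/`wn22_cc_000500` to true in the second hunk has no effect while the skip flag is true, because the tasks (visible in the next commit's cat1.yml/cat2.yml hunks) require both `wn22_cc_0005xx` and `not win2022stig_skip_for_test`. A STIG role whose out-of-the-box default leaves CAT1 controls unapplied to protect the automation's own transport is inverted; the safer default is `false`, with the comment telling users who connect over WinRM Basic to set it to true for that run, e.g. `# Set to true only when the controller connects over WinRM Basic/unencrypted auth; the controls below would otherwise cut that connection mid-run.` The rewritten comment `Setting win2022stig_skip_for_test to 'false' will enable Secure Connection types only.` also reads backwards — false means the controls are applied, which is what enforces secure connection types.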
@@ -48,11 +48,7 @@ # for cloud based systems - name: Execute the category 2 (medium severity) tasks for cloud based system ansible.builtin.import_tasks: cat2_cloud.yml - when: - - win22stig_cloud_based_system - - wn22_ac_000010 or - wn22_ac_000020 or - wn22_ac_000030 + when: ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or ansible_virtualization_type == 'kvm' tags: - CAT2_CLOUD2 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index bb5c174..6081b22 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -16,10 +16,7 @@ - name: Set Fact If Cloud Based System. ansible.builtin.set_fact: win22stig_cloud_based_system: true - when: - - ansible_virtualization_type == 'Hyper-V' or - ansible_virtualization_type == 'hvm' or - ansible_virtualization_type == 'kvm' + when: ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or ansible_virtualization_type == 'kvm' tags: - always From 1b8a81ae9c7287d4dcf62c2a9674f400f15ee43f Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 28 Jun 2023 11:36:18 -0400 Subject: [PATCH 25/95] update winrmskip var1 Signed-off-by: Frederick Witty --- defaults/main.yml | 6 +++--- tasks/cat1.yml | 4 ++-- tasks/cat2.yml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index f3d9f0f..28ac169 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
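Review bot: The new single-line `when:` on the cat2_cloud.yml import drops the `wn22_ac_000010 or wn22_ac_000020 or wn22_ac_000030` toggles, so the cloud variants of those controls now run even when a user has disabled all three, and it stops using the `win22stig_cloud_based_system` fact that prelim.yml (next hunk) still computes from the same expression, leaving two copies that can drift. Keeping the fact as the single source, `when: win22stig_cloud_based_system and (wn22_ac_000010 or wn22_ac_000020 or wn22_ac_000030)`, preserves the earlier behaviour. Note also that `hvm`/`kvm` match any Xen or KVM guest, not only cloud-hosted ones, and `ansible_virtualization_type` is undefined when fact gathering is disabled, which makes the comparison fail the play rather than skip the task.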
@@ -32,16 +32,16 @@ win2022stig_system_is_container: false # set to false to skip long running tasks long_running: false -# win2022stig_skip_for_test is used in the playbook to skip over WINRM based controls that +# win2022stig_skip_secure_winrm is used in the playbook to skip over WINRM based controls that # may cause WINRM Basic Connection Type to be disabled. -# Setting win2022stig_skip_for_test to 'false' will enable Secure Connection types only. +# Setting win2022stig_skip_secure_winrm to 'false' will enable Secure Connection types only. # WINRM Controls that will be skipped: # WN22-CC-000470 - CAT1 # WN22-CC-000500 - CAT1 # WN22-CC-000480 - CAT2 # WN22-CC-000510 - CAT2 # WN22-CC-000520 - CAT2 -win2022stig_skip_for_test: true +win2022stig_skip_secure_winrm: true # CAT 1 rules wn22_00_000010: true diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 9730a07..b99f705 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -114,7 +114,7 @@ datatype: dword when: - wn22_cc_000470 - - not win2022stig_skip_for_test + - not win2022stig_skip_secure_winrm tags: - WN22-CC-000470 - V-254378 @@ -132,7 +132,7 @@ datatype: dword when: - wn22_cc_000500 - - not win2022stig_skip_for_test + - not win2022stig_skip_secure_winrm tags: - WN22-CC-000500 - V-254381 diff --git a/tasks/cat2.yml b/tasks/cat2.yml index aad132a..300101b 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -2539,7 +2539,7 @@ datatype: dword when: - wn22_cc_000480 - - not win2022stig_skip_for_test + - not win2022stig_skip_secure_winrm tags: - WN22-CC-000480 - V-205816 @@ -2573,7 +2573,7 @@ datatype: dword when: - wn22_cc_000510 - - not win2022stig_skip_for_test + - not win2022stig_skip_secure_winrm tags: - WN22-CC-000510 - V-205817 @@ -2591,7 +2591,7 @@ datatype: dword when: - wn22_cc_000520 - - not win2022stig_skip_for_test + - not win2022stig_skip_secure_winrm tags: - WN22-CC-000520 - V-205810 From fabaf54aa014281e2ea216eb6479203026040a95 Mon Sep 17 00:00:00 2001 
From: Frederick Witty Date: Wed, 28 Jun 2023 14:01:37 -0400 Subject: [PATCH 26/95] update cat2-1 Signed-off-by: Frederick Witty --- defaults/main.yml | 6 +- tasks/cat2.yml | 152 ++++++++++++++++++++++++++++++++-------------- 2 files changed, 109 insertions(+), 49 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 28ac169..1029830 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -44,10 +44,7 @@ long_running: false win2022stig_skip_secure_winrm: true # CAT 1 rules -wn22_00_000010: true wn22_00_000030: true -wn22_00_000100: true -wn22_00_000110: true wn22_00_000130: true wn22_ac_000090: true wn22_cc_000210: true @@ -81,6 +78,7 @@ wn22_ur_000060: true wn22_ur_000100: true # CAT 2 rules +wn22_00_000010: true wn22_00_000020: true wn22_00_000040: true wn22_00_000050: true @@ -88,6 +86,8 @@ wn22_00_000060: true wn22_00_000070: true wn22_00_000080: true wn22_00_000090: true +wn22_00_000100: true +wn22_00_000110: true wn22_00_000120: true wn22_00_000140: true wn22_00_000150: true diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 300101b..c54101e 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -1,5 +1,25 @@ --- +- name: "MEDIUM | WN22-00-000010 | AUDIT | Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks." + block: + - name: "MEDIUM | WN22-00-000010 | AUDIT | Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks." + + - name: "MEDIUM | WN22-00-000010 | AUDIT | Windows Server 2022 users with Administrative privileges must have separate accounts for administrative duties and normal operational tasks. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000010' + when: + - wn22_00_000010 + tags: + - WN22-00-000010 + - V-254238 + - SRG-OS-000480-GPOS-00227 + - SV-254238r848530_rule + - CCI-000366 + - CAT2 + # enumerating on DC is different than standalone - name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." block: @@ -48,9 +68,9 @@ - wn22_00_000020 tags: - WN22-00-000020 - - V-205657 + - V-254239 - CCI-000199 - - SV-205657r857286_rule + - SV-254239r915618_rule - SRG-OS-000076-GPOS-00044 - NeedToTestDomainController - audit @@ -86,9 +106,9 @@ - "'controller' not in ansible_windows_domain_role" tags: - WN22-00-000040 - - V-205846 + - V-254241 - SRG-OS-000480-GPOS-00227 - - SV-205846r569188_rule + - SV-254241r848539_rule - CCI-000366 - audit - CAT2 @@ -107,9 +127,9 @@ - wn22_00_000050 tags: - WN22-00-000050 - - V-205661 + - V-254242 - SRG-OS-000078-GPOS-00046 - - SV-205661r569188_rule + - SV-254242r848542_rule - CCI-000205 - CAT2 
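Review bot: The new WN22-00-000010 block is an AUDIT-only control, but its tag list omits the `audit` tag that the WN22-00-000020 and WN22-00-000040 blocks in the following hunks carry, so `--skip-tags audit` will not skip it; add `- audit` alongside `- CAT2`. Since the block changes no configuration and only emits a warning and increments the warn count, a comment above it such as `# Manual control: no remediation, only a warning and warn_count increment.` would match the `# enumerating on DC is different than standalone` style used for the next task.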
@@ -127,9 +147,9 @@ - wn22_00_000060 tags: - WN22-00-000060 - - V-205847 + - V-254243 - SRG-OS-000480-GPOS-00227 - - SV-205847r857288_rule + - SV-254243r848545_rule - CCI-000366 - CAT2 # how to make this list? @@ -148,9 +168,9 @@ - wn22_00_000070 tags: - WN22-00-000070 - - V-205699 + - V-254244 - SRG-OS-000104-GPOS-00051 - - SV-205699r569188_rule + - SV-254244r848548_rule - CCI-000764 - CAT2 
@@ -168,36 +188,76 @@ - wn22_00_000080 tags: - WN22-00-000080 - - V-205807 + - V-254245 - SRG-OS-000370-GPOS-00155 - - SV-205807r569188_rule + - SV-254245r890536_rule - CCI-001774 - CAT2 # Get-AppLockerPolicy -Effective # Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. -- name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." +- name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level." block: - - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out" + - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | Message out" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." + msg: "Warning!! This is a manual task. Windows Server 2022 must be maintained at a supported servicing level." - - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task." + - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN22-00-000090' + warn_control_id: 'WN22-00-000100' when: - - wn22_00_000090 + - wn22_00_000100 tags: - - WN22-00-000090 - - V-205848 + - WN22-00-000100 + - V-254246 - SRG-OS-000480-GPOS-00227 - - SV-205848r857290_rule + - SV-254246r848554_rule - CCI-000366 - CAT2 # wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * # if not enabled see "No Instance(s) Available." ? +- name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level." + block: + - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 must be maintained at a supported servicing level." + + - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000100' + when: + - wn22_00_000100 + tags: + - WN22-00-000100 + - V-254247 + - SRG-OS-000480-GPOS-00227 + - SV-254247r848557_rule + - CCI-000366 + - CAT2 + +- name: "MEDIUM | WN22-00-000110 | AUDIT | Windows Server 2022 must use an antivirus program." + block: + - name: "MEDIUM | WN22-00-000110 | AUDIT | Windows Server 2022 must use an antivirus program. | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 must use an antivirus program." + + - name: "MEDIUM | WN22-00-000110 | AUDIT | Windows Server 2022 must use an antivirus program. | import reuseable task." 
+ ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000110' + when: + - wn22_00_000110 + tags: + - WN22-00-000110 + - V-254248 + - SRG-OS-000480-GPOS-00227 + - SV-254248r848560_rule + - CCI-000366 + - CAT2 + - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system." block: - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system. | Message out" @@ -212,9 +272,9 @@ - wn22_00_000120 tags: - WN22-00-000120 - - V-205851 + - V-254249 - SRG-OS-000480-GPOS-00227 - - SV-205851r793214_rule + - SV-254249r848563_rule - CCI-000366 - CAT2 # think this is mcafee but need install and figure out paths for AV vs HIDS and/or running services? @@ -233,9 +293,9 @@ - wn22_00_000140 tags: - WN22-00-000140 - - V-205734 + - V-254251 - SRG-OS-000312-GPOS-00122 - - SV-205734r569188_rule + - SV-254251r848569_rule - CCI-002165 - CAT2 
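Review bot: The new side of this hunk carries two tasks named `WN22-00-000100 | AUDIT | ... maintained at a supported servicing level`, both gated on `wn22_00_000100`, one tagged V-254246 and the other V-254247, while the TPM control WN22-00-000090 that the old side had no longer exists; the first block should keep `WN22-00-000090` in its name, msg, `warn_control_id`, `when` and control tag and only take the new V-/SV- numbers. The two TPM comments (`# Current hardware ... Credential Guard ...` and `# wmic ... win32_tpm ...`) now sit above a servicing-level task, which suggests a blanket `000090`→`000100` substitution rather than a targeted edit. The same substitution reaches the WN22-AU-000090, WN22-CC-000090, WN22-MS-000090, WN22-SO-000090 and WN22-UR-000090 hunks later in this patch, each of which renames the control ID, variable and tag but keeps its old V-/SV- numbers; the old side of the cat2-4 patch in this series shows both the command-line-data task and the credential-delegation task carrying WN22-CC-000100 as a result, so those renames should be reverted. Patches 27–29 undo several of them, but as committed here the playbook runs WN22-00-000100 twice and WN22-00-000090 not at all.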
@@ -1274,22 +1334,22 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." +- name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." block: - - name: "MEDIUM | WN22-AU-000090 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000100 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false - register: wn22_au_000090_audit + register: wn22_au_000100_audit - - name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable - when: "'Success' not in wn22_au_000090_audit.stdout" + when: "'Success' not in wn22_au_000100_audit.stdout" when: - - wn22_au_000090 + - wn22_au_000100 tags: - - WN22-AU-000090 + - WN22-AU-000100 - V-205769 - SRG-OS-000327-GPOS-00127 - SV-205769r569188_rule 
@@ -1992,16 +2052,16 @@ - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000090 | PATCH | Windows Server 2022 command line data must be included in process creation events." +- name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2022 command line data must be included in process creation events." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit value: ProcessCreationIncludeCmdLine_Enabled data: 1 datatype: dword when: - - wn22_cc_000090 + - wn22_cc_000100 tags: - - WN22-CC-000090 + - WN22-CC-000100 - V-205638 - SRG-OS-000042-GPOS-00020 - SV-205638r569188_rule @@ -3461,9 +3521,9 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." +- name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: - - name: "MEDIUM | WN22-MS-000090 | PATCH | DOMAIN MEMBER | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000100 | PATCH | DOMAIN MEMBER | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyBatchLogonRight users: 
@@ -3473,7 +3533,7 @@ action: set when: ansible_windows_domain_role == "Member server" - - name: "MEDIUM | WN22-MS-000090 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + - name: "MEDIUM | WN22-MS-000100 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyBatchLogonRight users: @@ -3481,9 +3541,9 @@ action: set when: not ansible_windows_domain_member when: - - wn22_ms_000090 + - wn22_ms_000100 tags: - - WN22-MS-000090 + - WN22-MS-000100 - V-205673 - SRG-OS-000080-GPOS-00048 - SV-205673r857335_rule @@ -3796,16 +3856,16 @@ - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN22-SO-000090 | PATCH | Windows Server 2022 computer account password must not be prevented from being reset." +- name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 computer account password must not be prevented from being reset." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: DisablePasswordChange data: 0 datatype: dword when: - - wn22_so_000090 + - wn22_so_000100 tags: - - WN22-SO-000090 + - WN22-SO-000100 - V-205815 - SRG-OS-000379-GPOS-00164 - SV-205815r569188_rule 
@@ -4388,15 +4448,15 @@ - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000090 | PATCH | Windows Server 2022 Create symbolic links user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000100 | PATCH | Windows Server 2022 Create symbolic links user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege users: Administrators action: set when: - - wn22_ur_000090 + - wn22_ur_000100 tags: - - WN22-UR-000090 + - WN22-UR-000100 - V-205756 - SRG-OS-000324-GPOS-00125 - SV-205756r569188_rule From f99b1649a4c9bb086839368331d56c151b7a74a3 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 28 Jun 2023 15:36:17 -0400 Subject: [PATCH 27/95] update cat2-2 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 185 +++++++++++++++++++++++++------------------------ 1 file changed, 93 insertions(+), 92 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index c54101e..c311c68 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -195,21 +195,22 @@ - CAT2 # Get-AppLockerPolicy -Effective -# Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. -- name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level." +# Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting +# requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. +- name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." block: - - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | Message out" + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must be maintained at a supported servicing level." + msg: "Warning!! This is a manual task. Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." - - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | import reuseable task." + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN22-00-000100' + warn_control_id: 'WN22-00-000090' when: - - wn22_00_000100 + - wn22_00_000090 tags: - - WN22-00-000100 + - WN22-00-000090 - V-254246 - SRG-OS-000480-GPOS-00227 - SV-254246r848554_rule @@ -313,9 +314,9 @@ - wn22_00_000150 tags: - WN22-00-000150 - - V-205735 + - V-254252 - SRG-OS-000312-GPOS-00122 - - SV-205735r569188_rule + - SV-254252r848572_rule - CCI-002165 - CAT2 @@ -333,9 +334,9 @@ - wn22_00_000160 tags: - WN22-00-000160 - - V-205736 + - V-254253 - SRG-OS-000312-GPOS-00122 - - SV-205736r569188_rule + - SV-254253r848575_rule - CCI-002165 - CAT2 @@ -353,9 +354,9 @@ - wn22_00_000170 tags: - WN22-00-000170 - - V-205737 + - V-254254 - SRG-OS-000324-GPOS-00125 - - SV-205737r793220_rule + - SV-254254r877392_rule - CCI-002235 - CAT2 @@ -373,9 +374,9 @@ - wn22_00_000190 tags: - WN22-00-000190 - - V-205707 + - V-254256 - SRG-OS-000118-GPOS-00060 - - SV-205707r857292_rule + - SV-254256r848584_rule - CCI-000795 - CAT2 @@ -428,9 +429,9 @@ - wn22_00_000200 tags: - WN22-00-000200 - - V-205700 + - V-254257 - SRG-OS-000104-GPOS-00051 - - SV-205700r857294_rule + - SV-254257r848587_rule - CCI-000764 - audit - CAT2 @@ -459,9 +460,9 @@ - wn22_00_000210 tags: - WN22-00-000210 - - V-205658 + - V-254258 - SRG-OS-000076-GPOS-00044 - - SV-205658r857297_rule + - SV-254258r848590_rule - CAT2 - CCI-000199 @@ -479,9 +480,9 @@ - wn22_00_000220 tags: - WN22-00-000220 - - V-205803 + - V-254259 - SRG-OS-000363-GPOS-00150 - - SV-205803r860026_rule + - SV-254259r890538_rule - CCI-001744 - CAT2 # Some third party software to monitor files @@ -507,9 +508,9 @@ - wn22_00_000230 tags: - WN22-00-000230 - - V-205721 + - V-254260 - SRG-OS-000138-GPOS-00069 - - SV-205721r569188_rule + - SV-254260r848596_rule - CCI-001090 - CAT2 
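Review bot: The restored WN22-00-000090 block warns on every host, but the control text in the task name scopes it to domain-joined systems; adding `- ansible_windows_domain_member` to the block's `when:` list (the fact the WN22-MS section of this file already uses) would keep standalone servers from accumulating a warning for a control that does not apply to them. The V-254246 / SV-254246r848554_rule tags are carried over from the previous patch, where they were attached to the renamed servicing-level block, so they should be confirmed as the TPM finding rather than the servicing-level one. The block's final tag lines fall outside the hunk.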
@@ -539,9 +540,9 @@ - wn22_00_000240 tags: - WN22-00-000240 - - V-205852 + - V-254261 - SRG-OS-000480-GPOS-00227 - - SV-205852r569188_rule + - SV-254261r848599_rule - CCI-000366 - CAT2 # do we need async; its very long running to search filesystems @@ -561,9 +562,9 @@ - wn22_00_000250 tags: - WN22-00-000250 - - V-205727 + - V-254262 - SRG-OS-000185-GPOS-00079 - - SV-205727r569188_rule + - SV-254262r848602_rule - CCI-001199 - CCI-002475 - CCI-002476 @@ -583,9 +584,9 @@ - wn22_00_000260 tags: - WN22-00-000260 - - V-205829 + - V-254263 - SRG-OS-000425-GPOS-00189 - - SV-205829r790513_rule + - SV-254263r848605_rule - CCI-002420 - CCI-002422 - CAT2 @@ -611,9 +612,9 @@ - wn22_00_000270 tags: - WN22-00-000270 - - V-205677 + - V-254264 - SRG-OS-000095-GPOS-00049 - - SV-205677r569188_rule + - SV-254264r848608_rule - CCI-000381 - CAT2 @@ -631,9 +632,9 @@ - wn22_00_000280 tags: - WN22-00-000280 - - V-214936 + - V-254265 - SRG-OS-000480-GPOS-00227 - - SV-214936r569188_rule + - SV-254265r848611_rule - CCI-000366 - CCI-002080 - CAT2 @@ -652,9 +653,9 @@ - wn22_00_000290 tags: - WN22-00-000290 - - V-205728 + - V-254266 - SRG-OS-000191-GPOS-00080 - - SV-205728r793217_rule + - SV-254266r849353_rule - CCI-001233 - CAT2 @@ -672,9 +673,9 @@ - wn22_00_000300 tags: - WN22-00-000300 - - V-205624 + - V-254267 - SRG-OS-000002-GPOS-00002 - - SV-205624r857301_rule + - SV-254267r848617_rule - CCI-000016 - CAT2 @@ -692,9 +693,9 @@ - wn22_00_000310 tags: - WN22-00-000310 - - V-205710 + - V-254268 - SRG-OS-000123-GPOS-00064 - - SV-205710r857303_rule + - SV-254268r848620_rule - CCI-001682 - CAT2 @@ -707,9 +708,9 @@ - wn22_00_000320 tags: - WN22-00-000320 - - V-205678 + - V-254269 - SRG-OS-000095-GPOS-00049 - - SV-205678r569188_rule + - SV-254269r848623_rule - CCI-000381 - CAT2 @@ -722,9 +723,9 @@ - wn22_00_000330 tags: - WN22-00-000330 - - V-205697 + - V-254270 - SRG-OS-000096-GPOS-00050 - - SV-205697r569188_rule + - SV-254270r848626_rule - CCI-000382 - CAT2 
@@ -737,9 +738,9 @@ - wn22_00_000340 tags: - WN22-00-000340 - - V-205679 + - V-254271 - SRG-OS-000095-GPOS-00049 - - SV-205679r569188_rule + - SV-254271r848629_rule - CCI-000381 - CAT2 @@ -751,9 +752,9 @@ - wn22_00_000350 tags: - WN22-00-000350 - - V-205680 + - V-254272 - SRG-OS-000095-GPOS-00049 - - SV-205680r569188_rule + - SV-254272r848632_rule - CCI-000381 - CAT2 @@ -765,9 +766,9 @@ - wn22_00_000360 tags: - WN22-00-000360 - - V-205698 + - V-254273 - SRG-OS-000096-GPOS-00050 - - SV-205698r569188_rule + - SV-254273r848635_rule - CCI-000382 - CAT2 @@ -779,9 +780,9 @@ - wn22_00_000370 tags: - WN22-00-000370 - - V-205681 + - V-254274 - SRG-OS-000095-GPOS-00049 - - SV-205681r569188_rule + - SV-254274r848638_rule - CCI-000381 - CAT2 @@ -794,10 +795,10 @@ - wn22_00_000380 tags: - WN22-00-000380 - - V-205682 + - V-254275 - CAT2 - SRG-OS-000095-GPOS-00049 - - SV-205682r819711_rule + - SV-254275r848641_rule - CCI-000381 - name: "MEDIUM | WN22-00-000390 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." @@ -811,9 +812,9 @@ - wn22_00_000390 tags: - WN22-00-000390 - - V-205683 + - V-254276 - SRG-OS-000095-GPOS-00049 - - SV-205683r569188_rule + - SV-254276r848644_rule - CCI-000381 - CAT2 @@ -828,9 +829,9 @@ - wn22_00_000400 tags: - WN22-00-000400 - - V-205684 + - V-254277 - SRG-OS-000095-GPOS-00049 - - SV-205684r569188_rule + - SV-254277r848647_rule - CCI-000381 - CAT2 @@ -842,9 +843,9 @@ - wn22_00_000410 tags: - WN22-00-000410 - - V-205685 + - V-254278 - SRG-OS-000095-GPOS-00049 - - SV-205685r569188_rule + - SV-254278r848650_rule - CCI-000381 - CAT2 @@ -862,9 +863,9 @@ - wn22_00_000420 tags: - WN22-00-000420 - - V-205853 + - V-254279 - SRG-OS-000480-GPOS-00227 - - SV-205853r569188_rule + - SV-254279r848653_rule - CCI-000366 - CAT2 @@ -882,9 +883,9 @@ - wn22_00_000430 tags: - WN22-00-000430 - - V-205854 + - V-254280 - SRG-OS-000480-GPOS-00227 - - SV-205854r569188_rule + - SV-254280r848656_rule - CCI-000366 - CAT2 
@@ -902,9 +903,9 @@ - wn22_00_000450 tags: - WN22-00-000450 - - V-205800 + - V-254282 - SRG-OS-000480-GPOS-00227 - - SV-205855r569188_rule + - SV-254282r848662_rule - CCI-000366 - CAT2 # https://www.stigviewer.com/stig/windows_server_2016/2022-01-16/finding/V-78127 @@ -942,9 +943,9 @@ - not win22stig_cloud_based_system tags: - WN22-AC-000020 - - V-205629 + - V-254286 - SRG-OS-000021-GPOS-00005 - - SV-205629r569188_rule + - SV-254286r848674_rule - CCI-000044 - CAT2 @@ -981,9 +982,9 @@ - not win22stig_cloud_based_system tags: - WN22-AC-000010 - - V-205795 + - V-254285 - SRG-OS-000329-GPOS-00128 - - SV-205795r569188_rule + - SV-254285r848671_rule - CCI-002238 - CAT2 @@ -1017,9 +1018,9 @@ - not win22stig_cloud_based_system tags: - WN22-AC-000030 - - V-205630 + - V-254287 - SRG-OS-000021-GPOS-00005 - - SV-205630r569188_rule + - SV-254287r848677_rule - CCI-000044 - CCI-002238 - CAT2 @@ -1033,9 +1034,9 @@ - wn22_ac_000040 tags: - WN22-AC-000040 - - V-205660 + - V-254288 - SRG-OS-000077-GPOS-00045 - - SV-205660r569188_rule + - SV-254288r848680_rule - CCI-000200 - CAT2 @@ -1070,9 +1071,9 @@ - wn22_ac_000050 tags: - WN22-AC-000050 - - V-205659 + - V-254289 - SRG-OS-000076-GPOS-00044 - - SV-205659r569188_rule + - SV-254289r848683_rule - CCI-000199 - CAT2 @@ -1104,9 +1105,9 @@ - wn22_ac_000060 tags: - WN22-AC-000060 - - V-205656 + - V-254290 - SRG-OS-000075-GPOS-00043 - - SV-205656r569188_rule + - SV-254290r848686_rule - CCI-000198 - CAT2 @@ -1138,9 +1139,9 @@ - wn22_ac_000070 tags: - WN22-AC-000070 - - V-205662 + - V-254291 - SRG-OS-000078-GPOS-00046 - - SV-205662r569188_rule + - SV-254291r890539_rule - CCI-000205 - CAT2 @@ -1153,9 +1154,9 @@ - wn22_ac_000080 tags: - WN22-AC-000080 - - V-205652 + - V-254292 - SRG-OS-000069-GPOS-00037 - - SV-205652r569188_rule + - SV-254292r848692_rule - CCI-000192 - CCI-000193 - CCI-000194 
@@ -1176,9 +1177,9 @@ - wn22_au_000010 tags: - WN22-AU-000010 - - V-205799 + - V-254294 - SRG-OS-000342-GPOS-00133 - - SV-205799r569188_rule + - SV-254294r877390_rule - CCI-001851 - CAT2 @@ -1196,9 +1197,9 @@ - wn22_au_000020 tags: - WN22-AU-000020 - - V-205843 + - V-254295 - SRG-OS-000479-GPOS-00224 - - SV-205843r860027_rule + - SV-254295r848701_rule - CCI-001851 - CAT2 # hard one, either need to standardize on say log shipping like splunk or other is set? @@ -1217,9 +1218,9 @@ - wn22_au_000030 tags: - WN22-AU-000030 - - V-205640 + - V-254296 - SRG-OS-000057-GPOS-00027 - - SV-205640r569188_rule + - SV-254296r848704_rule - CCI-000162 - CCI-000163 - CCI-000164 @@ -1239,9 +1240,9 @@ - wn22_au_000040 tags: - WN22-AU-000040 - - V-205641 + - V-254297 - SRG-OS-000057-GPOS-00027 - - SV-205641r569188_rule + - SV-254297r848707_rule - CCI-000162 - CCI-000163 - CCI-000164 @@ -1261,9 +1262,9 @@ - wn22_au_000050 tags: - WN22-AU-000050 - - V-205642 + - V-254298 - SRG-OS-000057-GPOS-00027 - - SV-205642r569188_rule + - SV-254298r848710_rule - CCI-000162 - CCI-000163 - CCI-000164 From b8fcb57c35727c7fa90a0ed78ac15d3cdf376479 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 29 Jun 2023 15:11:48 -0400 Subject: [PATCH 28/95] update cat2-3 Signed-off-by: Frederick Witty --- defaults/main.yml | 1 - tasks/cat2.yml | 205 +++++++++++++++++++++++++++------------------- 2 files changed, 122 insertions(+), 84 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 1029830..2d18dd1 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -141,7 +141,6 @@ wn22_au_000110: true wn22_au_000120: true wn22_au_000130: true wn22_au_000140: true -wn22_au_000150: true wn22_au_000160: true wn22_au_000170: true wn22_au_000180: true diff --git a/tasks/cat2.yml b/tasks/cat2.yml index c311c68..b02a29e 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -1284,9 +1284,9 @@ - wn22_au_000060 tags: - WN22-AU-000060 - - V-205731 + - V-254299 - SRG-OS-000257-GPOS-00098 - - SV-205731r569188_rule + - SV-254299r848713_rule - CCI-001494 - CCI-001495 - CAT2 @@ -1307,9 +1307,9 @@ - wn22_au_000070 tags: - WN22-AU-000070 - - V-205832 + - V-254300 - SRG-OS-000470-GPOS-00214 - - SV-205832r569188_rule + - SV-254300r848716_rule - CCI-000172 - CAT2 
@@ -1329,33 +1329,87 @@ - wn22_au_000080 tags: - WN22-AU-000080 - - V-205833 + - V-254301 - SRG-OS-000470-GPOS-00214 - - SV-205833r569188_rule + - SV-254301r848719_rule - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." +- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." block: - - name: "MEDIUM | WN22-AU-000100 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000090 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false + register: wn22_au_000090_audit + + - name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." + ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /failure:enable + when: "'Failure' not in wn22_au_000090_audit.stdout" + when: + - wn22_au_000090 + tags: + - WN22-AU-000090 + - V-254302 + - SRG-OS-000327-GPOS-00127 + - SV-254302r848722_rule + - CCI-000172 + - CCI-002234 + - CAT2 + +- name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + block: + - name: "MEDIUM | WN22-AU-000100 | AUDIT | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." 
+ ansible.windows.win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false register: wn22_au_000100_audit - - name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." - ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + - name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + ansible.windows.win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in wn22_au_000100_audit.stdout" when: - wn22_au_000100 tags: - WN22-AU-000100 - - V-205769 - - SRG-OS-000327-GPOS-00127 - - SV-205769r569188_rule + - V-254303 + - SRG-OS-000004-GPOS-00004 + - SV-254303r848725_rule + - CCI-000018 - CCI-000172 - - CCI-002234 + - CCI-001403 + - CCI-001404 + - CCI-001405 + - CCI-002130 + - CAT2 + +- name: "MEDIUM | WN22-AU-000110 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + block: + - name: "MEDIUM | WN22-AU-000110 | AUDIT | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + check_mode: false + register: wn22_au_000110_audit + + - name: "MEDIUM | WN22-AU-000110 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." 
+ ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable + when: "'Success' not in wn22_au_000110_audit.stdout" + when: + - wn22_au_000110 + tags: + - WN22-AU-000110 + - V-254304 + - SRG-OS-000004-GPOS-00004 + - SV-254304r848728_rule + - CCI-000018 + - CCI-000172 + - CCI-001403 + - CCI-001404 + - CCI-001405 + - CCI-002130 - CAT2 - name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management failures." @@ -1374,9 +1428,9 @@ - wn22_au_000120 tags: - WN22-AU-000120 - - V-205627 + - V-254305 - SRG-OS-000004-GPOS-00004 - - SV-205627r569188_rule + - SV-254305r848731_rule - CCI-000018 - CCI-000172 - CCI-001403 @@ -1401,9 +1455,9 @@ - wn22_au_000130 tags: - WN22-AU-000130 - - V-205839 + - V-254306 - SRG-OS-000474-GPOS-00219 - - SV-205839r569188_rule + - SV-254306r848734_rule - CCI-000172 - CAT2 @@ -1423,9 +1477,9 @@ - wn22_au_000140 tags: - WN22-AU-000140 - - V-205770 + - V-254307 - SRG-OS-000327-GPOS-00127 - - SV-205770r569188_rule + - SV-254307r848737_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1439,20 +1493,6 @@ check_mode: false register: wn22_au_000150_audit - - name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout successes." - ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable - when: "'Success' not in wn22_au_000150_audit.stdout" - when: - - wn22_au_000150 - tags: - - WN22-AU-000150 - - V-205729 - - SRG-OS-000240-GPOS-00090 - - SV-205729r569188_rule - - CCI-000172 - - CCI-001404 - - CAT2 - - name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." block: - name: "MEDIUM | WN22-AU-000160 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." 
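Review bot: Two of the new block names do not describe what the tasks do: WN22-AU-000090 is named `... Other Account Management Events successes` but its PATCH step runs `AuditPol /set ... /failure:enable` and its guard tests `'Failure' not in ...`, and WN22-AU-000100 is named `... User Account Management successes` while both of its AuditPol calls use subcategory `"Security Group Management"`. Since the name is what operators see in play output and match against the control ID, the block and its AUDIT/PATCH sub-tasks should read `... Other Account Management Events failures` and `... Security Group Management successes` respectively. WN22-AU-000110 (User Account Management successes) is consistent with its commands.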
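Review bot: Deleting the PATCH sub-task together with the `when:`/`tags:` of the WN22-AU-000150 block leaves the block head — the `- name:`/`block:` lines and the AUDIT sub-task that still sets `register: wn22_au_000150_audit`, visible as context at the top of the hunk — in place with no `wn22_au_000150` gate and no tags, so that AuditPol query now runs unconditionally and cannot be selected or skipped by tag, while this same patch drops `wn22_au_000150` from defaults/main.yml. Either remove the whole block, or keep it whole with its `when:`/`tags:` if the intent was only to change the subcategory or the success/failure setting. The enclosing block starts outside the hunk.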
@@ -1469,9 +1509,9 @@ - wn22_au_000160 tags: - WN22-AU-000160 - - V-205730 + - V-254309 - SRG-OS-000240-GPOS-00090 - - SV-205730r569188_rule + - SV-254309r848743_rule - CCI-000172 - CCI-001404 - CAT2 @@ -1492,9 +1532,9 @@ - wn22_au_000170 tags: - WN22-AU-000170 - - V-205834 + - V-254310 - SRG-OS-000470-GPOS-00214 - - SV-205834r569188_rule + - SV-254310r848746_rule - CCI-000172 - CAT2 @@ -1514,11 +1554,10 @@ - wn22_au_000180 tags: - WN22-AU-000180 - - V-205838 + - V-254311 - SRG-OS-000472-GPOS-00217 - - SV-205838r569188_rule + - SV-254311r848749_rule - CCI-000172 - - CCI-000366 - CAT2 - name: "MEDIUM | WN22-AU-000190 | PATCH | Windows Server 2022 must be configured to audit logon successes." @@ -1537,9 +1576,9 @@ - wn22_au_000190 tags: - WN22-AU-000190 - - V-205634 + - V-254312 - SRG-OS-000032-GPOS-00013 - - SV-205634r569188_rule + - SV-254312r848752_rule - CCI-000067 - CCI-000172 - CAT2 @@ -1560,9 +1599,9 @@ - wn22_au_000200 tags: - WN22-AU-000200 - - V-205635 + - V-254313 - SRG-OS-000032-GPOS-00013 - - SV-205635r569188_rule + - SV-254313r848755_rule - CCI-000067 - CCI-000172 - CAT2 @@ -1583,9 +1622,9 @@ - wn22_au_000210 tags: - WN22-AU-000210 - - V-205835 + - V-254314 - SRG-OS-000470-GPOS-00214 - - SV-205835r569188_rule + - SV-254314r848758_rule - CCI-000172 - CAT2 @@ -1597,9 +1636,9 @@ - wn22_au_000220 tags: - WN22-AU-000220 - - V-205836 + - V-254315 - SRG-OS-000470-GPOS-00214 - - SV-205836r569188_rule + - SV-254315r848761_rule - CCI-000172 - CAT2 @@ -1611,9 +1650,9 @@ - wn22_au_000230 tags: - WN22-AU-000230 - - V-205837 + - V-254316 - SRG-OS-000470-GPOS-00214 - - SV-205837r569188_rule + - SV-254316r848764_rule - CCI-000172 - CAT2 @@ -1633,9 +1672,9 @@ - wn22_au_000240 tags: - WN22-AU-000240 - - V-205840 + - V-254317 - SRG-OS-000474-GPOS-00219 - - SV-205840r569188_rule + - SV-254317r848767_rule - CCI-000172 - CAT2 
@@ -1655,9 +1694,9 @@ - wn22_au_000250 tags: - WN22-AU-000250 - - V-205841 + - V-254318 - SRG-OS-000474-GPOS-00219 - - SV-205841r569188_rule + - SV-254318r848770_rule - CCI-000172 - CAT2 @@ -1677,9 +1716,9 @@ - wn22_au_000260 tags: - WN22-AU-000260 - - V-205771 + - V-254319 - SRG-OS-000327-GPOS-00127 - - SV-205771r569188_rule + - SV-254319r848773_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1700,9 +1739,9 @@ - wn22_au_000270 tags: - WN22-AU-000270 - - V-205772 + - V-254320 - SRG-OS-000327-GPOS-00127 - - SV-205772r569188_rule + - SV-254320r848776_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1723,9 +1762,9 @@ - wn22_au_000280 tags: - WN22-AU-000280 - - V-205773 + - V-254321 - SRG-OS-000327-GPOS-00127 - - SV-205773r569188_rule + - SV-254321r848779_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1746,9 +1785,9 @@ - wn22_au_000290 tags: - WN22-AU-000290 - - V-205774 + - V-254322 - SRG-OS-000327-GPOS-00127 - - SV-205774r569188_rule + - SV-254322r848782_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1769,9 +1808,9 @@ - wn22_au_000300 tags: - WN22-AU-000300 - - V-205775 + - V-254323 - SRG-OS-000327-GPOS-00127 - - SV-205775r569188_rule + - SV-254323r848785_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1792,9 +1831,9 @@ - wn22_au_000310 tags: - WN22-AU-000310 - - V-205776 + - V-254324 - SRG-OS-000327-GPOS-00127 - - SV-205776r569188_rule + - SV-254324r848788_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1815,9 +1854,9 @@ - wn22_au_000320 tags: - WN22-AU-000320 - - V-205777 + - V-254325 - SRG-OS-000327-GPOS-00127 - - SV-205777r569188_rule + - SV-254325r848791_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1838,9 +1877,9 @@ - wn22_au_000330 tags: - WN22-AU-000330 - - V-205778 + - V-254326 - SRG-OS-000327-GPOS-00127 - - SV-205778r569188_rule + - SV-254326r848794_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1861,9 +1900,9 @@ - wn22_au_000340 tags: - WN22-AU-000340 - - V-205779 + - V-254327 - SRG-OS-000327-GPOS-00127 - - SV-205779r569188_rule + - SV-254327r848797_rule - CCI-000172 - CCI-002234 - CAT2 
@@ -1884,9 +1923,9 @@ - wn22_au_000350 tags: - WN22-AU-000350 - - V-205780 + - V-254328 - SRG-OS-000327-GPOS-00127 - - SV-205780r569188_rule + - SV-254328r848800_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1907,9 +1946,9 @@ - wn22_au_000360 tags: - WN22-AU-000360 - - V-205781 + - V-254329 - SRG-OS-000327-GPOS-00127 - - SV-205781r569188_rule + - SV-254329r848803_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1930,9 +1969,9 @@ - wn22_au_000370 tags: - WN22-AU-000370 - - V-205782 + - V-254330 - SRG-OS-000327-GPOS-00127 - - SV-205782r569188_rule + - SV-254330r848806_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1953,9 +1992,9 @@ - wn22_au_000380 tags: - WN22-AU-000380 - - V-205783 + - V-254331 - SRG-OS-000327-GPOS-00127 - - SV-205783r569188_rule + - SV-254331r848809_rule - CCI-000172 - CCI-002234 - CAT2 @@ -1976,9 +2015,9 @@ - wn22_au_000390 tags: - WN22-AU-000390 - - V-205784 + - V-254332 - SRG-OS-000327-GPOS-00127 - - SV-205784r569188_rule + - SV-254332r848812_rule - CCI-000172 - CCI-002234 - CAT2 From f95928fa44235313216b983be8445c05e90a511e Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 29 Jun 2023 16:34:41 -0400 Subject: [PATCH 29/95] update cat2-4 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 68 +++++++++++++++++++++++++------------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index b02a29e..7cf7a22 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -2033,9 +2033,9 @@ - wn22_cc_000010 tags: - WN22-CC-000010 - - V-205686 + - V-254333 - SRG-OS-000095-GPOS-00049 - - SV-205686r569188_rule + - SV-254333r848815_rule - CCI-000381 - CAT2 @@ -2049,9 +2049,9 @@ - wn22_cc_000020 tags: - WN22-CC-000020 - - V-205687 + - V-254334 - SRG-OS-000095-GPOS-00049 - - SV-205687r569188_rule + - SV-254334r848818_rule - CCI-000381 - CAT2 
@@ -2065,9 +2065,9 @@ - wn22_cc_000070 tags: - WN22-CC-000070 - - V-205861 + - V-254339 - SRG-OS-000480-GPOS-00227 - - SV-205861r569188_rule + - SV-254339r848833_rule - CCI-000366 - CAT2 @@ -2086,31 +2086,31 @@ - ansible_windows_domain_member tags: - WN22-CC-000080 - - V-205862 + - V-254340 - SRG-OS-000480-GPOS-00227 - - 205862r857311_rule + - SV-254340r848836_rule - CCI-000366 - CAT2 -- name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2022 command line data must be included in process creation events." +- name: "MEDIUM | WN22-CC-000090 | PATCH | Windows Server 2022 command line data must be included in process creation events." ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ value: ProcessCreationIncludeCmdLine_Enabled data: 1 datatype: dword when: - - wn22_cc_000100 + - wn22_cc_000090 tags: - - WN22-CC-000100 - - V-205638 + - WN22-CC-000090 + - V-254341 - SRG-OS-000042-GPOS-00020 - - SV-205638r569188_rule + - SV-254341r848839_rule - CCI-000135 - CAT2 -- name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2022 must be configured to enable Remote host allows delegation of non-exportable credentials." +- name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials." ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\ value: AllowProtectedCreds data: 1 datatype: dword @@ -2118,9 +2118,9 @@ - wn22_cc_000100 tags: - WN22-CC-000100 - - V-205863 + - V-254342 - SRG-OS-000480-GPOS-00227 - - SV-205863r569188_rule + - SV-254342r848842_rule - CCI-000366 - CAT2 
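Review bot: The renamed WN22-CC-000090 task now gates on `wn22_cc_000090`, but this commit touches only tasks/cat2.yml, so unless defaults/main.yml already declares that toggle the `when:` evaluates an undefined variable and the play errors out instead of skipping the control; the same question applies to `wn22_ms_000090`, `wn22_so_000070`, `wn22_so_000090` and `wn22_ur_000090` introduced by the later commits on this page, none of which add a default either. Either add `wn22_cc_000090: true` next to the other toggles in defaults/main.yml or guard with `wn22_cc_000090 | default(false)`. As a point of style, the two registry paths in this hunk gain a trailing backslash (`...\System\Audit\`, `...\CredentialsDelegation\`) while the untouched paths in the file have none; pick one convention.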
@@ -2139,9 +2139,9 @@ - ansible_windows_domain_member tags: - WN22-CC-000110 - - V-205864 + - V-254343 - SRG-OS-000480-GPOS-00227 - - SV-205864r857313_rule + - SV-254343r848845_rule - CCI-000366 - CAT2 @@ -2155,9 +2155,9 @@ - wn22_cc_000130 tags: - WN22-CC-000130 - - V-205865 + - V-254344 - SRG-OS-000480-GPOS-00227 - - SV-205865r569188_rule + - SV-254344r848848_rule - CCI-000366 - CAT2 @@ -2171,9 +2171,9 @@ - wn22_cc_000140 tags: - WN22-CC-000140 - - V-205866 + - V-254345 - SRG-OS-000480-GPOS-00227 - - SV-205866r569188_rule + - SV-254345r848851_rule - CCI-000366 - CAT2 @@ -2187,9 +2187,9 @@ - wn22_cc_000150 tags: - WN22-CC-000150 - - V-205688 + - V-254346 - SRG-OS-000095-GPOS-00049 - - SV-205688r569188_rule + - SV-254346r848854_rule - CCI-000381 - CAT2 @@ -2203,9 +2203,9 @@ - wn22_cc_000160 tags: - WN22-CC-000160 - - V-205689 + - V-254347 - SRG-OS-000095-GPOS-00049 - - SV-205689r569188_rule + - SV-254347r848857_rule - CCI-000381 - CAT2 @@ -2219,9 +2219,9 @@ - wn22_cc_000170 tags: - WN22-CC-000170 - - V-205690 + - V-254348 - SRG-OS-000095-GPOS-00049 - - SV-205690r569188_rule + - SV-254348r848860_rule - CCI-000381 - CAT2 @@ -2235,9 +2235,9 @@ - wn22_cc_000180 tags: - WN22-CC-000180 - - V-205867 + - V-254349 - SRG-OS-000480-GPOS-00227 - - SV-205867r569188_rule + - SV-254349r848863_rule - CCI-000366 - CAT2 @@ -2251,9 +2251,9 @@ - wn22_cc_000190 tags: - WN22-CC-000190 - - V-205868 + - V-254350 - SRG-OS-000480-GPOS-00227 - - SV-205868r569188_rule + - SV-254350r848866_rule - CCI-000366 - CAT2 From 1c55035c90ceb5fc8766bd9b4a8b01d51677a6db Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 30 Jun 2023 15:28:00 -0400 Subject: [PATCH 30/95] update cat2-5 Signed-off-by: Frederick Witty --- defaults/main.yml | 3 +- tasks/cat2.yml | 348 +++++++++++++++++++++++----------------------- 2 files changed, 176 insertions(+), 175 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 2d18dd1..24a81ba 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -198,8 +198,8 @@ wn22_cc_000410: true wn22_cc_000420: true wn22_cc_000440: true wn22_cc_000450: true -wn22_cc_000451: true wn22_cc_000460: true +wn22_cc_000530: true # WINRM CONTROL wn22_cc_000480: true wn22_cc_000490: true @@ -224,7 +224,6 @@ wn22_dc_000230: true wn22_dc_000240: true wn22_dc_000250: true wn22_dc_000260: true -wn22_dc_000270: true wn22_dc_000280: true wn22_dc_000310: true wn22_dc_000320: true diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 7cf7a22..6ded278 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -2267,9 +2267,9 @@ - wn22_cc_000240 tags: - WN22-CC-000240 - - V-205714 + - V-254355 - SRG-OS-000134-GPOS-00068 - - SV-205714r569188_rule + - SV-254355r848881_rule - CCI-001084 - CAT2 @@ -2283,9 +2283,9 @@ - wn22_cc_000250 tags: - WN22-CC-000250 - - V-205869 + - V-254356 - SRG-OS-000480-GPOS-00227 - - SV-205869r569188_rule + - SV-254356r916220_rule - CCI-000366 - CAT2 @@ -2311,9 +2311,9 @@ - wn22_cc_000270 tags: - WN22-CC-000270 - - V-205796 + - V-254358 - SRG-OS-000341-GPOS-00132 - - SV-205796r569188_rule + - SV-254358r877391_rule - CCI-001849 - CAT2 @@ -2339,9 +2339,9 @@ - wn22_cc_000280 tags: - WN22-CC-000280 - - V-205797 + - V-254359 - SRG-OS-000341-GPOS-00132 - - SV-205797r569188_rule + - SV-254359r877391_rule - CCI-001849 - CAT2 @@ -2367,10 +2367,11 @@ - wn22_cc_000290 tags: - WN22-CC-000290 - - V-93181 + - V-254360 - SRG-OS-000341-GPOS-00132 - - SV-103269r1 + - SV-254360r877391_rule - CCI-001849 + - CAT2 - name: "MEDIUM | WN22-CC-000300 | PATCH | Windows Server 2022 Windows Defender SmartScreen must be enabled." ansible.windows.win_regedit: @@ -2382,9 +2383,9 @@ - wn22_cc_000300 tags: - WN22-CC-000300 - - V-205798 + - V-254361 - SRG-OS-000095-GPOS-00049 - - SV-205798r569188_rule + - SV-254361r848899_rule - CCI-000381 - CAT2 @@ -2398,9 +2399,9 @@ - wn22_cc_000310 tags: - WN22-CC-000310 - - V-205830 + - V-254362 - SRG-OS-000433-GPOS-00192 - - SV-205830r569188_rule + - SV-254362r848902_rule - CCI-002824 - CAT2 
@@ -2414,9 +2415,9 @@ - wn22_cc_000330 tags: - WN22-CC-000330 - - V-205872 + - V-254364 - SRG-OS-000480-GPOS-00227 - - SV-205872r569188_rule + - SV-254364r848908_rule - CCI-000366 - CAT2 @@ -2430,9 +2431,9 @@ - wn22_cc_000340 tags: - WN22-CC-000340 - - V-205808 - - SRG-OS-000373-GPOS-00157 - - SV-205808r569188_rule + - V-254365 + - SRG-OS-000373-GPOS-00156 + - SV-254365r848911_rule - CCI-002038 - CAT2 @@ -2446,9 +2447,9 @@ - wn22_cc_000350 tags: - WN22-CC-000350 - - V-205722 + - V-254366 - SRG-OS-000138-GPOS-00069 - - SV-205722r569188_rule + - SV-254366r848914_rule - CCI-001090 - CAT2 @@ -2462,9 +2463,9 @@ - wn22_cc_000360 tags: - WN22-CC-000360 - - V-205809 - - SRG-OS-000373-GPOS-00157 - - SV-205809r569188_rule + - V-254367 + - SRG-OS-000373-GPOS-00156 + - SV-254367r848917_rule - CCI-002038 - CAT2 @@ -2478,9 +2479,9 @@ - wn22_cc_000370 tags: - WN22-CC-000370 - - V-92971 + - V-254368 - SRG-OS-000033-GPOS-00014 - - SV-103059r1 + - SV-254368r877398_rule - CCI-000068 - CCI-001453 - CAT2 @@ -2495,10 +2496,10 @@ - wn22_cc_000380 tags: - WN22-CC-000380 - - V-205636 + - V-254369 - SRG-OS-000033-GPOS-00014 - SRG-OS-000250-GPOS-00093 - - SV-205636r569188_rule + - SV-254369r877398_rule - CCI-000068 - CCI-001453 - CAT2 @@ -2513,9 +2514,9 @@ - wn22_cc_000390 tags: - WN22-CC-000390 - - V-205873 + - V-254370 - SRG-OS-000480-GPOS-00227 - - SV-205873r569188_rule + - SV-254370r848926_rule - CCI-000366 - CAT2 @@ -2529,9 +2530,9 @@ - wn22_cc_000400 tags: - WN22-CC-000400 - - V-205693 + - V-254371 - SRG-OS-000095-GPOS-00049 - - SV-205693r569188_rule + - SV-254371r848929_rule - CCI-000381 - CAT2 @@ -2545,9 +2546,9 @@ - wn22_cc_000410 tags: - WN22-CC-000410 - - V-205694 + - V-254372 - SRG-OS-000095-GPOS-00049 - - SV-205694r569188_rule + - SV-254372r848932_rule - CCI-000381 - CAT2 @@ -2561,9 +2562,9 @@ - wn22_cc_000420 tags: - WN22-CC-000420 - - V-205801 + - V-254373 - SRG-OS-000362-GPOS-00149 - - SV-205801r569188_rule + - SV-254373r848935_rule - CCI-001812 - CAT2 
@@ -2577,9 +2578,9 @@ - wn22_cc_000440 tags: - WN22-CC-000440 - - V-205874 + - V-254375 - SRG-OS-000480-GPOS-00227 - - SV-205874r569188_rule + - SV-254375r848941_rule - CCI-000366 - CAT2 @@ -2593,25 +2594,9 @@ - wn22_cc_000450 tags: - WN22-CC-000450 - - V-205925 + - V-254376 - SRG-OS-000480-GPOS-00229 - - SV-205925r569188_rule - - CCI-000366 - - CAT2 - -- name: "MEDIUM | WN22-CC-000451 | PATCH | The Windows Explorer Preview pane must be disabled for Windows Server 2022." - ansible.windows.win_regedit: - path: HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - value: NoPreviewPane - data: 1 - datatype: dword - when: - - wn22_cc_000451 - tags: - - WN22-CC-000451 - - V-236001 - - SRG-OS-000095-GPOS-00049 - - SV-236001r641821_rule + - SV-254376r877377_rule - CCI-000366 - CAT2 @@ -2625,9 +2610,9 @@ - wn22_cc_000460 tags: - WN22-CC-000460 - - V-205639 + - V-254377 - SRG-OS-000042-GPOS-00020 - - SV-205639r569188_rule + - SV-254377r848947_rule - CCI-000135 - CAT2 @@ -2642,9 +2627,9 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000480 - - V-205816 + - V-254379 - SRG-OS-000393-GPOS-00173 - - SV-205816r569188_rule + - SV-254379r877382_rule - CCI-002890 - CCI-003123 - CAT2 @@ -2659,9 +2644,9 @@ - wn22_cc_000490 tags: - WN22-CC-000490 - - V-205712 + - V-254380 - SRG-OS-000125-GPOS-00065 - - SV-205712r569188_rule + - SV-254380r877395_rule - CCI-000877 - CAT2 @@ -2676,9 +2661,9 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000510 - - V-205817 + - V-254382 - SRG-OS-000393-GPOS-00173 - - SV-205817r569188_rule + - SV-254382r877382_rule - CCI-002890 - CCI-003123 - CAT2 
@@ -2694,12 +2679,28 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000520 - - V-205810 - - SRG-OS-000373-GPOS-00157 - - SV-205810r569188_rule + - V-254383 + - SRG-OS-000373-GPOS-00156 + - SV-254383r848965_rule - CCI-002038 - CAT2 +- name: "MEDIUM | WN22-CC-000530 | PATCH | Windows Server 2022 must have PowerShell Transcription enabled." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\ + value: EnableTranscripting + data: 1 + datatype: dword + when: + - wn22_cc_000530 + tags: + - WN22-CC-000530 + - V-254384 + - SRG-OS-000041-GPOS-00019 + - SV-254384r848968_rule + - CCI-000134 + - CAT2 + - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced." block: - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced." @@ -2715,9 +2716,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000020 - - V-205702 + - V-254386 - SRG-OS-000112-GPOS-00057 - - SV-205702r569188_rule + - SV-254386r848974_rule - CCI-001941 - CCI-001942 - CAT2 @@ -2737,9 +2738,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000030 - - V-205703 + - V-254387 - SRG-OS-000112-GPOS-00057 - - SV-205703r569188_rule + - SV-254387r848977_rule - CCI-001941 - CCI-001942 - CAT2 @@ -2759,9 +2760,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000040 - - V-205704 + - V-254388 - SRG-OS-000112-GPOS-00057 - - SV-205704r569188_rule + - SV-254388r848980_rule - CCI-001941 - CCI-001942 - CAT2 @@ -2781,9 +2782,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000050 - - V-205705 + - V-254389 - SRG-OS-000112-GPOS-00057 - - SV-205705r569188_rule + - SV-254389r848983_rule - CCI-001941 - CCI-001942 - CAT2 
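Review bot: The new WN22-CC-000530 task turns transcription on by writing only `EnableTranscripting`; with no `OutputDirectory` value under the same key, PowerShell by default writes transcripts into each user's own Documents folder, where the same user can read, edit or delete them, so the evidence this control exists to produce is not protected. If the role wants transcripts that an investigator can rely on, add a second `ansible.windows.win_regedit` entry setting `OutputDirectory` to an ACL-restricted or centrally collected path, driven by a role variable (for example `win2022stig_powershell_transcript_dir`, a constructed name following the file's `win2022stig_*` pattern). The trailing backslash on `...\PowerShell\Transcription\` also differs from the untouched paths in this file.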
@@ -2803,9 +2804,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000060 - - V-205706 + - V-254390 - SRG-OS-000112-GPOS-00057 - - SV-205706r569188_rule + - SV-254390r848986_rule - CCI-001941 - CCI-001942 - CAT2 @@ -2825,9 +2826,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000120 - - V-205723 + - V-254396 - SRG-OS-000138-GPOS-00069 - - SV-205723r569188_rule + - SV-254396r849004_rule - CCI-001090 - CAT2 @@ -2846,9 +2847,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000130 - - V-205695 + - V-254397 - SRG-OS-000095-GPOS-00049 - - SV-205695r569188_rule + - SV-254397r849007_rule - CCI-000381 - CAT2 @@ -2867,9 +2868,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000140 - - V-205818 + - V-254398 - SRG-OS-000396-GPOS-00176 - - SV-205818r569188_rule + - SV-254398r877380_rule - CCI-002450 - CAT2 @@ -2888,9 +2889,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000170 - - V-205785 + - V-254401 - SRG-OS-000327-GPOS-00127 - - SV-205785r569188_rule + - SV-254401r849019_rule - CCI-000172 - CCI-002234 - CAT2 @@ -2910,9 +2911,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000180 - - V-205786 + - V-254402 - SRG-OS-000327-GPOS-00127 - - SV-205786r569188_rule + - SV-254402r849022_rule - CCI-000172 - CCI-002234 - CAT2 @@ -2932,9 +2933,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000190 - - V-205787 + - V-254403 - SRG-OS-000327-GPOS-00127 - - SV-205787r569188_rule + - SV-254403r849025_rule - CCI-000172 - CCI-002234 - CAT2 @@ -2954,9 +2955,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000200 - - V-205788 + - V-254404 - SRG-OS-000327-GPOS-00127 - - SV-205788r569188_rule + - SV-254404r849028_rule - CCI-000172 - CCI-002234 - CAT2 
@@ -2976,9 +2977,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000210 - - V-205789 + - V-254405 - SRG-OS-000327-GPOS-00127 - - WN22-DC-000210 + - SV-254405r849031_rule - CCI-000172 - CCI-002234 - CAT2 @@ -2998,9 +2999,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000220 - - V-205790 + - V-254406 - SRG-OS-000327-GPOS-00127 - - SV-205790r569188_rule + - SV-254406r849034_rule - CCI-000172 - CCI-002234 - CAT2 @@ -3022,14 +3023,14 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000230 - - V-205628 + - V-254407 - SRG-OS-000004-GPOS-00004 - SRG-OS-000239-GPOS-00089 - SRG-OS-000240-GPOS-00090 - SRG-OS-000241-GPOS-00091 - SRG-OS-000303-GPOS-00120 - SRG-OS-000476-GPOS-00221 - - SV-205628r569188_rule + - SV-254407r849037_rule - CCI-000018 - CCI-000172 - CCI-001403 @@ -3055,12 +3056,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000240 - - V-205791 + - V-254408 - SRG-OS-000327-GPOS-00127 - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - - SV-205791r569188_rule + - SV-254408r849040_rule - CCI-000172 - CCI-002234 - CAT2 @@ -3083,9 +3084,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000250 - - V-205792 + - V-254409 - SRG-OS-000327-GPOS-00127 - - SV-205792r569188_rule + - SV-254409r849043_rule - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 
@@ -3111,40 +3112,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000260 - - V-205793 + - V-254410 - SRG-OS-000327-GPOS-00127 - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - - SV-205793r569188_rule - - CCI-000172 - - CCI-002234 - - CAT2 - - NeedToTestDomainController - -- name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures." - block: - - name: "MEDIUM | WN22-DC-000270 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures." - ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - changed_when: false - failed_when: false - check_mode: false - register: wn22_dc_000270_audit - - - name: "MEDIUM | WN22-DC-000270 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes failures." - ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /failure:enable - when: "'Failure' not in wn22_dc_000270_audit.stdout" - when: - - wn22_dc_000270 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - WN22-DC-000270 - - V-205794 - - SRG-OS-000327-GPOS-00127 - - SRG-OS-000458-GPOS-00203 - - SRG-OS-000463-GPOS-00207 - - SRG-OS-000468-GPOS-00212 - - SV-205794r569188_rule + - SV-254410r849046_rule - CCI-000172 - CCI-002234 - CAT2 @@ -3165,9 +3138,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000280 - - V-205645 + - V-254412 - SRG-OS-000066-GPOS-00034 - - SV-205645r569188_rule + - SV-254412r849052_rule - CCI-000185 - CAT2 
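Review bot: Dropping the WN22-DC-000270 task removes the only place this file ran `/failure:enable` for the Directory Service Changes subcategory, and the new V-ID sequence skips V-254411 between WN22-DC-000260 (V-254410) and WN22-DC-000280 (V-254412), which suggests the STIG still carries a WN22-DC-000270 entry rather than having merged it away. The surviving WN22-DC-000260 block starts outside this hunk, so I cannot see whether it enables failures as well; confirm that it does, or that the V-254410 check text really no longer requires them, before failed directory modifications quietly stop being audited on the PDC. The commit message ("update cat2-5") should record whichever of these is the reason for the removal.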
@@ -3186,13 +3159,13 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000310 - - V-205701 + - V-254415 - SRG-OS-000105-GPOS-00052 - SRG-OS-000106-GPOS-00053 - SRG-OS-000107-GPOS-00054 - SRG-OS-000108-GPOS-00055 - SRG-OS-000375-GPOS-00160 - - SV-205701r569188_rule + - SV-254415r849355_rule - CCI-000765 - CCI-000766 - CCI-000767 @@ -3211,10 +3184,10 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000320 - - V-205820 + - V-254416 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - - SV-205820r569188_rule + - SV-254416r849064_rule - CCI-002418 - CCI-002421 - CAT2 @@ -3231,9 +3204,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000330 - - V-205876 + - V-254417 - SRG-OS-000480-GPOS-00227 - - SV-205876r569188_rule + - SV-254417r849067_rule - CCI-000366 - CAT2 - NeedToTestDomainController @@ -3251,9 +3224,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000340 - - V-205665 + - V-254418 - SRG-OS-000080-GPOS-00048 - - SV-205665r569188_rule + - SV-254418r849070_rule - CCI-000213 - CAT2 - NeedToTestDomainController @@ -3268,9 +3241,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000350 - - V-205744 + - V-254419 - SRG-OS-000324-GPOS-00125 - - SV-205744r569188_rule + - SV-254419r877392_rule - CCI-002235 - CAT2 - NeedToTestDomainController @@ -3285,9 +3258,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000360 - - V-205666 + - V-254420 - SRG-OS-000080-GPOS-00048 - - SV-205666r569188_rule + - SV-254420r849076_rule - CCI-000213 - CAT2 - NeedToTestDomainController @@ -3302,9 +3275,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000370 - - V-205667 + - V-254421 - SRG-OS-000080-GPOS-00048 - - SV-205667r569188_rule + - SV-254421r849079_rule - CCI-000213 - CAT2 - NeedToTestDomainController 
@@ -3319,9 +3292,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000380 - - V-205668 + - V-254422 - SRG-OS-000080-GPOS-00048 - - SV-205668r569188_rule + - SV-254422r849082_rule - CCI-000213 - CAT2 - NeedToTestDomainController @@ -3336,9 +3309,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000390 - - V-205669 + - V-254423 - SRG-OS-000080-GPOS-00048 - - SV-205669r569188_rule + - SV-254423r849085_rule - CCI-000213 - CAT2 - NeedToTestDomainController @@ -3353,9 +3326,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000400 - - V-205670 + - V-254424 - SRG-OS-000080-GPOS-00048 - - SV-205670r569188_rule + - SV-254424r849088_rule - CCI-000213 - CAT2 - NeedToTestDomainController @@ -3370,9 +3343,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000410 - - V-205732 + - V-254425 - SRG-OS-000297-GPOS-00115 - - SV-205732r569188_rule + - SV-254425r849091_rule - CCI-002314 - CAT2 - NeedToTestDomainController @@ -3387,9 +3360,9 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000420 - - V-205745 + - V-254426 - SRG-OS-000324-GPOS-00125 - - SV-205745r569188_rule + - SV-254426r877392_rule - CCI-002235 - CAT2 - NeedToTestDomainController @@ -3417,9 +3390,9 @@ - win2022stig_complexity_high tags: - WN22-DC-000430 - - V-205877 + - V-254427 - SRG-OS-000480-GPOS-00227 - - SV-205877r857315_rule + - SV-254427r849097_rule - CCI-000366 - NeedToTestDomainController - CAT2 @@ -3435,9 +3408,9 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000020 - - V-205715 + - V-254429 - SRG-OS-000134-GPOS-00068 - - SV-205715r857320_rule + - SV-254429r849103_rule - CCI-001084 - CAT2 - NeedToTestMemberServer 
@@ -3453,9 +3426,9 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000030 - - V-205696 + - V-254430 - SRG-OS-000095-GPOS-00049 - - SV-205696r857322_rule + - SV-254430r849106_rule - CCI-000381 - CAT2 - NeedToTestMemberServer @@ -3471,9 +3444,9 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000040 - - V-205814 + - V-254431 - SRG-OS-000379-GPOS-00164 - - SV-205814r860031_rule + - SV-254431r877039_rule - CCI-001967 - CAT2 @@ -3488,9 +3461,9 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000050 - - V-205906 + - V-254432 - SRG-OS-000480-GPOS-00227 - - SV-205906r857326_rule + - SV-254432r849112_rule - CCI-000366 - CAT2 @@ -3505,9 +3478,9 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000060 - - V-205747 + - V-254433 - SRG-OS-000324-GPOS-00125 - - SV-205747r860032_rule + - SV-254433r877392_rule - CCI-002235 - CAT2 @@ -3523,9 +3496,9 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000070 - - V-205671 + - V-254434 - SRG-OS-000080-GPOS-00048 - - SV-205671r857331_rule + - SV-254434r849118_rule - CCI-000213 - CAT2 
@@ -3554,9 +3527,38 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000080 - - V-205672 + - V-254435 + - SRG-OS-000080-GPOS-00048 + - SV-254435r849121_rule + - CCI-000213 + - CAT2 + - NeedToTestMemberServer + +- name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + block: + - name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + ansible.windows.win_user_right: + name: SeDenyBatchLogonRight + users: + - Enterprise Admins + - Domain Admins + action: set + when: ansible_windows_domain_role == "Member server" + + - name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." + ansible.windows.win_user_right: + name: SeDenyBatchLogonRight + users: Guests + action: set + when: not ansible_windows_domain_member + when: + - wn22_ms_000090 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-MS-000090 + - V-254436 - SRG-OS-000080-GPOS-00048 - - SV-205672r857333_rule + - SV-254436r849124_rule - CCI-000213 - CAT2 - NeedToTestMemberServer From 4de96cb57e414c20afebe661910587245d253526 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 3 Jul 2023 10:21:01 -0400 Subject: [PATCH 31/95] update cat2-6 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 173 ++++++++++++++++++++++++++----------------------- 1 file changed, 93 insertions(+), 80 deletions(-) 
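Review bot: On a domain-joined member server the new WN22-MS-000090 block ends up with SeDenyBatchLogonRight set to only Enterprise Admins and Domain Admins, because the first task uses `action: set` with just those two groups and the Guests task is gated on `not ansible_windows_domain_member`, so Guests is dropped exactly on the hosts where the first task runs; the task title itself says unauthenticated access must be denied "on all systems". Add `- Guests` to the first task's `users:` list so a domain member gets all three principals. A one-line comment that `action: set` replaces any locally assigned principals rather than appending would also help the next maintainer.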
diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 6ded278..7c63090 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -3586,28 +3586,9 @@ - wn22_ms_000100 tags: - WN22-MS-000100 - - V-205673 + - V-254437 - SRG-OS-000080-GPOS-00048 - - SV-205673r857335_rule - - CCI-000213 - - CAT2 - - NeedToTestMemberServer - -- name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2022 Deny log on as a service user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts. No other groups or accounts must be assigned this right." - ansible.windows.win_user_right: - name: SeDenyServiceLogonRight - users: - - Enterprise Admins - - Domain Admins - action: set - when: - - wn22_ms_000100 - - ansible_windows_domain_role == "Member server" - tags: - - WN22-MS-000100 - - V-205674 - - SRG-OS-000080-GPOS-00048 - - SV-205674r819709_rule + - SV-254437r890547_rule - CCI-000213 - CAT2 - NeedToTestMemberServer @@ -3635,9 +3616,9 @@ - wn22_ms_000110 tags: - WN22-MS-000110 - - V-205675 + - V-254438 - SRG-OS-000080-GPOS-00048 - - SV-205675r857337_rule + - SV-254438r849130_rule - CCI-000213 - CAT2 - NeedToTestMemberServer @@ -3666,9 +3647,9 @@ - wn22_ms_000120 tags: - WN22-MS-000120 - - V-205733 + - V-254439 - SRG-OS-000297-GPOS-00115 - - SV-205733r860033_rule + - SV-254439r849133_rule - CCI-002314 - CAT2 - NeedToTestMemberServer @@ -3682,9 +3663,9 @@ - wn22_ms_000130 tags: - WN22-MS-000130 - - V-205748 + - V-254440 - SRG-OS-000324-GPOS-00125 - - SV-205748r860034_rule + - SV-254440r877392_rule - CCI-002235 - CAT2 
@@ -3695,13 +3676,22 @@ changed_when: false check_mode: false register: wn22_PK_000010_audit + + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." + + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-PK-000010' when: - wn22_pk_000010 tags: - WN22-PK-000010 - - V-205648 + - V-254442 - SRG-OS-000066-GPOS-00034 - - SV-205648r819704_rule + - SV-254442r894653_rule - CCI-000185 - CCI-002470 - CAT2 @@ -3726,9 +3716,9 @@ - wn22_pk_000020 tags: - WN22-PK-000020 - - V-205649 + - V-254443 - SRG-OS-000066-GPOS-00034 - - SV-205649r857346_rule + - SV-254443r890553_rule - CCI-000185 - CCI-002470 - CAT2 @@ -3753,9 +3743,9 @@ - wn22_pk_000030 tags: - WN22-PK-000030 - - V-205650 + - V-254444 - SRG-OS-000066-GPOS-00034 - - SV-205650r573797_rule + - SV-254444r894343_rule - CCI-000185 - CCI-002470 - CAT2 @@ -3769,9 +3759,9 @@ - wn22_so_000010 tags: - WN22-SO-000010 - - V-205709 + - V-254445 - SRG-OS-000121-GPOS-00062 - - SV-205709r569188_rule + - SV-254445r849151_rule - CCI-000804 - CAT2 @@ -3803,9 +3793,9 @@ - wn22_so_000030 tags: - WN22-SO-000030 - - V-205909 + - V-254447 - SRG-OS-000480-GPOS-00227 - - SV-205909r569188_rule + - SV-254447r849157_rule - CCI-000366 - CAT2 @@ -3837,9 +3827,9 @@ - wn22_so_000040 tags: - WN22-SO-000040 - - V-205910 + - V-254448 - SRG-OS-000480-GPOS-00227 - - SV-205910r569188_rule + - SV-254448r849160_rule - CCI-000366 - CAT2 
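Review bot: The two new WN22-PK-000010 tasks raise the manual-task warning unconditionally: nothing in the hunk consults the `wn22_PK_000010_audit` result registered just above them, so the warning fires on every run even where the DoD root CA certificates are already installed and the control reads as a finding regardless of state. Gate both tasks on that audit output; the audit task starts outside this hunk, so the exact condition depends on what it returns. The register name `wn22_PK_000010_audit` also breaks the lower-case `wn22_<area>_<id>` convention every other variable in this file follows.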
@@ -3853,9 +3843,9 @@ - wn22_so_000050 tags: - WN22-SO-000050 - - V-205644 + - V-254449 - SRG-OS-000062-GPOS-00031 - - SV-205644r569188_rule + - SV-254449r849163_rule - CCI-000169 - CAT2 @@ -3870,10 +3860,30 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-SO-000060 - - V-205821 + - V-254450 + - SRG-OS-000423-GPOS-00187 + - SRG-OS-000424-GPOS-00188 + - SV-254450r849166_rule + - CCI-002418 + - CCI-002421 + - CAT2 + - NeedToTestMemberServer + +- name: "MEDIUM | WN22-SO-000070 | PATCH | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + value: SignSecureChannel + data: 1 + datatype: dword + when: + - wn22_so_000070 + - ansible_windows_domain_role == "Member server" + tags: + - WN22-SO-000070 + - V-254451 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - - SV-205821r569188_rule + - SV-254451r849169_rule - CCI-002418 - CCI-002421 - CAT2 
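Review bot: The new WN22-SO-000070 task is titled "Digitally encrypt secure channel data (when possible)" but writes `SignSecureChannel`, which is the Netlogon value behind "Digitally sign secure channel data (when possible)" — the setting WN22-SO-000080 already covers. As written the role never enables secure-channel encryption and merely duplicates the signing control, so a host stays non-compliant with the control it is tagged and reported for. Change it to `value: SealSecureChannel` and re-check the value name against the STIG check text for V-254451.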
@@ -3890,29 +3900,32 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-SO-000080 - - V-205823 + - V-254452 - SRG-OS-000423-GPOS-00187 - - SV-205823r569188_rule + - SRG-OS-000424-GPOS-00188 + - SV-254452r849172_rule - CCI-002418 - CCI-002421 - CAT2 - NeedToTestMemberServer -- name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 computer account password must not be prevented from being reset." +- name: "MEDIUM | WN22-SO-000090 | PATCH | Windows Server 2022 computer account password must not be prevented from being reset." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters value: DisablePasswordChange data: 0 datatype: dword when: - - wn22_so_000100 + - wn22_so_000090 + - ansible_windows_domain_role == "Member server" tags: - - WN22-SO-000100 - - V-205815 + - WN22-SO-000090 + - V-254453 - SRG-OS-000379-GPOS-00164 - - SV-205815r569188_rule + - SV-254453r877039_rule - CCI-001967 - CAT2 + - NeedToTestMemberServer - name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less." ansible.windows.win_regedit: @@ -3924,9 +3937,9 @@ - wn22_so_000100 tags: - WN22-SO-000100 - - V-205911 + - V-254454 - SRG-OS-000480-GPOS-00227 - - SV-205911r569188_rule + - SV-254454r849178_rule - CCI-000366 - CAT2 @@ -3940,9 +3953,9 @@ - wn22_so_000110 tags: - WN22-SO-000110 - - V-205824 + - V-254455 - SRG-OS-000423-GPOS-00187 - - SV-205824r569188_rule + - SV-254455r849181_rule - CCI-002418 - CCI-002421 - CAT2 @@ -3957,9 +3970,9 @@ - wn22_so_000120 tags: - WN22-SO-000120 - - V-205633 + - V-254456 - SRG-OS-000028-GPOS-00009 - - SV-205633r569188_rule + - SV-254456r849184_rule - CCI-000056 - CCI-000057 - CCI-000060 @@ -3975,9 +3988,9 @@ - wn22_so_000130 tags: - WN22-SO-000130 - - V-205631 + - V-254457 - SRG-OS-000023-GPOS-00006 - - SV-205631r569188_rule + - SV-254457r849187_rule - CCI-000048 - CCI-000050 - CCI-001384 
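Review bot: The renamed WN22-SO-000090 task now adds `ansible_windows_domain_role == "Member server"` to its `when:`, which excludes domain controllers; a DC also has a machine account whose password rotation `DisablePasswordChange` governs, and nothing on the page shows the STIG scoping this control to member servers. Unless the check text for V-254453 does, drop the new condition (or narrow it to exclude only stand-alone hosts) so DCs are not left with the setting unenforced. The `NeedToTestMemberServer` tag added in the same hunk suggests the scope was a working assumption; it belongs in the commit message rather than being inferred from the tag.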
@@ -3997,9 +4010,9 @@ - wn22_so_000150 tags: - WN22-SO-000150 - - V-205912 + - V-254459 - SRG-OS-000480-GPOS-00227 - - SV-205912r569188_rule + - SV-254459r849193_rule - CCI-000366 - CAT2 @@ -4013,10 +4026,10 @@ - wn22_so_000160 tags: - WN22-SO-000160 - - V-205825 + - V-254460 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - - SV-205825r569188_rule + - SV-254460r849196_rule - CCI-002418 - CCI-002421 - CAT2 @@ -4031,10 +4044,10 @@ - wn22_so_000170 tags: - WN22-SO-000170 - - V-205826 + - V-254461 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - - SV-205826r569188_rule + - SV-254461r849199_rule - CCI-002421 - CCI-002418 - CAT2 @@ -4049,9 +4062,9 @@ - wn22_so_000180 tags: - WN22-SO-000180 - - V-205655 + - V-254462 - SRG-OS-000074-GPOS-00042 - - SV-205655r569188_rule + - SV-254462r877396_rule - CCI-000197 - CAT2 @@ -4065,9 +4078,9 @@ - wn22_so_000190 tags: - WN22-SO-000190 - - V-205827 + - V-254463 - SRG-OS-000423-GPOS-00187 - - SV-205827r569188_rule + - SV-254463r849205_rule - CCI-002418 - CCI-002421 - CAT2 @@ -4082,9 +4095,9 @@ - wn22_so_000200 tags: - WN22-SO-000200 - - V-205828 + - V-254464 - SRG-OS-000423-GPOS-00187 - - SV-205828r569188_rule + - SV-254464r849208_rule - CCI-002418 - CCI-002421 - CAT2 @@ -4099,9 +4112,9 @@ - wn22_so_000240 tags: - WN22-SO-000240 - - V-205915 + - V-254468 - SRG-OS-000480-GPOS-00227 - - SV-205915r569188_rule + - SV-254468r849220_rule - CCI-000366 - CAT2 @@ -4115,9 +4128,9 @@ - wn22_so_000260 tags: - WN22-SO-000260 - - V-205916 + - V-254470 - SRG-OS-000480-GPOS-00227 - - SV-205916r569188_rule + - SV-254470r849226_rule - CCI-000366 - CAT2 @@ -4131,9 +4144,9 @@ - wn22_so_000270 tags: - WN22-SO-000270 - - V-205917 + - V-254471 - SRG-OS-000480-GPOS-00227 - - SV-205917r569188_rule + - SV-254471r849229_rule - CCI-000366 - CAT2 @@ -4147,9 +4160,9 @@ - wn22_so_000280 tags: - WN22-SO-000280 - - V-205918 + - V-254472 - SRG-OS-000480-GPOS-00227 - - SV-205918r569188_rule + - SV-254472r849232_rule - CCI-000366 - CAT2 
@@ -4163,9 +4176,9 @@ - wn22_so_000290 tags: - WN22-SO-000290 - - V-205708 + - V-254473 - SRG-OS-000120-GPOS-00061 - - WN22-SO-000290 + - SV-254473r849235_rule - CCI-000803 - CAT2 From 10217538f63f68d39b5152241b2267773c277416 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 3 Jul 2023 11:47:49 -0400 Subject: [PATCH 32/95] update cat2-7 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 145 +++++++++++++++++++++++++------------------------ 1 file changed, 74 insertions(+), 71 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 7c63090..f16b027 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -4192,9 +4192,9 @@ - wn22_so_000320 tags: - WN22-SO-000320 - - V-205920 + - V-254476 - SRG-OS-000480-GPOS-00227 - - SV-205920r569188_rule + - SV-254476r849244_rule - CCI-000366 - CAT2 @@ -4208,9 +4208,9 @@ - wn22_so_000330 tags: - WN22-SO-000330 - - V-205921 + - V-254477 - SRG-OS-000480-GPOS-00227 - - SV-205921r569188_rule + - SV-254477r849247_rule - CCI-000366 - CAT2 @@ -4224,9 +4224,9 @@ - wn22_so_000340 tags: - WN22-SO-000340 - - V-205922 + - V-254478 - SRG-OS-000480-GPOS-00227 - - SV-205922r569188_rule + - SV-254478r849250_rule - CCI-000366 - CAT2 @@ -4240,9 +4240,9 @@ - wn22_so_000350 tags: - WN22-SO-000350 - - V-205651 + - V-254479 - SRG-OS-000067-GPOS-00035 - - SV-205651r569188_rule + - SV-254479r849253_rule - CCI-000186 - CAT2 @@ -4256,9 +4256,9 @@ - wn22_so_000360 tags: - WN22-SO-000360 - - V-205842 - - SRG-OS-000480-GPOS-00227 - - SV-205842r569188_rule + - V-254480 + - SRG-OS-000478-GPOS-00223 + - SV-254480r877466_rule - CCI-002450 - CAT2 @@ -4272,9 +4272,9 @@ - wn22_so_000380 tags: - WN22-SO-000380 - - V-205811 - - SRG-OS-000373-GPOS-00157 - - SV-205811r569188_rule + - V-254482 + - SRG-OS-000373-GPOS-00156 + - SV-254482r849262_rule - CCI-002038 - CAT2 # - exclusions for server core? think its NA there 
@@ -4289,9 +4289,9 @@ - wn22_so_000390 tags: - WN22-SO-000390 - - V-205716 + - V-254483 - SRG-OS-000134-GPOS-00068 - - SV-205716r569188_rule + - SV-254483r849265_rule - CCI-001084 - CAT2 @@ -4305,9 +4305,9 @@ - wn22_so_000400 tags: - WN22-SO-000400 - - V-205717 + - V-254484 - SRG-OS-000134-GPOS-00068 - - SV-205717r569188_rule + - SV-254484r849268_rule - CCI-001084 - CAT2 @@ -4322,9 +4322,10 @@ - wn22_so_000410 tags: - WN22-SO-000410 - - V-205812 + - V-254485 - SRG-OS-000373-GPOS-00157 - - SV-205812r569188_rule + - SRG-OS-000373-GPOS-00156 + - SV-254485r849271_rule - CCI-002038 - CAT2 @@ -4338,9 +4339,9 @@ - wn22_so_000420 tags: - WN22-SO-000420 - - V-205718 + - V-254486 - SRG-OS-000134-GPOS-00068 - - SV-205718r569188_rule + - SV-254486r849274_rule - CCI-001084 - CAT2 @@ -4354,9 +4355,9 @@ - wn22_so_000430 tags: - WN22-SO-000430 - - V-205719 + - V-254487 - SRG-OS-000134-GPOS-00068 - - SV-205719r569188_rule + - SV-254487r849277_rule - CCI-001084 - CAT2 @@ -4370,9 +4371,10 @@ - wn22_so_000440 tags: - WN22-SO-000440 - - V-205813 + - V-254488 - SRG-OS-000373-GPOS-00157 - - SV-205813r569188_rule + - SRG-OS-000373-GPOS-00156 + - SV-254488r849280_rule - CCI-002038 - CAT2 @@ -4386,9 +4388,9 @@ - wn22_so_000450 tags: - WN22-SO-000450 - - V-205720 + - V-254489 - SRG-OS-000134-GPOS-00068 - - SV-205720r569188_rule + - SV-254489r849283_rule - CCI-001084 - CAT2 @@ -4402,9 +4404,9 @@ - wn22_uc_000010 tags: - WN22-UC-000010 - - V-205924 + - V-254490 - SRG-OS-000480-GPOS-00227 - - SV-205924r569188_rule + - SV-254490r849286_rule - CCI-000366 - CAT2 @@ -4418,9 +4420,9 @@ - wn22_ur_000010 tags: - WN22-UR-000010 - - V-205749 + - V-254491 - SRG-OS-000324-GPOS-00125 - - SV-205749r569188_rule + - SV-254491r877392_rule - CCI-002235 - CAT2 @@ -4433,9 +4435,9 @@ - wn22_ur_000030 tags: - WN22-UR-000030 - - V-205676 + - V-254493 - SRG-OS-000080-GPOS-00048 - - SV-205676r569188_rule + - SV-254493r849295_rule - CCI-000213 - CAT2 
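Review bot: The SRG tags for WN22-SO-000410 (and WN22-SO-000440 two hunks later) now carry both `SRG-OS-000373-GPOS-00157` and `-00156`, whereas the hunk for WN22-SO-000380 just before this one replaces `-00157` with `-00156` outright; all three controls map to the same CCI-002038, so the differing tag sets look accidental rather than deliberate. Because these tags drive `--tags` selection, a dropped SRG silently excludes SO-000380 from any run selected by `SRG-OS-000373-GPOS-00157`. If the current STIG really lists only `-00156` for SO-000380, a one-line comment next to its tags saying so would keep the next reader from "fixing" it; otherwise keep `- SRG-OS-000373-GPOS-00157` on SO-000380 alongside the new `- SRG-OS-000373-GPOS-00156`.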
@@ -4448,9 +4450,9 @@ - wn22_ur_000040 tags: - WN22-UR-000040 - - V-205751 + - V-254494 - SRG-OS-000324-GPOS-00125 - - SV-205751r569188_rule + - SV-254494r877392_rule - CCI-002235 - CAT2 @@ -4463,9 +4465,9 @@ - wn22_ur_000050 tags: - WN22-UR-000050 - - V-205752 + - V-254495 - SRG-OS-000324-GPOS-00125 - - SV-205752r569188_rule + - SV-254495r877392_rule - CCI-002235 - CAT2 @@ -4482,9 +4484,9 @@ - wn22_ur_000070 tags: - WN22-UR-000070 - - V-205754 + - V-254497 - SRG-OS-000324-GPOS-00125 - - SV-205754r569188_rule + - SV-254497r877392_rule - CCI-002235 - CAT2 @@ -4497,24 +4499,24 @@ - wn22_ur_000080 tags: - WN22-UR-000080 - - V-205755 + - V-254498 - SRG-OS-000324-GPOS-00125 - - SV-205755r569188_rule + - SV-254498r877392_rule - CCI-002235 - CAT2 -- name: "MEDIUM | WN22-UR-000100 | PATCH | Windows Server 2022 Create symbolic links user right must only be assigned to the Administrators group." +- name: "MEDIUM | WN22-UR-000090 | PATCH | Windows Server 2022 Create symbolic links user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeCreateSymbolicLinkPrivilege users: Administrators action: set when: - - wn22_ur_000100 + - wn22_ur_000090 tags: - - WN22-UR-000100 - - V-205756 + - WN22-UR-000090 + - V-254499 - SRG-OS-000324-GPOS-00125 - - SV-205756r569188_rule + - SV-254499r877392_rule - CCI-002235 - CAT2 @@ -4527,9 +4529,9 @@ - wn22_ur_000110 tags: - WN22-UR-000110 - - V-205758 + - V-254501 - SRG-OS-000324-GPOS-00125 - - SV-205758r569188_rule + - SV-254501r877392_rule - CCI-002235 - CAT2 @@ -4544,9 +4546,9 @@ - wn22_ur_000120 tags: - WN22-UR-000120 - - V-205759 + - V-254502 - SRG-OS-000324-GPOS-00125 - - SV-205759r569188_rule + - SV-254502r877392_rule - CCI-002235 - CAT2 @@ -4563,9 +4565,9 @@ - wn22_ur_000130 tags: - WN22-UR-000130 - - V-205760 + - V-254503 - SRG-OS-000324-GPOS-00125 - - SV-205760r569188_rule + - SV-254503r877392_rule - CCI-002235 - CAT2 
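Review bot: The symbolic-links task now gates on `wn22_ur_000090` and carries the WN22-UR-000090 tags, but this commit touches only tasks/cat2.yml (one file in the diffstat), so unless defaults/main.yml already defines it the `when:` clause will raise an undefined-variable error the first time the task is evaluated and abort the CAT2 run at this control. Rename the toggle in defaults/main.yml in the same change, e.g. `wn22_ur_000090: true` in place of `wn22_ur_000100: true`, so the task and its switch stay in step. Leaving `wn22_ur_000100` behind would also keep a dead toggle around that no longer controls anything.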
@@ -4578,9 +4580,9 @@ - wn22_ur_000140 tags: - WN22-UR-000140 - - V-205761 + - V-254504 - SRG-OS-000324-GPOS-00125 - - SV-205761r569188_rule + - SV-254504r877392_rule - CCI-002235 - CAT2 @@ -4593,9 +4595,9 @@ - wn22_ur_000150 tags: - WN22-UR-000150 - - V-205762 + - V-254505 - SRG-OS-000324-GPOS-00125 - - SV-205762r569188_rule + - SV-254505r877392_rule - CCI-002235 - CAT2 @@ -4608,10 +4610,11 @@ - wn22_ur_000160 tags: - WN22-UR-000160 - - V-205763 + - V-254506 - SRG-OS-000324-GPOS-00125 - - SV-205763r569188_rule + - SV-254506r877392_rule - CCI-002235 + - CCI-002824 - CAT2 - name: "MEDIUM | WN22-UR-000170 | PATCH | Windows Server 2022 Manage auditing and security log user right must only be assigned to the Administrators group." @@ -4623,9 +4626,9 @@ - wn22_ur_000170 tags: - WN22-UR-000170 - - V-205643 + - V-254507 - SRG-OS-000057-GPOS-00027 - - SV-205643r569188_rule + - SV-254507r849337_rule - CCI-000162 - CCI-000163 - CCI-000164 @@ -4642,9 +4645,9 @@ - wn22_ur_000180 tags: - WN22-UR-000180 - - V-205764 + - V-254508 - SRG-OS-000324-GPOS-00125 - - SV-205764r569188_rule + - SV-254508r877392_rule - CCI-002235 - CAT2 @@ -4657,9 +4660,9 @@ - wn22_ur_000190 tags: - WN22-UR-000190 - - V-205765 + - V-254509 - SRG-OS-000324-GPOS-00125 - - SV-205765r569188_rule + - SV-254509r877392_rule - CCI-002235 - CAT2 @@ -4672,9 +4675,9 @@ - wn22_ur_000200 tags: - WN22-UR-000200 - - V-205766 + - V-254510 - SRG-OS-000324-GPOS-00125 - - SV-205766r569188_rule + - SV-254510r877392_rule - CCI-002235 - CAT2 @@ -4687,9 +4690,9 @@ - wn22_ur_000210 tags: - WN22-UR-000210 - - V-205767 + - V-254511 - SRG-OS-000324-GPOS-00125 - - SV-205767r569188_rule + - SV-254511r877392_rule - CCI-002235 - CAT2 @@ -4702,8 +4705,8 @@ - wn22_ur_000220 tags: - WN22-UR-000220 - - V-205768 + - V-254512 - SRG-OS-000324-GPOS-00125 - - SV-205768r569188_rule + - SV-254512r877392_rule - CCI-002235 - CAT2 From e13767ed6ee6e1f2e1f7711e3c51de89b77a1bff Mon Sep 17 00:00:00 2001 
From: Frederick Witty Date: Wed, 5 Jul 2023 09:52:00 -0400 Subject: [PATCH 33/95] update cat2-8 Signed-off-by: Frederick Witty --- defaults/main.yml | 4 ++-- tasks/cat2.yml | 42 ++++++++++++++++++++++++++++++++++++++++-- tasks/cat3.yml | 40 ---------------------------------------- 3 files changed, 42 insertions(+), 44 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 24a81ba..0c16676 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -119,6 +119,8 @@ wn22_00_000410: true wn22_00_000420: true wn22_00_000430: true wn22_00_000450: true +wn22_00_000460: true +wn22_00_000470: true wn22_ac_000020: true wn22_ac_000030: wn22_ac_000020 wn22_ac_000010: wn22_ac_000030 @@ -313,8 +315,6 @@ wn22_ur_000220: true # CAT 3 rules wn22_00_000180: true wn22_00_000440: true -wn22_00_000460: true -wn22_00_000470: true wn22_cc_000030: true wn22_cc_000040: true wn22_cc_000050: true diff --git a/tasks/cat2.yml b/tasks/cat2.yml index f16b027..848dad1 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -278,7 +278,6 @@ - SV-254249r848563_rule - CCI-000366 - CAT2 - # think this is mcafee but need install and figure out paths for AV vs HIDS and/or running services? - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements." block: 
@@ -908,7 +907,46 @@ - SV-254282r848662_rule - CCI-000366 - CAT2 - # https://www.stigviewer.com/stig/windows_server_2016/2022-01-16/finding/V-78127 + +- name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + block: + - name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." + + - name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000460' + when: + - wn22_00_000460 + tags: + - WN22-00-000460 + - V-254283 + - SRG-OS-000480-GPOS-00227 + - SV-254283r848665_rule + - CCI-000366 + - CAT2 + +- name: "MEDIUM | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled." + block: + - name: "MEDIUM | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 must have Secure Boot enabled. " + + - name: "MEDIUM | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled. | import reuseable task." 
+ ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000470' + when: + - wn22_00_000470 + tags: + - WN22-00-000470 + - V-254284 + - SRG-OS-000480-GPOS-00227 + - SV-254284r848668_rule + - CCI-000366 + - CAT2 # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS. - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 772be1a..23a4e94 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml 
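Review bot: Both new AUDIT tasks print a fixed "manual task" warning and bump the warning counter whenever their toggle is true, so the role reports a finding on every host regardless of whether it actually boots in UEFI mode or with Secure Boot on — a compliant host and a legacy-BIOS host produce identical output, which is weak for a CAT2 control that is now treated as medium severity. Both facts are cheap to query on the target: `$env:firmware_type` returns `UEFI` or `Legacy`, and `Confirm-SecureBootUEFI` returns True/False on UEFI hosts (and throws on legacy BIOS, which is itself a finding). I would run the check first and raise the warning only when the result is non-compliant, as sketched below for WN22-00-000460; WN22-00-000470 follows the same shape with `Confirm-SecureBootUEFI` and a `!= 'True'` comparison. The existing task-level `when:`/`tags:` stay as they are.
```yaml
- name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS."
  block:
    - name: "MEDIUM | WN22-00-000460 | AUDIT | Query the firmware type reported by the OS."
      ansible.windows.win_shell: $env:firmware_type
      register: wn22_00_000460_firmware
      changed_when: false

    - name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have UEFI firmware and be configured to run in UEFI mode, not Legacy BIOS."
      ansible.builtin.debug:
        msg: "Warning!! Host reports firmware type '{{ wn22_00_000460_firmware.stdout | trim }}'. Windows Server 2022 systems must run in UEFI mode, not Legacy BIOS."
      when: (wn22_00_000460_firmware.stdout | trim) != 'UEFI'

    - name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have UEFI firmware and be configured to run in UEFI mode, not Legacy BIOS. | import reuseable task."
      ansible.builtin.import_tasks: warning_facts.yml
      vars:
        warn_control_id: 'WN22-00-000460'
      when: (wn22_00_000460_firmware.stdout | trim) != 'UEFI'
  # … unchanged: when / tags …
```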
@@ -111,46 +111,6 @@ - CCI-002385 - CAT3 -- name: "LOW | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." - block: - - name: "LOW | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS." - - - name: "LOW | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | import reuseable task." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-00-000460' - when: - - wn22_00_000460 - tags: - - WN22-00-000460 - - V-205856 - - SRG-OS-000480-GPOS-00227 - - SV-205856r569188_rule - - CCI-000366 - - CAT3 - -- name: "LOW | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled." - block: - - name: "LOW | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must have Secure Boot enabled. " - - - name: "LOW | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled. | import reuseable task." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-00-000470' - when: - - wn22_00_000470 - tags: - - WN22-00-000470 - - V-205857 - - SRG-OS-000480-GPOS-00227 - - SV-205857r569188_rule - - CCI-000366 - - CAT3 - - name: "LOW | WN22-CC-000030 | PATCH | Windows Server 2022 internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." 
ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters From 05ed9022bfdfa56c0c3098ef134d6d1850523cac Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 14:35:30 -0400 Subject: [PATCH 34/95] update cat2-9 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 1 - tasks/cat2_cloud.yml | 115 ------------------------------------------- tasks/prelim.yml | 12 ----- vars/main.yml | 3 -- 4 files changed, 131 deletions(-) delete mode 100644 tasks/cat2_cloud.yml diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 848dad1..85cdc2d 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1240,7 +1240,6 @@ - SV-254295r848701_rule - CCI-001851 - CAT2 - # hard one, either need to standardize on say log shipping like splunk or other is set? - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts." block: diff --git a/tasks/cat2_cloud.yml b/tasks/cat2_cloud.yml deleted file mode 100644 index 99956e3..0000000 --- a/tasks/cat2_cloud.yml +++ /dev/null 
@@ -1,115 +0,0 @@ ---- -# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS -# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." - block: - - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." - ansible.builtin.debug: - msg: - - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" - - "the notes for the variable and make the necessary change to the variable to be in compliance." - when: - - wn22stig_lockoutbadcount == 0 or - wn22stig_lockoutbadcount > 3 - - - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-AC-000020' - when: - - wn22stig_lockoutbadcount == 0 or - wn22stig_lockoutbadcount > 3 - - - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." - community.windows.win_security_policy: - section: System Access - key: LockoutBadCount - value: "{{ wn22stig_lockoutbadcount }}" - when: - - wn22stig_lockoutbadcount > 0 - - wn22stig_lockoutbadcount <= 3 - when: - - wn22_ac_000020 - tags: - - WN22-AC-000020 - - V-205629 - - SRG-OS-000021-GPOS-00005 - - SV-205629r569188_rule - - CCI-000044 - - CAT2_CLOUD2 - -- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." 
- block: - - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." - ansible.builtin.debug: - msg: - - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" - - "the notes for the variable and make the necessary change to the variable to be in compliance." - when: - - wn22stig_lockoutduration < 15 - - wn22stig_lockoutduration > 0 - - - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-AC-000010' - when: - - wn22stig_lockoutduration < 15 - - wn22stig_lockoutduration > 0 - - - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Apply Variable." - community.windows.win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ wn22stig_lockoutduration }}" - when: - - wn22stig_lockoutduration == 0 or - wn22stig_lockoutduration >= 15 - when: - - wn22_ac_000010 - tags: - - WN22-AC-000010 - - V-205795 - - SRG-OS-000329-GPOS-00128 - - SV-205795r569188_rule - - CCI-002238 - - CAT2_CLOUD2 - -# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." - block: - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." - ansible.builtin.debug: - msg: - - "Warning!! 
You have a invalid number of days set for wn22stig_resetlockoutcount please read" - - "the notes for the variable and make the necessary change to the variable to be in compliance." - when: - - wn22stig_resetlockoutcount > wn22stig_lockoutduration or - wn22stig_resetlockoutcount < 15 - - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-AC-000030' - when: - - wn22stig_resetlockoutcount > wn22stig_lockoutduration or - wn22stig_resetlockoutcount < 15 - - - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" - community.windows.win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ wn22stig_resetlockoutcount }}" - when: - - wn22stig_resetlockoutcount >= 15 - - wn22stig_resetlockoutcount <= wn22stig_lockoutduration - when: - - wn22_ac_000030 - tags: - - WN22-AC-000030 - - V-205630 - - SRG-OS-000021-GPOS-00005 - - SV-205630r569188_rule - - CCI-000044 - - CCI-002238 - - CAT2_CLOUD2 diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 6081b22..c158b12 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
@@ -8,18 +8,6 @@ tags: - always -# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for -# ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') -# This list is not complete and will be updated as we try on more cloud based services. -# As of now testing is working in azure using Hyper-V. We are curently using this for reference: -# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205 -- name: Set Fact If Cloud Based System. - ansible.builtin.set_fact: - win22stig_cloud_based_system: true - when: ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or ansible_virtualization_type == 'kvm' - tags: - - always - # 1 = disabled 0 = enabled # this reg key may be useful detect is secure conenctions enabled, etc? - name: "PRELIM | Detect if Remote Desktop Services (RDP) is Enabled" diff --git a/vars/main.yml b/vars/main.yml index 2e63a14..40411e4 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -7,6 +7,3 @@ warn_count: 0 # This sets the variable that is created for the banner. lockdown_banner: "{{lookup('file', './templates/banner.txt')}}" - -# This will be changed to true if discovered for cloud based systems. -wn19stig_cloud_based_system: false From 37cf2c20f8da46226181684329e344c7cd7580b5 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 14:46:36 -0400 Subject: [PATCH 35/95] update cat2-10 Signed-off-by: Frederick Witty --- tasks/main.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 09ea6f9..8324494 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -43,15 +43,6 @@ tags: - CAT1 -# We have found the order of these three tasks varies between cloud based instances -# and VM based instances. The task below breaks out to run in a different order -# for cloud based systems -- name: Execute the category 2 (medium severity) tasks for cloud based system - ansible.builtin.import_tasks: cat2_cloud.yml - when: ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or ansible_virtualization_type == 'kvm' - tags: - - CAT2_CLOUD2 - - name: Execute the category 2 (medium severity) tasks ansible.builtin.import_tasks: cat2.yml when: win2022stig_cat2_patch @@ -64,7 +55,6 @@ tags: - CAT3 - - name: If Warnings Found Output Count and Control IDs Affected ansible.builtin.debug: msg: From 1118ea2def5721095791f37c7b51fa234cc09b42 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 15:15:00 -0400 Subject: [PATCH 36/95] update ansible-lint1 Signed-off-by: Frederick Witty --- .ansible-lint | 1 + ChangeLog.md | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 ChangeLog.md diff --git a/.ansible-lint b/.ansible-lint index 64239e1..9a75749 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -14,6 +14,7 @@ skip_list: - 'jinja[spacing]' - 'yaml[line-length]' - 'var-naming' # Older playbook no new release + - 'key-order' - '204' - '208' - '305' diff --git a/ChangeLog.md b/ChangeLog.md new file mode 100644 index 0000000..d2b9a8b --- /dev/null +++ b/ChangeLog.md @@ -0,0 +1,5 @@ +# Changelog + +## Release 1.0.0 + +June 2023 Release From 2010917ecdd5b52f61c72b2663140f6e29018363 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 16:28:55 -0400 Subject: [PATCH 37/95] update ac-000020 with pause1 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 85cdc2d..c50f207 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -976,6 +976,10 @@ when: - wn22stig_lockoutbadcount > 0 - wn22stig_lockoutbadcount <= 3 + + - name: Pause for 3 minutes to finsh WN22-AC-000020 + ansible.builtin.pause: + minutes: '3' when: - wn22_ac_000020 - not win22stig_cloud_based_system @@ -987,6 +991,25 @@ - CCI-000044 - CAT2 +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" + community.windows.win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ wn22stig_resetlockoutcount }}" + when: + - wn22stig_resetlockoutcount >= 15 + when: + - wn22_ac_000030 + - not win22stig_cloud_based_system + tags: + - WN22-AC-000030 + - V-254287 + - SRG-OS-000021-GPOS-00005 + - SV-254287r848677_rule + - CCI-000044 + - CCI-002238 + - CAT2 + # below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." block: 
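Review bot: The new pause runs whenever `wn22_ac_000020` is true, including the branch where `wn22stig_lockoutbadcount` is 0 or greater than 3 and the Apply task immediately above it is skipped, so a misconfigured variable now costs a three-minute sleep that waits for a policy write that never happened. Guard the pause with the same condition as the apply step, `when: wn22stig_lockoutbadcount > 0 and wn22stig_lockoutbadcount <= 3`, and say in the task name why it exists, e.g. `Pause so secedit absorbs LockoutBadCount before LockoutDuration/ResetLockoutCount are valid keys`. The enclosing WN22-AC-000020 block starts before this hunk.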
@@ -1044,25 +1067,6 @@ when: - wn22stig_resetlockoutcount < 15 - - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" - community.windows.win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ wn22stig_resetlockoutcount }}" - when: - - wn22stig_resetlockoutcount >= 15 - when: - - wn22_ac_000030 - - not win22stig_cloud_based_system - tags: - - WN22-AC-000030 - - V-254287 - - SRG-OS-000021-GPOS-00005 - - SV-254287r848677_rule - - CCI-000044 - - CCI-002238 - - CAT2 - - name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered." community.windows.win_security_policy: section: System Access From 0d6d8a2909ac83ed5d6055fbaa4080ba00535017 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 16:47:29 -0400 Subject: [PATCH 38/95] update ac-000020 with pause2 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index c50f207..94b6609 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -982,7 +982,6 @@ minutes: '3' when: - wn22_ac_000020 - - not win22stig_cloud_based_system tags: - WN22-AC-000020 - V-254286 @@ -1000,7 +999,6 @@ - wn22stig_resetlockoutcount >= 15 when: - wn22_ac_000030 - - not win22stig_cloud_based_system tags: - WN22-AC-000030 - V-254287 @@ -1040,7 +1038,6 @@ wn22stig_lockoutduration >= 15 when: - wn22_ac_000010 - - not win22stig_cloud_based_system tags: - WN22-AC-000010 - V-254285 From 4b435c43cf4cf9e0e02da16612dc709638c2bbed Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 16:49:47 -0400 Subject: [PATCH 39/95] update ac-000020 with pause3 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 94b6609..5da7f84 100644 
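Review bot: The relocated WN22-AC-000030 task now writes ResetLockoutCount before WN22-AC-000010 sets LockoutDuration, and its `when:` checks only `wn22stig_resetlockoutcount >= 15`; the cloud variant deleted in the previous commit also required `wn22stig_resetlockoutcount <= wn22stig_lockoutduration`. Windows requires the reset window to be no longer than a non-zero lockout duration, so with this ordering the value is checked against whatever duration the host currently has rather than the one the role is about to set, and a rejection surfaces as a task failure rather than a warning; whether the secedit import path enforces this as strictly as the policy editor is worth verifying on a test host. I would restore the upper-bound check, `- wn22stig_resetlockoutcount <= wn22stig_lockoutduration or wn22stig_lockoutduration == 0`, and make the dependency on AC-000020 explicit with a retry instead of relying on the fixed pause in the preceding hunk, as below.
```yaml
- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable"
  community.windows.win_security_policy:
    section: System Access
    key: ResetLockoutCount
    value: "{{ wn22stig_resetlockoutcount }}"
  register: wn22_ac_000030_result
  # ResetLockoutCount is only a valid key once LockoutBadCount (WN22-AC-000020) is in the policy DB; retry rather than sleep
  until: wn22_ac_000030_result is succeeded
  retries: 12
  delay: 10
  # … unchanged: when / tags …
```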
--- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -977,9 +977,9 @@ - wn22stig_lockoutbadcount > 0 - wn22stig_lockoutbadcount <= 3 - - name: Pause for 3 minutes to finsh WN22-AC-000020 - ansible.builtin.pause: - minutes: '3' + - name: Pause for 3 minutes to finsh WN22-AC-000020 + ansible.builtin.pause: + minutes: '3' when: - wn22_ac_000020 tags: From ad713b774a157fc79437cd7c4beb0b9eab1a4ce6 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 17:04:17 -0400 Subject: [PATCH 40/95] update cat1 removed high from tags Signed-off-by: Frederick Witty --- tasks/cat1.yml | 29 ----------------------------- 1 file changed, 29 deletions(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index b99f705..73e3069 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -19,7 +19,6 @@ - SRG-OS-000066-GPOS-00034 - SV-254413r849055_rule - CCI-000185 - - high - CAT1 # add some task/external variable for approved CAs, check for DoD and how to pull programatically @@ -42,7 +41,6 @@ - SRG-OS-000066-GPOS-00034 - SV-254414r849058_rule - CCI-000185 - - high - CAT1 - name: "HIGH | WN22-AC-000090 | PATCH | Windows Server 2022 reversible password encryption must be disabled." @@ -58,7 +56,6 @@ - SRG-OS-000073-GPOS-00041 - SV-254293r877397_rule - CCI-000226 - - high - CAT1 - name: "HIGH | WN22-SO-000300 | PATCH | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords." @@ -75,7 +72,6 @@ - SRG-OS-000073-GPOS-00041 - SV-254474r877397_rule - CCI-000226 - - high - CAT1 - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." @@ -103,7 +99,6 @@ - SRG-OS-000080-GPOS-00048 - SV-254250r848566_rule - CCI-000213 - - high - CAT1 - name: "HIGH | WN22-CC-000470 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication." 
@@ -121,7 +116,6 @@ - SRG-OS-000125-GPOS-00065 - SV-254378r877395_rule - CCI-000877 - - high - CAT1 - name: "HIGH | WN22-CC-000500 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication." @@ -139,7 +133,6 @@ - SRG-OS-000125-GPOS-00065 - SV-254381r877395_rule - CCI-000877 - - high - CAT1 - name: "HIGH | WN22-SO-000230 | PATCH | Windows Server 2022 must not allow anonymous enumeration of shares." @@ -156,7 +149,6 @@ - SRG-OS-000138-GPOS-00069 - SV-254467r849217_rule - CCI-001090 - - high - CAT1 - name: "HIGH | WN22-SO-000250 | PATCH | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares." @@ -173,7 +165,6 @@ - SRG-OS-000138-GPOS-00069 - SV-254469r849223_rule - CCI-001090 - - high - CAT1 - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." @@ -204,7 +195,6 @@ - SV-254385r877392_rule - CCI-002235 - notest - - high - CAT1 - name: "HIGH | WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access." @@ -226,7 +216,6 @@ - SRG-OS-000324-GPOS-00125 - SV-254391r877392_rule - CCI-002235 - - high - CAT1 - name: "HIGH | WN22-DC-000080 | AUDIT | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions." @@ -248,7 +237,6 @@ - SRG-OS-000324-GPOS-00125 - SV-254392r877392_rule - CCI-002235 - - high - CAT1 - name: "HIGH | WN22-DC-000090 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions." @@ -270,7 +258,6 @@ - SRG-OS-000324-GPOS-00125 - SV-205741r569188_rule - CCI-002235 - - high - CAT1 - name: "HIGH | WN22-DC-000100 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions." 
@@ -292,7 +279,6 @@ - SRG-OS-000324-GPOS-00125 - SV-254394r877392_rule - CCI-002235 - - high - CAT1 - name: "HIGH | WN22-DC-000110 | AUDIT | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions." @@ -314,7 +300,6 @@ - SV-254395r877392_rule - SRG-OS-000324-GPOS-00125 - CCI-002235 - - high - CAT1 # populate a dictionary/list from customer @@ -347,7 +332,6 @@ - SV-254428r877392_rule - CCI-002235 - audit - - high - CAT1 - name: "HIGH | WN22-UR-000020 | PATCH | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts." @@ -363,7 +347,6 @@ - SRG-OS-000324-GPOS-00125 - SV-254492r877392_rule - CCI-002235 - - high - CAT1 - name: "HIGH | WN22-UR-000060 | PATCH | Windows Server 2022 Create a token object user right must not be assigned to any groups or accounts." @@ -398,7 +381,6 @@ - SRG-OS-000324-GPOS-00125 - SV-254500r877392_rule - CCI-002235 - - high - CAT1 - name: "HIGH | WN22-CC-000430 | PATCH | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option." @@ -416,7 +398,6 @@ - SRG-OS-000362-GPOS-00149 - SV-254374r848938_rule - CCI-001812 - - high - CAT1 - name: "HIGH | WN22-CC-000210 | PATCH | Windows Server 2022 AutoPlay must be turned off for non-volume devices." @@ -433,7 +414,6 @@ - SRG-OS-000368-GPOS-00154 - SV-254352r848872_rule - CCI-001764 - - high - CAT1 - name: "HIGH | WN22-CC-000220 | PATCH | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands." @@ -450,7 +430,6 @@ - SRG-OS-000368-GPOS-00154 - SV-254353r848875_rule - CCI-001764 - - high - CAT1 - name: "HIGH | WN22-CC-000230 | PATCH | Windows Server 2022 AutoPlay must be disabled for all drives." 
@@ -466,7 +445,6 @@ - SV-254354r848878_rule - SRG-OS-000368-GPOS-00154 - CCI-001764 - - high - CAT1 - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." @@ -487,7 +465,6 @@ - SRG-OS-000480-GPOS-00227 - SV-254240r848536_rule - CCI-000366 - - high - CAT1 - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access." @@ -509,7 +486,6 @@ - SRG-OS-000480-GPOS-00227 - SV-254399r849013_rule - CCI-000366 - - high - CAT1 - name: "HIGH | WN22-MS-000140 | PATCH | Windows Server 2022 must be running Credential Guard on domain-joined member servers." @@ -534,7 +510,6 @@ - SV-254441r849139_rule - CCI-000366 - NeedToTestMemberServer - - high - CAT1 - name: "HIGH | WN22-SO-000020 | PATCH | Windows Server 2022 must prevent local accounts with blank passwords from being used from the network." @@ -551,7 +526,6 @@ - SV-254446r849154_rule - SRG-OS-000480-GPOS-00227 - CCI-000366 - - high - CAT1 - name: "HIGH | WN22-SO-000210 | PATCH | Windows Server 2022 must not allow anonymous SID/Name translation." @@ -567,7 +541,6 @@ - SRG-OS-000480-GPOS-00227 - SV-254465r849211_rule - CCI-000366 - - high - CAT1 - name: "HIGH | WN22-SO-000220 | PATCH | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts." @@ -585,7 +558,6 @@ - SRG-OS-000480-GPOS-00227 - SV-254466r849214_rule - CCI-000366 - - high - CAT1 - name: "HIGH | WN22-SO-000310 | PATCH | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM." @@ -602,5 +574,4 @@ - SRG-OS-000480-GPOS-00227 - SV-254467r849217_rule - CCI-000366 - - high - CAT1 From 7cd67d00d7216fec8ae235ce76c769b6c6e59bfb Mon Sep 17 00:00:00 2001 
From: Frederick Witty Date: Thu, 6 Jul 2023 17:22:29 -0400 Subject: [PATCH 41/95] update cat2 pause to 2min Signed-off-by: Frederick Witty --- tasks/cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 5da7f84..6c1e3a2 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -977,9 +977,9 @@ - wn22stig_lockoutbadcount > 0 - wn22stig_lockoutbadcount <= 3 - - name: Pause for 3 minutes to finsh WN22-AC-000020 + - name: Pause for 2 minutes to finsh WN22-AC-000020 ansible.builtin.pause: - minutes: '3' + minutes: '2' when: - wn22_ac_000020 tags: From 3851eebaf89c49cd343861f8ebd5066878945e99 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 6 Jul 2023 17:24:28 -0400 Subject: [PATCH 42/95] update cat2 pause to 2min2 Signed-off-by: Frederick Witty --- defaults/main.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0c16676..e40a7ec 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -344,8 +344,6 @@ wn22stig_lockoutduration: 15 # and may not be set to 0. wn22stig_lockoutbadcount: 3 -win22stig_cloud_based_system: true - # WN22-AC-000030 # Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. # wn22stig_resetlockoutcount is the Reset account lockout counter after value in mintues. From c94088c7a93cb802e8575ec5eebd5c7f158d3543 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 7 Jul 2023 12:39:28 -0400 Subject: [PATCH 43/95] update cat1 order1 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 484 ++++++++++++++++++++++++------------------------- 1 file changed, 242 insertions(+), 242 deletions(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 73e3069..a4148a9 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
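Review bot: The renamed task still reads `finsh`, and nothing in the hunk records what the pause is waiting for, so the change from 3 to 2 minutes cannot be checked against any stated requirement. I would write `- name: Pause for 2 minutes to finish WN22-AC-000020` and put a comment above it naming the condition the delay is meant to let settle (the surrounding `wn22stig_lockoutbadcount` guards suggest it is tied to the lockout threshold, but that is a guess from context). If the wait is for a policy value to become effective, polling for it with `until`/`retries` would be more robust than a fixed sleep. The enclosing task list starts and ends outside the hunk.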
@@ -1,46 +1,50 @@ --- -- name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." +- name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." block: - - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | Message out" + - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Message out" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + msg: "Warning!! This is a manual task. Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." - - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." + - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | import reuseable task." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN22-DC-000290' + warn_control_id: 'WN22-00-000030' when: - - wn22_dc_000290 - - ansible_windows_domain_role == "Primary domain controller" + - wn22_00_000030 tags: - - WN22-DC-000290 - - V-254413 - - SRG-OS-000066-GPOS-00034 - - SV-254413r849055_rule - - CCI-000185 + - WN22-00-000030 + - V-254240 + - SRG-OS-000480-GPOS-00227 + - SV-254240r848536_rule + - CCI-000366 - CAT1 -# add some task/external variable for approved CAs, check for DoD and how to pull programatically -- name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." +- name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." block: - - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | Message out" - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." + - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." + ansible.windows.win_shell: Get-Volume + changed_when: false + failed_when: false + check_mode: false + register: wn22_00_000130_audit - - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." + - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out" + debug: + msg: "Warning!! This is a manual task. 
Windows Server 2022 local volumes must use a format that supports NTFS attributes." + + - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN22-DC-000300' + warn_control_id: 'WN22-00-000130' when: - - wn22_dc_000300 - - ansible_windows_domain_role == "Primary domain controller" + - wn22_00_000130 tags: - - WN22-DC-000300 - - V-254414 - - SRG-OS-000066-GPOS-00034 - - SV-254414r849058_rule - - CCI-000185 + - WN22-00-000130 + - V-205663 + - SRG-OS-000080-GPOS-00048 + - SV-254250r848566_rule + - CCI-000213 - CAT1 - name: "HIGH | WN22-AC-000090 | PATCH | Windows Server 2022 reversible password encryption must be disabled." 
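Review bot: The tags moved in for WN22-00-000130 mix ID families: `V-205663` sits next to `SV-254250r848566_rule`, while every other cat1 task pairs a V-2542xx–2545xx vuln ID with the matching SV-2542xx rule ID (e.g. `V-254240` / `SV-254240r848536_rule` just above). By that pattern the vuln ID would presumably be `V-254250`; verify it against the WN22 STIG XCCDF before changing it, since `--tags` filtering and compliance mapping key off these values. The 'Message out' task also uses bare `debug:` where the rest of the file uses `ansible.builtin.debug:`; I would use the FQCN for consistency. The WN22-AC-000090 task at the end of the hunk continues outside it.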
@@ -58,47 +62,68 @@ - CCI-000226 - CAT1 -- name: "HIGH | WN22-SO-000300 | PATCH | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords." +- name: "HIGH | WN22-CC-000210 | PATCH | Windows Server 2022 AutoPlay must be turned off for non-volume devices." ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa - value: NoLMHash + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + value: NoAutoplayfornonVolume data: 1 datatype: dword when: - - wn22_so_000300 + - wn22_cc_000210 tags: - - WN22-SO-000300 - - V-254474 - - SRG-OS-000073-GPOS-00041 - - SV-254474r877397_rule - - CCI-000226 + - WN22-CC-000210 + - V-254352 + - SRG-OS-000368-GPOS-00154 + - SV-254352r848872_rule + - CCI-001764 - CAT1 -- name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." - block: - - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." - ansible.windows.win_shell: Get-Volume - changed_when: false - failed_when: false - check_mode: false - register: wn22_00_000130_audit +- name: "HIGH | WN22-CC-000220 | PATCH | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + value: NoAutorun + data: 1 + datatype: dword + when: + - wn22_cc_000220 + tags: + - WN22-CC-000220 + - V-254353 + - SRG-OS-000368-GPOS-00154 + - SV-254353r848875_rule + - CCI-001764 + - CAT1 - - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out" - debug: - msg: "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format that supports NTFS attributes." +- name: "HIGH | WN22-CC-000230 | PATCH | Windows Server 2022 AutoPlay must be disabled for all drives." 
+ ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + name: NoDriveTypeAutoRun + data: 255 + datatype: dword + when: wn22_cc_000230 + tags: + - WN22-CC-000230 + - V-254354 + - SV-254354r848878_rule + - SRG-OS-000368-GPOS-00154 + - CCI-001764 + - CAT1 - - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-00-000130' +- name: "HIGH | WN22-CC-000430 | PATCH | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer + state: present + value: AlwaysInstallElevated + data: 0 + datatype: dword when: - - wn22_00_000130 + - wn22_cc_000430 tags: - - WN22-00-000130 - - V-205663 - - SRG-OS-000080-GPOS-00048 - - SV-254250r848566_rule - - CCI-000213 + - WN22-CC-000430 + - V-254374 + - SRG-OS-000362-GPOS-00149 + - SV-254374r848938_rule + - CCI-001812 - CAT1 - name: "HIGH | WN22-CC-000470 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication." 
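Review bot: WN22-CC-000230 is written differently from the three win_regedit tasks around it: it uses `name: NoDriveTypeAutoRun` where the others use `value:` (both are accepted spellings of the same parameter in ansible.windows.win_regedit, if I recall the module correctly) and a scalar `when: wn22_cc_000230` where the others use a list. Since this commit is already a reorder, I would normalise to `value: NoDriveTypeAutoRun` and the list form so the AutoPlay/Installer tasks read the same. WN22-CC-000430 is likewise the only one spelling out `state: present`; either add it everywhere or drop it here. The WN22-CC-000470 task at the end of the hunk continues outside it.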
@@ -135,38 +160,6 @@ - CCI-000877 - CAT1 -- name: "HIGH | WN22-SO-000230 | PATCH | Windows Server 2022 must not allow anonymous enumeration of shares." - ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa - value: RestrictAnonymous - data: 1 - datatype: dword - when: - - wn22_so_000230 - tags: - - WN22-SO-000230 - - V-254467 - - SRG-OS-000138-GPOS-00069 - - SV-254467r849217_rule - - CCI-001090 - - CAT1 - -- name: "HIGH | WN22-SO-000250 | PATCH | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares." - ansible.windows.win_regedit: - path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters - value: restrictnullsessaccess - data: 1 - datatype: dword - when: - - wn22_so_000250 - tags: - - WN22-SO-000250 - - V-254469 - - SRG-OS-000138-GPOS-00069 - - SV-254469r849223_rule - - CCI-001090 - - CAT1 - - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." block: - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." 
@@ -302,6 +295,70 @@ - CCI-002235 - CAT1 +- name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access." + block: + - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access." + + - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000150' + when: + - wn22_dc_000150 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-DC-000150 + - V-254399 + - SRG-OS-000480-GPOS-00227 + - SV-254399r849013_rule + - CCI-000366 + - CAT1 + +- name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + block: + - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." + + - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." 
+ ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000290' + when: + - wn22_dc_000290 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-DC-000290 + - V-254413 + - SRG-OS-000066-GPOS-00034 + - SV-254413r849055_rule + - CCI-000185 + - CAT1 + +# add some task/external variable for approved CAs, check for DoD and how to pull programatically +- name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." + block: + - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | Message out" + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." + + - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000300' + when: + - wn22_dc_000300 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - WN22-DC-000300 + - V-254414 + - SRG-OS-000066-GPOS-00034 + - SV-254414r849058_rule + - CCI-000185 + - CAT1 + # populate a dictionary/list from customer - name: "HIGH | WN22-MS-000010 | AUDIT | Windows Server 2022 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system" block: 
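Review bot: The three DC-scoped audits moved in here (WN22-DC-000150/000290/000300) are gated on `ansible_windows_domain_role == "Primary domain controller"`, and as far as I know that fact mirrors Win32_ComputerSystem.DomainRole, where only the PDC-emulator holder reports that value and every other domain controller reports "Backup domain controller". If that is right, these CAT1 checks are silently skipped on all but one DC in a multi-DC domain; `ansible_windows_domain_role in ["Primary domain controller", "Backup domain controller"]` would cover both. The same gate is used on the other DC-* tasks in this file, so it is worth fixing them together. The WN22-MS-000010 block at the end of the hunk continues outside it.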
@@ -334,160 +391,6 @@ - audit - CAT1 -- name: "HIGH | WN22-UR-000020 | PATCH | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts." - ansible.windows.win_user_right: - name: SeTcbPrivilege - users: [] - action: set - when: - - wn22_ur_000020 - tags: - - WN22-UR-000020 - - V-254492 - - SRG-OS-000324-GPOS-00125 - - SV-254492r877392_rule - - CCI-002235 - - CAT1 - -- name: "HIGH | WN22-UR-000060 | PATCH | Windows Server 2022 Create a token object user right must not be assigned to any groups or accounts." - community.windows.win_security_policy: - section: Privilege Rights - key: SeCreateTokenPrivilege - value: "" - when: - - wn22_ur_000060 - tags: - - WN22-UR-000060 - - V-254496 - - SRG-OS-000324-GPOS-00125 - - SV-254496r877392_rule - - CCI-002235 - - CAT1 - -# fails openscap - the v1r10 xml checks for "Administrators" string but secedit uses the SIDs thus -# "SeDebugPrivilege = *S-1-5-32-544" is Administrators (openscap fails) -# emailed_disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil -# SCC tool works -- name: "HIGH | WN22-UR-000100 | PATCH | Windows Server 2022 Debug programs: user right must only be assigned to the Administrators group." - ansible.windows.win_user_right: - name: SeDebugPrivilege - users: Administrators - action: set - when: - - wn22_ur_000100 - tags: - - WN22-UR-000100 - - V-254500 - - SRG-OS-000324-GPOS-00125 - - SV-254500r877392_rule - - CCI-002235 - - CAT1 - -- name: "HIGH | WN22-CC-000430 | PATCH | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option." 
- ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer - state: present - value: AlwaysInstallElevated - data: 0 - datatype: dword - when: - - wn22_cc_000430 - tags: - - WN22-CC-000430 - - V-254374 - - SRG-OS-000362-GPOS-00149 - - SV-254374r848938_rule - - CCI-001812 - - CAT1 - -- name: "HIGH | WN22-CC-000210 | PATCH | Windows Server 2022 AutoPlay must be turned off for non-volume devices." - ansible.windows.win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - value: NoAutoplayfornonVolume - data: 1 - datatype: dword - when: - - wn22_cc_000210 - tags: - - WN22-CC-000210 - - V-254352 - - SRG-OS-000368-GPOS-00154 - - SV-254352r848872_rule - - CCI-001764 - - CAT1 - -- name: "HIGH | WN22-CC-000220 | PATCH | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands." - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - value: NoAutorun - data: 1 - datatype: dword - when: - - wn22_cc_000220 - tags: - - WN22-CC-000220 - - V-254353 - - SRG-OS-000368-GPOS-00154 - - SV-254353r848875_rule - - CCI-001764 - - CAT1 - -- name: "HIGH | WN22-CC-000230 | PATCH | Windows Server 2022 AutoPlay must be disabled for all drives." - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer - name: NoDriveTypeAutoRun - data: 255 - datatype: dword - when: wn22_cc_000230 - tags: - - WN22-CC-000230 - - V-254354 - - SV-254354r848878_rule - - SRG-OS-000368-GPOS-00154 - - CCI-001764 - - CAT1 - -- name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." 
- block: - - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | Message out" - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email." - - - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | import reuseable task." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-00-000030' - when: - - wn22_00_000030 - tags: - - WN22-00-000030 - - V-254240 - - SRG-OS-000480-GPOS-00227 - - SV-254240r848536_rule - - CCI-000366 - - CAT1 - -- name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access." - block: - - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | Message out" - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access." - - - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | import reuseable task." 
- ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-DC-000150' - when: - - wn22_dc_000150 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - WN22-DC-000150 - - V-254399 - - SRG-OS-000480-GPOS-00227 - - SV-254399r849013_rule - - CCI-000366 - - CAT1 - - name: "HIGH | WN22-MS-000140 | PATCH | Windows Server 2022 must be running Credential Guard on domain-joined member servers." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard 
@@ -560,6 +463,54 @@ - CCI-000366 - CAT1 +- name: "HIGH | WN22-SO-000230 | PATCH | Windows Server 2022 must not allow anonymous enumeration of shares." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + value: RestrictAnonymous + data: 1 + datatype: dword + when: + - wn22_so_000230 + tags: + - WN22-SO-000230 + - V-254467 + - SRG-OS-000138-GPOS-00069 + - SV-254467r849217_rule + - CCI-001090 + - CAT1 + +- name: "HIGH | WN22-SO-000250 | PATCH | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares." + ansible.windows.win_regedit: + path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters + value: restrictnullsessaccess + data: 1 + datatype: dword + when: + - wn22_so_000250 + tags: + - WN22-SO-000250 + - V-254469 + - SRG-OS-000138-GPOS-00069 + - SV-254469r849223_rule + - CCI-001090 + - CAT1 + +- name: "HIGH | WN22-SO-000300 | PATCH | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa + value: NoLMHash + data: 1 + datatype: dword + when: + - wn22_so_000300 + tags: + - WN22-SO-000300 + - V-254474 + - SRG-OS-000073-GPOS-00041 + - SV-254474r877397_rule + - CCI-000226 + - CAT1 + - name: "HIGH | WN22-SO-000310 | PATCH | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM." ansible.windows.win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa 
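Review bot: WN22-SO-000300 sets `NoLMHash` but nothing notes that, as Microsoft documents, this only stops an LM hash being stored the next time a password is changed; any LM hash already in the local SAM or in AD persists until that account's password is rotated, so the control is not effective for existing accounts on its own. I would add `# NoLMHash only takes effect at the next password change; existing LM hashes persist until passwords are rotated` above the task so operators do not treat the registry write as the complete remediation. The WN22-SO-000310 task at the end of the hunk continues outside it.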
@@ -575,3 +526,52 @@ - SV-254467r849217_rule - CCI-000366 - CAT1 + +- name: "HIGH | WN22-UR-000020 | PATCH | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts." + ansible.windows.win_user_right: + name: SeTcbPrivilege + users: [] + action: set + when: + - wn22_ur_000020 + tags: + - WN22-UR-000020 + - V-254492 + - SRG-OS-000324-GPOS-00125 + - SV-254492r877392_rule + - CCI-002235 + - CAT1 + +- name: "HIGH | WN22-UR-000060 | PATCH | Windows Server 2022 Create a token object user right must not be assigned to any groups or accounts." + community.windows.win_security_policy: + section: Privilege Rights + key: SeCreateTokenPrivilege + value: "" + when: + - wn22_ur_000060 + tags: + - WN22-UR-000060 + - V-254496 + - SRG-OS-000324-GPOS-00125 + - SV-254496r877392_rule + - CCI-002235 + - CAT1 + +# fails openscap - the v1r10 xml checks for "Administrators" string but secedit uses the SIDs thus +# "SeDebugPrivilege = *S-1-5-32-544" is Administrators (openscap fails) +# emailed_disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil +# SCC tool works +- name: "HIGH | WN22-UR-000100 | PATCH | Windows Server 2022 Debug programs: user right must only be assigned to the Administrators group." + ansible.windows.win_user_right: + name: SeDebugPrivilege + users: Administrators + action: set + when: + - wn22_ur_000100 + tags: + - WN22-UR-000100 + - V-254500 + - SRG-OS-000324-GPOS-00125 + - SV-254500r877392_rule + - CCI-002235 + - CAT1 From c64861271ae69e600c111323e25de67ebe81382b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 7 Jul 2023 14:41:12 -0400 Subject: [PATCH 44/95] update cat3 order1 Signed-off-by: Frederick Witty --- tasks/cat3.yml | 145 +++++++++++++++++++++++++------------------------ 1 file changed, 73 insertions(+), 72 deletions(-) diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 23a4e94..debc8ae 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml 
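Review bot: WN22-UR-000060 is the only user-right task here implemented with `community.windows.win_security_policy` (`section: Privilege Rights`, `value: ""`), while WN22-UR-000020 and WN22-UR-000100 use `ansible.windows.win_user_right`; my recollection is that the win_security_policy docs steer Privilege Rights changes to win_user_right, and clearing a privilege by writing an empty string through secedit is the less obvious of the two forms. I would rewrite it as `ansible.windows.win_user_right:` with `name: SeCreateTokenPrivilege`, `users: []`, `action: set`, matching its neighbours. Separately, the context lines at the top of the hunk show WN22-SO-000310 tagged `SV-254467r849217_rule`, which is the rule ID WN22-SO-000230 carries; the LAN Manager authentication level control presumably has its own SV ID and should be checked against the STIG.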
@@ -1,24 +1,4 @@ --- -- name: "LOW | WN22-SO-000140 | PATCH | Windows Server 2022 title for the legal banner must be configured with the appropriate text." - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - value: LegalNoticeCaption - data: "{{ wn22stig_legalnoticecaption }}" - datatype: string - when: - - wn22_so_000140 - tags: - - WN22-SO-000140 - - V-205632 - - SRG-OS-000023-GPOS-00006 - - SRG-OS-000228-GPOS-00088 - - SV-205632r569188_rule - - CCI-000048 - - CCI-001384 - - CCI-001385 - - CCI-001386 - - CCI-001387 - - CCI-001388 - name: "LOW | WN22-00-000180 | AUDIT | Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares." block: 
@@ -40,42 +20,6 @@ - CCI-000213 - CAT3 -- name: "LOW | WN22-CC-000200 | PATCH | Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat - value: DisableInventory - data: 1 - datatype: dword - when: - - wn22_cc_000200 - tags: - - WN22-CC-000200 - - V-205691 - - SRG-OS-000095-GPOS-00049 - - SV-205691r569188_rule - - CCI-000381 - - CAT3 - -- name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." - block: - - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." - - - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. | import reuseable task." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-DC-000160' - when: - - wn22_dc_000160 - tags: - - WN22-DC-000160 - - V-205726 - - SRG-OS-000163-GPOS-00072 - - SV-205726r569188_rule - - CCI-001133 - - CAT3 - - name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source." block: - name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source." 
@@ -95,22 +39,6 @@ - CCI-001891 - CAT3 -- name: "LOW | WN22-CC-000060 | PATCH | Windows Server 2022 Must be configured to ignore NetBIOS name release requests except from WINS servers." - ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters - value: NoNameReleaseOnDemand - data: 1 - datatype: dword - when: - - wn22_cc_000060 - tags: - - WN22-CC-000060 - - V-205822 - - SRG-OS-000420-GPOS-00186 - - SV-205822r569188_rule - - CCI-002385 - - CAT3 - - name: "LOW | WN22-CC-000030 | PATCH | Windows Server 2022 internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters @@ -159,6 +87,38 @@ - CCI-000366 - CAT3 +- name: "LOW | WN22-CC-000060 | PATCH | Windows Server 2022 Must be configured to ignore NetBIOS name release requests except from WINS servers." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters + value: NoNameReleaseOnDemand + data: 1 + datatype: dword + when: + - wn22_cc_000060 + tags: + - WN22-CC-000060 + - V-205822 + - SRG-OS-000420-GPOS-00186 + - SV-205822r569188_rule + - CCI-002385 + - CAT3 + +- name: "LOW | WN22-CC-000200 | PATCH | Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat + value: DisableInventory + data: 1 + datatype: dword + when: + - wn22_cc_000200 + tags: + - WN22-CC-000200 + - V-205691 + - SRG-OS-000095-GPOS-00049 + - SV-205691r569188_rule + - CCI-000381 + - CAT3 + - name: "LOW | WN22-CC-000260 | PATCH | Windows Server 2022 Windows Update must not obtain updates from other PCs on the Internet." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization 
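Review bot: The tags on the two tasks moved in here, `V-205822` / `SV-205822r569188_rule` and `V-205691` / `SV-205691r569188_rule`, do not fit the WN22 numbering cat1 uses (V-2542xx–2545xx with r84xxxx/r87xxxx revisions); they look like Windows Server 2019 STIG IDs carried over, and the other cat3 tasks in this diff show the same pattern. Since tag filtering and reporting key off these IDs, I would verify each against the current WN22 STIG XCCDF and correct them in a dedicated commit rather than leaving them to ride along with the reorder. The WN22-CC-000260 task at the end of the hunk continues outside it.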
@@ -195,6 +155,47 @@ - SRG-OS-000480-GPOS-00227 - CAT3 +- name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + block: + - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + ansible.builtin.debug: + msg: "Warning!! This is a manual task. Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." + + - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. | import reuseable task." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-DC-000160' + when: + - wn22_dc_000160 + tags: + - WN22-DC-000160 + - V-205726 + - SRG-OS-000163-GPOS-00072 + - SV-205726r569188_rule + - CCI-001133 + - CAT3 + +- name: "LOW | WN22-SO-000140 | PATCH | Windows Server 2022 title for the legal banner must be configured with the appropriate text." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + value: LegalNoticeCaption + data: "{{ wn22stig_legalnoticecaption }}" + datatype: string + when: + - wn22_so_000140 + tags: + - WN22-SO-000140 + - V-205632 + - SRG-OS-000023-GPOS-00006 + - SRG-OS-000228-GPOS-00088 + - SV-205632r569188_rule + - CCI-000048 + - CCI-001384 + - CCI-001385 + - CCI-001386 + - CCI-001387 + - CCI-001388 + - name: "LOW | WN22-SO-000370 | PATCH | Windows Server 2022 default permissions of global system objects must be strengthened." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager 
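Review bot: The new WN22-SO-000140 task (LegalNoticeCaption) is the only task in this hunk whose tag list ends without `- CAT3`, so a run invoked with `--tags CAT3` will skip it while the surrounding LOW controls run; add `- CAT3` after `- CCI-001388`. The task also renders `{{ wn22stig_legalnoticecaption }}`, and defaults/main.yml is not part of this hunk, so make sure that variable is declared there with a sensible default rather than failing as undefined on first use.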
From 0a96339d88d11043a8743b83f6aeb16d8bd502db Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Mon, 10 Jul 2023 16:23:01 -0400 Subject: [PATCH 45/95] update cat1-1 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index a4148a9..2d371b1 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -23,7 +23,7 @@ - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." block: - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." - ansible.windows.win_shell: Get-Volume + ansible.windows.win_shell: '[System.IO.DriveInfo]::GetDrives() | Format-Table' changed_when: false failed_when: false check_mode: false @@ -31,7 +31,9 @@ - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out" debug: - msg: "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format that supports NTFS attributes." + msg: + - "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format that supports NTFS attributes." + - "{{ wn22_00_000130_audit.stdout.split('\n') }}" - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml From ff92aafc7c23620b5a0f0f28b4c0d73d4a6c13c0 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 11 Jul 2023 08:18:09 -0400 Subject: [PATCH 46/95] removed pause Signed-off-by: Frederick Witty --- tasks/cat2.yml | 3 --- tasks/main.yml | 9 ++------- 2 files changed, 2 insertions(+), 10 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 6c1e3a2..21a76e0 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
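Review bot: Switching the WN22-00-000130 audit from `Get-Volume` to `[System.IO.DriveInfo]::GetDrives()` appears to narrow what is inspected: `GetDrives()` enumerates drive-letter drives only, so volumes mounted on folder paths, which `Get-Volume` did list, no longer show up in the report an operator is asked to check for NTFS. If the change was made for hosts without the Storage module, say so in a comment on the task; otherwise keeping `Get-Volume` (e.g. `Get-Volume | Select-Object DriveLetter, FileSystemType, DriveType`) preserves coverage. The new message uses `wn22_00_000130_audit.stdout.split('\n')`; `wn22_00_000130_audit.stdout_lines` is the idiomatic form and matches the other audit tasks in this role. The `register:` line for that variable is outside this hunk, so I am assuming it is unchanged.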
@@ -977,9 +977,6 @@ - wn22stig_lockoutbadcount > 0 - wn22stig_lockoutbadcount <= 3 - - name: Pause for 2 minutes to finsh WN22-AC-000020 - ansible.builtin.pause: - minutes: '2' when: - wn22_ac_000020 tags: diff --git a/tasks/main.yml b/tasks/main.yml index 8324494..86d12f2 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -43,13 +43,13 @@ tags: - CAT1 -- name: Execute the category 2 (medium severity) tasks +- name: Execute the category 2 (Medium Severity) tasks ansible.builtin.import_tasks: cat2.yml when: win2022stig_cat2_patch tags: - CAT2 -- name: Execute the category 3 (lowest severity) tasks +- name: Execute the category 3 (Lowest Severity) tasks ansible.builtin.import_tasks: cat3.yml when: win2022stig_cat3_patch tags: @@ -61,8 +61,3 @@ - "You have {{ warn_count }} Warning(s) that require investigation(s). Their ID's are listed below:" - "{{ warn_control_list }}" when: warn_count != 0 - -- name: Reboot Now - ansible.windows.win_shell: shutdown -r -t 1 - changed_when: false - check_mode: false From 2cc503c2b1bbe786b81f755892c41c13768b5024 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 12 Jul 2023 11:52:04 -0400 Subject: [PATCH 47/95] updated cat-1+2-1 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 2 +- tasks/cat2.yml | 27 +++++++++++++++++++++++---- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 2d371b1..da37f20 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -422,7 +422,7 @@ path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa value: LimitBlankPasswordUse data: 1 - datatype: string + datatype: dword when: - wn22_so_000020 tags: diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 21a76e0..2161652 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -301,12 +301,31 @@ - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements." block: - - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements. | Message out" + - name: "MEDIUM | WN22-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements. | Obtain icacls for Program Files." + ansible.windows.win_shell: icacls "c:\program files" + changed_when: false + failed_when: false + register: wn22_00_000150_program_files_audit + + - name: "MEDIUM | WN22-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements. | Manual Audit icacls for Program Files." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 permissions for program file directories must conform to minimum requirements." + msg: + - "Warning!! This is a manual task to audit. Windows Server 2022 icacls program needs to meet" + - "the STIG requirements. Please check the report below and compare the the STIG requirements." + - "{{ wn22_00_000150_program_files_audit.stdout_lines }}" - - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements. | import reuseable task." - ansible.builtin.import_tasks: warning_facts.yml + - name: "MEDIUM | WN22-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements. | Obtain icacls for Program Files x86" + ansible.windows.win_shell: icacls "c:\program files (x86)" + changed_when: false + failed_when: false + register: wn22_00_000150_program_files_86_audit + + - name: "MEDIUM | WN22-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements. | Manual Audit icacls for Program Files x86." + ansible.builtin.debug: + msg: + - "Warning!! 
This is a manual task to audit. Windows Server 2022 icacls program files x86 needs to meet" + - "the STIG requirements. Please check the report below and compare the the STIG requirements." + - "{{ wn22_00_000150_program_files_86_audit.stdout_lines }}" vars: warn_control_id: 'WN22-00-000150' when: From 483049346b179fb06f001b18c8eee5d9c498d15b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 12 Jul 2023 14:28:02 -0400 Subject: [PATCH 48/95] updated cat-2-2 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 2161652..c964c8e 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -302,7 +302,7 @@ - name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements." block: - name: "MEDIUM | WN22-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements. | Obtain icacls for Program Files." - ansible.windows.win_shell: icacls "c:\program files" + ansible.windows.win_shell: icacls "c:\Program Files" changed_when: false failed_when: false register: wn22_00_000150_program_files_audit @@ -315,7 +315,7 @@ - "{{ wn22_00_000150_program_files_audit.stdout_lines }}" - name: "MEDIUM | WN22-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements. | Obtain icacls for Program Files x86" - ansible.windows.win_shell: icacls "c:\program files (x86)" + ansible.windows.win_shell: icacls "c:\Program Files (x86)" changed_when: false failed_when: false register: wn22_00_000150_program_files_86_audit 
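Review bot: The `ansible.builtin.import_tasks: warning_facts.yml` task for WN22-00-000150 was removed, but its `vars: warn_control_id: 'WN22-00-000150'` survived and is now attached to the "Program Files x86" debug task, so this control no longer increments `warn_count` or appears in the final warning list the way the other manual controls do. Re-add the import as its own task with `ansible.builtin.import_tasks: warning_facts.yml` carrying that `vars:` block. Both new `icacls` tasks also lack `check_mode: false`, so in a `--check` run they are skipped and the following debug tasks fail on the undefined `stdout_lines`.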
@@ -340,11 +340,20 @@ - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements." block: - - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements. | Message out" + - name: "MEDIUM | WN22-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements. | Obtain icacls for Windows Directory." + ansible.windows.win_shell: icacls "c:\windows" + changed_when: false + failed_when: false + register: wn16_00_000160_windows_dir_audit + + - name: "MEDIUM | WN22-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements. | Warning Message." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements." + msg: + - "Warning!! This is a manual task to audit. Windows Server 2016 permissions for the Windows installation directory needs to meet" + - "the STIG requirements. Please check the report below and compare the the STIG requirements." + - "{{ wn16_00_000160_windows_dir_audit.stdout_lines }}" - - name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements. | import reuseable task." + - name: "MEDIUM | WN22-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000160' From e68e4830329c36bb9479facd5fb7ca0685b6a691 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 12 Jul 2023 15:35:27 -0400 Subject: [PATCH 49/95] updated cat-2-3 
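Review bot: The register variable for WN22-00-000160 is named `wn16_00_000160_windows_dir_audit`, the only `wn16_` name in a file that otherwise uses `wn22_` prefixes, and the warning text says "Windows Server 2016"; both look like copy-paste from the 2016 role and should read `wn22_00_000160_windows_dir_audit` / "Windows Server 2022" so the variable is not mistaken for a cross-role reference. The new `icacls "c:\windows"` task has no `check_mode: false`, so in a `--check` run the debug task that follows fails on the undefined `stdout_lines`.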
Signed-off-by: Frederick Witty --- tasks/cat2.yml | 67 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 63 insertions(+), 4 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index c964c8e..84e8e8e 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -349,7 +349,7 @@ - name: "MEDIUM | WN22-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements. | Warning Message." ansible.builtin.debug: msg: - - "Warning!! This is a manual task to audit. Windows Server 2016 permissions for the Windows installation directory needs to meet" + - "Warning!! This is a manual task to audit. Windows Server 2022 permissions for the Windows installation directory needs to meet" - "the STIG requirements. Please check the report below and compare the the STIG requirements." - "{{ wn16_00_000160_windows_dir_audit.stdout_lines }}" 
@@ -389,14 +389,73 @@ - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2022 outdated or unused accounts must be removed from the system or disabled." block: - - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2022 outdated or unused accounts must be removed from the system or disabled. | Message out" + - name: "MEDIUM | WN22-00-000190 | AUDIT - DOMAIN CONTROLLERS | Outdated or unused accounts must be removed from the system or disabled | Audit System." + ansible.windows.win_shell: Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 35.00:00:00 + changed_when: false + failed_when: false + register: wn22_00_000190_account_audit_dc + when: ansible_windows_domain_role == "Primary domain controller" + + - name: "MEDIUM | WN22-00-000190 | AUDIT - DOMAIN CONTROLLERS | Outdated or unused accounts must be removed from the system or disabled. | Warning Message." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 outdated or unused accounts must be removed from the system or disabled." + msg: + - "Warning!! This is a manual task. Outdated or unused accounts must be removed from" + - "the Windows Server 2022 system or disabled." + - "Accounts to exclude are the following:" + - "Built-in administrator account (Renamed, SID ending in 500)" + - "Built-in guest account (Renamed, Disabled, SID ending in 501)" + - "Built-in default account (Renamed, Disabled, SID ending in 503)" + - "Application accounts" + - "Below is the list of User accounts found on the system. Please check the report" + - "below and compare the the STIG requirements." 
+ - "----------------------------------------------------------" + - "{{ wn22_00_000190_account_audit_dc.stdout.split('\n') }}" + - "----------------------------------------------------------" + when: + - wn22_00_000190_account_audit_dc is not skipped + - wn22_00_000190_account_audit_dc.stdout != "" + + - name: "MEDIUM | WN22-00-000190 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Outdated or unused accounts must be removed from the system or disabled. | Audit User Accounts" + ansible.windows.win_shell: | + ([ADSI]('WinNT://{0}' -f $env:COMPUTERNAME)).Children | Where { + $_.SchemaClassName -eq 'user' } | ForEach { + $user = ([ADSI]$_.Path) + $lastLogin = $user.Properties.LastLogin.Value + $enabled = ($user.Properties.UserFlags.Value -band 0x2) -ne 0x2 + if ($lastLogin -eq $null) { + $lastLogin = 'Never' + } + Write-Host $user.Name $lastLogin $enabled + } + changed_when: false + failed_when: false + register: wn22_00_000210_account_audit_dm_sa + when: not ansible_windows_domain_role == "Primary domain controller" + + - name: "MEDIUM | WN22-00-000190 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Outdated or unused accounts must be removed from the system or disabled. | Warning Message." + ansible.builtin.debug: + msg: + - "Warning!! This is a manual task. Outdated or unused accounts must be removed from" + - "the Windows Server 2022 system or disabled." + - "Accounts to exclude are the following:" + - "Built-in administrator account (Renamed, SID ending in 500)" + - "Built-in guest account (Renamed, Disabled, SID ending in 501)" + - "Built-in default account (Renamed, Disabled, SID ending in 503)" + - "Application accounts" + - "Below is the list of User accounts found on the system. Please check the report" + - "below and compare the the STIG requirements." 
+ - "----------------------------------------------------------" + - "{{ wn22_00_000210_account_audit_dm_sa.stdout.split('\n') }}" + - "----------------------------------------------------------" + when: + - wn22_00_000210_account_audit_dm_sa is not skipped + - wn22_00_000210_account_audit_dm_sa.stdout != "" - - name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2022 outdated or unused accounts must be removed from the system or disabled. | import reuseable task." + - name: "MEDIUM | WN22-00-000190 | AUDIT | Outdated or unused accounts must be removed from the system or disabled. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000190' + when: wn22_00_000210_account_audit_dc is not skipped and wn22_00_000210_account_audit_dc.stdout != "" or wn22_00_000210_account_audit_dm_sa is not skipped and wn22_00_000210_account_audit_dm_sa.stdout != "" when: - wn22_00_000190 tags: From 5f88b7113ac6b4360a403821102bc587b7eaf205 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 12 Jul 2023 16:15:27 -0400 Subject: [PATCH 50/95] updated cat-2-4 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 84e8e8e..73340a7 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -429,7 +429,7 @@ } changed_when: false failed_when: false - register: wn22_00_000210_account_audit_dm_sa + register: wn22_00_000190_account_audit_dm_sa when: not ansible_windows_domain_role == "Primary domain controller" - name: "MEDIUM | WN22-00-000190 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Outdated or unused accounts must be removed from the system or disabled. | Warning Message." 
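Review bot: The AD branch of WN22-00-000190 runs only when `ansible_windows_domain_role == "Primary domain controller"`, but every domain controller other than the PDC-emulator holder reports "Backup domain controller", so on those hosts the `Search-ADAccount -AccountInactive` check is skipped and the local-account ADSI branch runs instead; the condition should cover both, e.g. `when: ansible_windows_domain_role in ["Primary domain controller", "Backup domain controller"]`, with the member/standalone branch negated the same way. The final warn-count `when:` mixes `and` and `or` on one line with no parentheses; it relies on Jinja precedence and would be clearer as `when: (dc is not skipped and dc.stdout != "") or (sa is not skipped and sa.stdout != "")` with the real variable names.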
@@ -445,17 +445,17 @@ - "Below is the list of User accounts found on the system. Please check the report" - "below and compare the the STIG requirements." - "----------------------------------------------------------" - - "{{ wn22_00_000210_account_audit_dm_sa.stdout.split('\n') }}" + - "{{ wn22_00_000190_account_audit_dm_sa.stdout.split('\n') }}" - "----------------------------------------------------------" when: - - wn22_00_000210_account_audit_dm_sa is not skipped - - wn22_00_000210_account_audit_dm_sa.stdout != "" + - wn22_00_000190_account_audit_dm_sa is not skipped + - wn22_00_000190_account_audit_dm_sa.stdout != "" - name: "MEDIUM | WN22-00-000190 | AUDIT | Outdated or unused accounts must be removed from the system or disabled. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000190' - when: wn22_00_000210_account_audit_dc is not skipped and wn22_00_000210_account_audit_dc.stdout != "" or wn22_00_000210_account_audit_dm_sa is not skipped and wn22_00_000210_account_audit_dm_sa.stdout != "" + when: wn22_00_000190_account_audit_dc is not skipped and wn22_00_000190_account_audit_dc.stdout != "" or wn22_00_000190_account_audit_dm_sa is not skipped and wn22_00_000190_account_audit_dm_sa.stdout != "" when: - wn22_00_000190 tags: From 4bffca17c24f69b44d280865f826fd7140d4ff05 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 12 Jul 2023 16:26:24 -0400 Subject: [PATCH 51/95] updated cat-2-00-230 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 73340a7..d7026c6 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -575,21 +575,24 @@ - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it." block: - - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it." - ansible.windows.win_shell: Get-SmbShare | Where-Object -FilterScript {$_.Special -EQ $False} + - name: "MEDIUM | WN22-00-000230 | AUDIT | Non-system-created file shares on a system must limit access to groups that require it. | Audit Shares" + ansible.windows.win_shell: Get-SmbShare | Where-Object { ($_.Name -notlike "ADMIN$") -and ($_.Name -notlike 'C$') -and ($_.Name -notlike 'IPC$') } | Select-Object -Property Name | format-table -hidetableheaders changed_when: false failed_when: false - check_mode: false register: wn22_00_000230_audit - - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it." + - name: "MEDIUM | WN22-00-000230 | AUDIT | Non-system-created file shares on a system must limit access to groups that require it. | Warning Message." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it." + msg: + - "Warning!! You have shares that non-system created. Please manually review those shares listed below to make sure appropriate permissions are applied" + - "{{ wn22_00_000230_audit.stdout_lines | select() | list }}" + when: wn22_00_000230_audit.stdout_lines | select() | length > 0 - - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it. | import reuseable task." + - name: "MEDIUM | WN22-00-000230 | AUDIT | Non-system-created file shares on a system must limit access to groups that require it." 
ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000230' + when: wn22_00_000230_audit.stdout_lines | select() | length > 0 when: - wn22_00_000230 tags: From 285dc5c83c93802e8dc75d8bc1d3aa3d3bbbfcb6 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 12 Jul 2023 16:35:50 -0400 Subject: [PATCH 52/95] updated cat-2-00-270 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index d7026c6..0b70ff2 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
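Review bot: The new share filter for WN22-00-000230 only excludes `ADMIN$`, `C$` and `IPC$`, so system-created administrative shares on any other volume (`D$`, `E$`, ...) are now reported as "non-system created" shares and will raise warnings on every multi-volume host; the original `$_.Special -EQ $False` covered all of them. `Where-Object { -not $_.Special }` (or `$_.Name -notlike '*$'`) keeps the new output shaping without the false positives. Dropping `check_mode: false` from the `Get-SmbShare` task also means a `--check` run skips it, and the two `when: wn22_00_000230_audit.stdout_lines | select() | length > 0` conditions then fail on an undefined attribute.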
@@ -682,18 +682,22 @@ - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented." block: - - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 bust have the roles and features required by the system documented." + - name: "MEDIUM | WN22-00-000270 | AUDIT | The roles and features required by the system must be documented. | Audit The System" ansible.windows.win_shell: Get-WindowsFeature | Where-Object -FilterScript {$_.Installed -EQ $True} changed_when: false failed_when: false - check_mode: false register: wn22_00_000270_audit - - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented." + - name: "MEDIUM | WN22-00-000270 | AUDIT | The roles and features required by the system must be documented. | Warning Message." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must have the roles and features required by the system documented." + msg: + - "Warning!! This is a manual task. Windows Server 2022 must have the roles" + - "and features required by the system documented. Below is the current list of" + - "roles and features installed on the system." + - "Document the roles and features required for the system to operate. Uninstall any that are not required." + - "{{ wn22_00_000270_audit.stdout_lines }}" - - name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented. | import reuseable task." + - name: "MEDIUM | WN22-00-000270 | AUDIT | The roles and features required by the system must be documented. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000270' From e1db323c093f3e2ee8070d4f4574a3ba21161534 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 12 Jul 2023 17:25:12 -0400 Subject: [PATCH 53/95] updated cat-2-00-290 
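Review bot: Removing `check_mode: false` from the `Get-WindowsFeature` task for WN22-00-000270 breaks `--check` runs: the command is skipped, and the debug task that follows renders `{{ wn22_00_000270_audit.stdout_lines }}` with no `is not skipped` guard, so the play fails on an undefined attribute. Either restore `check_mode: false` on the audit task or add `when: wn22_00_000270_audit is not skipped` to the warning message.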
Signed-off-by: Frederick Witty --- tasks/cat2.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 0b70ff2..3aab55f 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -734,11 +734,16 @@ - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." block: - - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." + - name: "MEDIUM | WN16-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warning Message" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." + msg: + - "Warning!! This is a manual task. 
Windows Server 2022 must employ automated mechanisms to determine the state of system" + - "components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System" + - "(HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans" + - "by Computer Network Defense Service Provider (CNDSP). Verify DoD-approved ESS software is installed and properly operating." + - "Ask the site ISSM for documentation of the ESS software installation and configuration." - - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | import reuseable task." + - name: "MEDIUM | WN16-00-000290 | PATCH | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000290' From fe5508aa8421219ba8947a13124fca4ee170f5c3 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 13 Jul 2023 08:01:36 -0400 Subject: [PATCH 54/95] updated cat-2-00-300 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 3aab55f..0d17bee 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
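Review bot: Both renamed task names for this control now read `WN16-00-000290` while the `warn_control_id` and tags stay `WN22-00-000290`, so the play output will show a 2016 control ID that does not exist in this STIG; restore `WN22-00-000290` in both names. The second task is also labelled `PATCH` although it only imports warning_facts.yml, which every other control in the file labels `AUDIT`.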
@@ -759,14 +759,45 @@ - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours." block: - - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours." + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN CONTROLLER | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Get User List." + ansible.windows.win_shell: Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate + changed_when: false + failed_when: false + register: wn22_00_000330_audit_dc + when: ansible_windows_domain_role == "Primary domain controller" + + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN CONTROLLER | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Warning Message" + ansible.builtin.debug: + msg: + - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts" + - "listed where the expiration date is longer then 72 hours." + - "{{ wn22_00_000330_audit_dc.stdout.split('\n') }}" + when: + - wn22_00_000330_audit_dc is not skipped + - wn22_00_000330_audit_dc.stdout != "" + + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Get User List." + ansible.windows.win_shell: Get-LocalUser + changed_when: false + failed_when: false + register: wn22_00_000330_audit_sa + when: not ansible_windows_domain_role == "Primary domain controller" + + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Warning Message" ansible.builtin.debug: - msg: "Warning!! This is a manual task. 
Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours." + msg: + - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts" + - "listed where the expiration date is longer then 72 hours." + - "{{ wn22_00_000330_audit_sa.stdout.split('\n') }}" + when: + - wn22_00_000330_audit_dc is not skipped + - wn22_00_000330_audit_dc.stdout != "" - - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | import reuseable task." + - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Warning Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000300' + when: wn22_00_000330_audit_dc is not skipped and wn22_00_000330_audit_dc.stdout != "" or wn22_00_000330_audit_dc is not skipped and wn22_00_000330_audit_dc.stdout != "" when: - wn22_00_000300 tags: From 93e961582d8e1b3b25927e7a351db92dfae124f2 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 13 Jul 2023 12:09:19 -0400 Subject: [PATCH 55/95] updated cat-2-au-060 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 329 +++++++++++++++++++++++++++++++++++++++-------- tasks/prelim.yml | 8 ++ 2 files changed, 281 insertions(+), 56 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 0d17bee..8db6a8e 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
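Review bot: The DOMAIN MEMBERS warning task for WN22-00-000300 is gated on the DC result instead of its own: its `when:` tests `wn22_00_000330_audit_dc`, so on member and standalone servers (where the DC task is skipped) the message never appears, and on the PDC the condition passes and the task renders `wn22_00_000330_audit_sa.stdout` from a skipped result, which fails as undefined. The two list items should be `- wn22_00_000330_audit_sa is not skipped` and `- wn22_00_000330_audit_sa.stdout != ""`, and the warn-count line, which currently repeats the `_dc` clause twice, should end with `or wn22_00_000330_audit_sa is not skipped and wn22_00_000330_audit_sa.stdout != ""`. The register names carry `000330` for a control tagged `WN22-00-000300`; renaming them to `wn22_00_000300_audit_dc`/`_sa` would avoid the same confusion that bit WN22-00-000190.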
@@ -759,14 +759,14 @@ - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours." block: - - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN CONTROLLER | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Get User List." + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | Get User List." ansible.windows.win_shell: Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate changed_when: false failed_when: false register: wn22_00_000330_audit_dc when: ansible_windows_domain_role == "Primary domain controller" - - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN CONTROLLER | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Warning Message" + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | Warning Message" ansible.builtin.debug: msg: - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts" 
@@ -776,14 +776,14 @@ - wn22_00_000330_audit_dc is not skipped - wn22_00_000330_audit_dc.stdout != "" - - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Get User List." + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | Get User List." ansible.windows.win_shell: Get-LocalUser changed_when: false failed_when: false register: wn22_00_000330_audit_sa when: not ansible_windows_domain_role == "Primary domain controller" - - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Warning Message" + - name: "MEDIUM | WN22-00-000300 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | Warning Message" ansible.builtin.debug: msg: - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts" @@ -793,7 +793,7 @@ - wn22_00_000330_audit_dc is not skipped - wn22_00_000330_audit_dc.stdout != "" - - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2016 must automatically remove or disable temporary user accounts after 72 hours. | Warning Count" + - name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours. | Warning Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000300' 
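Review bot: The `when:` of the DOMAIN MEMBERS OR STANDALONE Warning Message task, visible as context at the top of the -793 hunk, appears to test `wn22_00_000330_audit_dc` rather than the `wn22_00_000330_audit_sa` result the task prints, so on a member server or standalone host (where the `_dc` task is skipped) the warning never fires, and on a domain controller the task runs and references a skipped result's `stdout`, which is likely to fail on an undefined attribute. The two lines should read `- wn22_00_000330_audit_sa is not skipped` and `- wn22_00_000330_audit_sa.stdout != ""`. The commit renames these tasks but leaves the condition as it was; the WN22-00-000310 block added in the next hunk gets this right for its own `_sa` warning.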
@@ -810,14 +810,45 @@ - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." block: - - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." + - name: "MEDIUM | WN22-00-000310 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Get User List." + ansible.windows.win_shell: Search-ADAccount -AccountExpiring | FT Name, AccountExpirationDate + changed_when: false + failed_when: false + register: wn22_00_000310_audit_dc + when: ansible_windows_domain_role == "Primary domain controller" + + - name: "MEDIUM | WN22-00-000310 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Warning Message" + ansible.builtin.debug: + msg: + - "Warning!! This is a manual task. Windows Server 2022 must automatically remove or disable emergency" + - "accounts after the crisis is resolved or within 72 hours." + - "{{ wn22_00_000310_audit_dc.stdout.split('\n') }}" + when: + - wn22_00_000310_audit_dc is not skipped + - wn22_00_000310_audit_dc.stdout != "" + + - name: "MEDIUM | WN22-00-000310 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Get User List." + ansible.windows.win_shell: Get-LocalUser + changed_when: false + failed_when: false + register: wn22_00_000310_audit_sa + when: not ansible_windows_domain_role == "Primary domain controller" + + - name: "MEDIUM | WN22-00-000310 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. 
| Warning Message" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours." + msg: + - "Warning!! This is a manual task. Windows Server 2022 must automatically remove or disable emergency" + - "accounts after the crisis is resolved or within 72 hours." + - "{{ wn22_00_000310_audit_sa.stdout.split('\n') }}" + when: + - wn22_00_000310_audit_sa is not skipped + - wn22_00_000310_audit_sa.stdout != "" - - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | import reuseable task." + - name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours. | Warning Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000310' + when: wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" or wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" when: - wn22_00_000310 tags: 
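Review bot: The `when:` added to the Warning Count task repeats the same `_dc` condition on both sides of the `or`, so the count is never incremented when only the DOMAIN MEMBERS OR STANDALONE warning fired; the second disjunct should test the `_sa` result: `when: (wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "") or (wn22_00_000310_audit_sa is not skipped and wn22_00_000310_audit_sa.stdout != "")`. Separately, `Get-LocalUser` lists every local account including the built-in ones, so on a non-domain-controller `wn22_00_000310_audit_sa.stdout != ""` is effectively always true and the emergency-account warning is raised unconditionally; if that is intended, the message should say the list is for manual review rather than a detected finding. The pre-existing WN22-00-000300 Warning Count task shows the same duplicated-condition pattern and would benefit from the same fix.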
@@ -980,14 +1011,28 @@ - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent anonymous logons." block: - - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent anonymous logons." + - name: "MEDIUM | WN22-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons. | Get FTP Installed Status." + ansible.windows.win_shell: Get-WindowsFeature | Where Name -eq Web-Ftp-Service + changed_when: false + failed_when: false + register: wn22_00_000420_audit + + - name: set_fact + ansible.builtin.set_fact: + wn22_00_000420_audit: "{{ wn22_00_000420_audit.stdout_lines | regex_search('Installed') }}" + + - name: "MEDIUM | WN22-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons. | Warning Message" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 FTP servers must be configured to prevent anonymous logons." + msg: + - "Warning!! This is a manual task. Internet Information Services (IIS) Manager FTP is currently" + - "installed on the system. Anonymous Authentication must be set to diabled per STIG Requirements." + when: "'Installed' in wn22_00_000420_audit" - - name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent anonymous logons. | import reuseable task." + - name: "MEDIUM | WN22-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000420' + when: "'Installed' in wn22_00_000420_audit" when: - wn22_00_000420 tags: 
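Review bot: The new `set_fact` step applies `regex_search`, a string filter, to `wn22_00_000420_audit.stdout_lines`, which is a list, and overwrites the registered result under the same name; depending on the Ansible version this either errors on the non-string input or, when the feature is absent, may yield an empty or `None` value that then breaks the string test `'Installed' in wn22_00_000420_audit` on the two later tasks. Dropping the set_fact and testing the raw output directly, `when: "'Installed' in wn22_00_000420_audit.stdout"`, is simpler and has no type ambiguity. Two smaller points: the step is named just `set_fact`, unlike every other task in the file, and the warning text has a typo, `diabled`. The same set_fact/regex_search pattern is repeated for WN22-00-000430 in the next hunk.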
@@ -1000,14 +1045,39 @@ - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent access to the system drive." block: - - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent access to the system drive." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 FTP servers must be configured to prevent access to the system drive." + - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Get FTP Installed." + ansible.windows.win_shell: Get-WindowsFeature | Where Name -eq Web-Ftp-Service + changed_when: false + failed_when: false + register: wn22_00_000430_audit + + - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Set Fact." + ansible.builtin.set_fact: + wn22_00_000430_audit: "{{ wn22_00_000430_audit.stdout_lines | regex_search('Installed') }}" - - name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent access to the system drive. | import reuseable task." + - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Get Sites Info." + ansible.windows.win_shell: | + Import-Module IISAdministration + Get-IISSite + changed_when: false + failed_when: false + register: wn22_00_000430_isssite_audit + when: "'Installed' in wn22_00_000430_audit" + + - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Warning Message." + debug: + msg: + - "Warning!! This is a manual task. For any sites with a Binding that lists FTP, right-click the site and select Explore." + - "If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding" + - "Configure the FTP sites to allow access only to specific FTP shared resources. 
Do not allow access to other areas of the system." + - "{{ wn22_00_000430_isssite_audit.stdout.split('\n') }}" + when: "'Installed' in wn22_00_000430_audit" + + - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000430' + when: "'Installed' in wn22_00_000430_audit" when: - wn22_00_000430 tags: @@ -1333,7 +1403,10 @@ block: - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 audit records must be backed up to a different system or media than the system being audited." + msg: + - "Warning!! This is a manual task. Windows Server 2022 audit records must be backed up to a" + - "different system or media than the system being audited. Establish and implement a process" + - "for backing up log data to another system or media other than the system being audited." - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
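Review bot: The Warning Message task in the WN22-00-000430 hunk uses the short module name `debug:` while every other task in this file uses the FQCN `ansible.builtin.debug:`; keeping the FQCN avoids a lint warning and matches the rest of the commit. The Get Sites Info step runs `Import-Module IISAdministration` with `failed_when: false`, so if the module is unavailable the task succeeds silently with empty output and the warning prints an empty site list; either state in the message that an empty list may mean the module failed to load, or guard the display with `wn22_00_000430_isssite_audit.rc == 0`. The set_fact/regex_search concern raised on WN22-00-000420 applies here as well.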
@@ -1353,7 +1426,9 @@ block: - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." + msg: + - "Warning!! This is a manual task. Windows Server 2022 must, at a minimum, offload audit" + - "records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly." - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -1371,11 +1446,30 @@ - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000030 | PATCH | Windows 2022 permissions for the Application event log must prevent access by non-privileged accounts. | Get Default Log Locations." + ansible.windows.win_shell: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\ | Select-Object File | ft -HideTableHeaders + changed_when: false + failed_when: false + register: wn22_au_000030_app_log_location + + - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows 2022 permissions for the Application event log must prevent access by non-privileged accounts. | Get Current Permissions For Default Application Log." + ansible.windows.win_shell: get-acl "{{ wn22_au_000030_app_log_location.stdout | trim }}" | FL AccessToString + changed_when: false + failed_when: false + register: wn22_au_000030_app_log_permissions - - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts. | import reuseable task." + - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows 2022 permissions for the Application event log must prevent access by non-privileged accounts. | Permissions warning for accounts." + ansible.builtin.debug: + msg: + - "Warning!! Ensure the permissions on the Application event log (Application.evtx) are configured" + - "to prevent standard user accounts or groups from having access. 
The default permissions listed below satisfy this requirement:" + - "Eventlog - Full Control, SYSTEM - Full Control, Administrators - Full Control" + - "Current location of Application.evtx is {{ wn22_au_000030_app_log_location.stdout | trim }}" + - "If there is no output below If the location of the logs has been changed, when adding Eventlog to the permissions," + - "it must be entered as NT Service\\Eventlog" + - "{{ wn22_au_000030_app_log_permissions.stdout_lines | reject('match', '^$') | list }}" + + - name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows 2022 permissions for the Application event log must prevent access by non-privileged accounts. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AU-000030' 
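Review bot: The first new task in the WN22-AU-000030 hunk is labelled `PATCH` in its name although it only reads the registry with `Get-ItemProperty` under `changed_when: false`; it should be `AUDIT` like its siblings (the WN22-AU-000040 and -000050 hunks below have this right). The log path is extracted with `Select-Object File | ft -HideTableHeaders`, trimmed, and then interpolated into a second `get-acl "{{ ... }}"` command; `Select-Object -ExpandProperty File` returns the bare value without table formatting and is not subject to Format-Table's column truncation, and passing it as `get-acl -LiteralPath "{{ ... }}"` keeps a path containing quotes or wildcard characters from being interpreted by the shell. The warning text `If there is no output below If the location of the logs has been changed, when adding Eventlog to the permissions,` is garbled and should be split into two sentences. The same three points apply to the Security and System log hunks at -1393 and -1415.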
@@ -1393,9 +1487,28 @@ - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000040 | AUDIT | Permissions for the Security event log must prevent access by non-privileged accounts. | Get Default Log Locations." + ansible.windows.win_shell: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\ | Select-Object File | ft -HideTableHeaders + changed_when: false + failed_when: false + register: wn22_au_000040_sec_log_location + + - name: "MEDIUM | WN22-AU-000040 | AUDIT | Permissions for the Security event log must prevent access by non-privileged accounts. | Get Current Permissions For Default Security Log." + ansible.windows.win_shell: get-acl "{{ wn22_au_000040_sec_log_location.stdout | trim }}" | FL AccessToString + changed_when: false + failed_when: false + register: wn22_au_000040_sec_log_permissions + + - name: "MEDIUM | WN22-AU-000040 | AUDIT | Permissions for the Security event log must prevent access by non-privileged accounts. | Permissions warning for accounts." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts." + msg: + - "Warning!! Ensure the permissions on the Security event log (Security.evtx) are configured" + - "to prevent standard user accounts or groups from having access. 
The default permissions listed below satisfy this requirement:" + - "Eventlog - Full Control, SYSTEM - Full Control, Administrators - Full Control" + - "Current location of Security.evtx is {{ wn22_au_000040_sec_log_location.stdout | trim }}" + - "If there is no output below If the location of the logs has been changed, when adding Eventlog to the permissions," + - "it must be entered as NT Service\\Eventlog" + - "{{ wn22_au_000040_sec_log_permissions.stdout_lines | reject('match', '^$') | list }}" - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -1415,9 +1528,28 @@ - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts." block: - - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts." + - name: "MEDIUM | WN22-AU-000050 | AUDIT | Permissions for the System event log must prevent access by non-privileged accounts. | Get Default Log Locations." + ansible.windows.win_shell: Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System\ | Select-Object File | ft -HideTableHeaders + changed_when: false + failed_when: false + register: wn22_au_000050_system_log_location + + - name: "MEDIUM | WN22-AU-000050 | AUDIT | Permissions for the System event log must prevent access by non-privileged accounts. | Get Current Permissions For Default System Log." + ansible.windows.win_shell: get-acl "{{ wn22_au_000050_system_log_location.stdout | trim }}" | FL AccessToString + changed_when: false + failed_when: false + register: wn22_au_000050_system_log_permissions + + - name: "MEDIUM | WN22-AU-000050 | AUDIT | Permissions for the System event log must prevent access by non-privileged accounts. | Permissions warning for accounts." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts." + msg: + - "Warning!! Ensure the permissions on the System event log (System.evtx) are configured" + - "to prevent standard user accounts or groups from having access. 
The default permissions listed below satisfy this requirement:" + - "Eventlog - Full Control, SYSTEM - Full Control, Administrators - Full Control" + - "Current location of System.evtx is {{ wn22_au_000050_system_log_location.stdout | trim }}" + - "If there is no output below If the location of the logs has been changed, when adding Eventlog to the permissions," + - "it must be entered as NT Service\\Eventlog" + - "{{ wn22_au_000050_system_log_permissions.stdout_lines | reject('match', '^$') | list }}" - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -1437,9 +1569,24 @@ - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion." block: - - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion." + - name: "MEDIUM | WN22-AU-000060 | AUDIT | Event Viewer must be protected from unauthorized modification and deletion. | Get Current Permissions For Eventvwr.exe." + ansible.windows.win_shell: get-acl {{ item }}:\Windows\system32\Eventvwr.exe | FL AccessToString + changed_when: false + failed_when: false + with_items: + - "{{ wn22_drive_letters.stdout_lines }}" + register: wn22_au_000060_event_viewer_permissions + + - name: "MEDIUM | WN22-AU-000060 | AUDIT | Event Viewer must be protected from unauthorized modification and deletion. | Permissions warning for accounts." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion." + msg: + - "Warning!! Event Viewer must be protected from unauthorized modification and deletion." + - "If any groups or accounts other than TrustedInstaller have Full control or Modify permissions, this is a finding." + - "TrustedInstaller - Full Control, Administrators, SYSTEM, Users, ALL APPLICATION PACKAGES," + - "ALL RESTRICTED APPLICATION PACKAGES - Read & Execute" + - "If there is no output below If the location of the logs has been changed" + - "The default location should be System32 folder." + - "{{ wn22_au_000060_event_viewer_permissions.results[0].stdout_lines }}" - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
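Review bot: The Get Current Permissions task loops `get-acl` over every entry in `wn22_drive_letters.stdout_lines` (a fact apparently set in prelim.yml, outside this hunk), but the warning prints only `results[0].stdout_lines`, so any drive after the first is queried and discarded, and with `failed_when: false` a first entry that has no Windows directory simply leaves an empty list in the warning. Eventvwr.exe lives under the system root, so a single unlooped call `ansible.windows.win_shell: get-acl "$env:SystemRoot\system32\Eventvwr.exe" | FL AccessToString` with `register:` and no `with_items`, printing `wn22_au_000060_event_viewer_permissions.stdout_lines`, checks the right file on the right drive. The line `If there is no output below If the location of the logs has been changed` was copied from the event-log tasks and does not apply to Eventvwr.exe.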
@@ -2870,7 +3017,11 @@ block: - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos user logon restrictions must be enforced." + msg: + - "Warning!! Kerberos user logon restrictions must be enforced." + - "Configure the policy value in the Default Domain Policy for Computer Configuration" + - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" + - ">> Enforce user logon restrictions to Enabled" - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml @@ -2892,7 +3043,12 @@ block: - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." + msg: + - "Warning!! The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." + - "Configure the policy value in the Default Domain Policy for Computer Configuration" + - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" + - ">> Maximum lifetime for service ticket to a maximum of 600 minutes, but not 0, which equates to" + - "Ticket doesn't expire" - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -2914,7 +3070,11 @@ block: - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less." + msg: + - "Warning!! The Kerberos user ticket lifetime must be limited to 10 hours or less." + - "Configure the policy value in the Default Domain Policy for Computer Configuration" + - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" + - ">> Maximum lifetime for user ticket to a maximum of 10 hours but not 0, which equates to Ticket doesn't expire" - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml @@ -2936,7 +3096,11 @@ block: - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." + msg: + - "Warning!! The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." + - "Configure the policy value in the Default Domain Policy for Computer Configuration" + - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" + - ">> Maximum lifetime for user ticket renewal to a maximum of 7 days or less" - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -2958,7 +3122,11 @@ block: - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less." + msg: + - "Warning!! The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." + - "Configure the policy value in the Default Domain Policy for Computer Configuration" + - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" + - ">> Maximum tolerance for computer clock synchronization to a maximum of 5 minutes or less." - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
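Review bot: The first line of the new WN22-DC-000060 message describes the wrong control: it says `The Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.`, which is the WN22-DC-000050 text, while the task name and the final line are about clock synchronization tolerance. It should read `- "Warning!! The computer clock synchronization tolerance must be limited to 5 minutes or less."`.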
@@ -2978,9 +3146,29 @@ - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files." block: - - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files." + - name: "MEDIUM | WN22-DC-000120 | AUDIT | Data files owned by users must be on a different logical partition from the directory server data files. | Audit Current Dir Locations For DSA" + ansible.windows.win_shell: Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters -Name "Database log files path","DSA Database file" + changed_when: false + failed_when: false + register: wn22_dc_000120_audit_dirlocation + + - name: "MEDIUM | WN22-DC-000120 | AUDIT | Data files owned by users must be on a different logical partition from the directory server data files. | Get Shared Drives" + ansible.windows.win_shell: net share + changed_when: false + failed_when: false + register: wn22_dc_000120_audit_shares + + - name: "MEDIUM | WN22-DC-000120 | AUDIT | Data files owned by users must be on a different logical partition from the directory server data files. | Warning Message." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files." + msg: + - "Warning!! This is a manual task. Data files owned by users must be on a different logical partition" + - "from the directory server data files. Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative" + - "shares ending in $). User shares that are hidden (ending with $) should not be ignored." + - "If user shares are located on the same logical partition as the directory server data files, this is a finding." 
+ - "Note the directory locations in the values for DSA Database file" + - "{{ wn22_dc_000120_audit_dirlocation.stdout_lines | trim }}" + - "Note the logical drive(s) or file system partition for any organization-created data shares." + - "{{ wn22_dc_000120_audit_shares.stdout_lines | trim }}" - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml @@ -3001,7 +3189,10 @@ block: - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 domain controllers must run on a machine dedicated to that function." + msg: + - "Warning!! This is a manual task. Domain controllers must run on a machine dedicated to that function." + - "Review installed applications. Remove additional roles or applications such as web, database," + - "and email from the domain controller." - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -3022,7 +3213,12 @@ block: - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data." + msg: + - "Warning!! This is a manual task. If the classification level of the Windows domain controller is higher than" + - "the level of the network traversed and NSA-approved encryption is not used, this is a finding." + - "Configure NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service" + - "implementations at a classified confidentiality level that transfer replication data through a network cleared" + - "to a lower level than the data." - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -3043,7 +3239,9 @@ block: - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings." + msg: + - "Warning!! This is a manual task. Active Directory Group Policy objects must be configured with proper audit settings." + - "Please review the STIG documentation for proper direction on auditing this control." - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml @@ -3065,7 +3263,9 @@ block: - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Domain object must be configured with proper audit settings." + msg: + - "Warning!! This is a manual task. The Active Directory Domain object must be configured with proper audit settings." + - "Please review the STIG documentation for proper direction on auditing this control." - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -3087,7 +3287,9 @@ block: - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings." + msg: + - "Warning!! This is a manual task. The Active Directory Infrastructure object must be configured with proper audit settings." + - "Please review the STIG documentation for proper direction on auditing this control." - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml @@ -3109,7 +3311,10 @@ block: - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings." + msg: + - "Warning!! This is a manual task. The Active Directory Domain Controllers Organizational" + - "Unit (OU) object must be configured with proper audit settings." + - "Please review the STIG documentation for proper direction on auditing this control." - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -3131,7 +3336,9 @@ block: - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings." + msg: + - "Warning!! This is a manual task. The Active Directory AdminSDHolder object must be configured with proper audit settings." + - "Please review the STIG documentation for proper direction on auditing this control." - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml @@ -3153,7 +3360,9 @@ block: - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings." + msg: + - "Warning!! This is a manual task. The Active Directory RID Manager$ object must be configured with proper audit settings." + - "Please review the STIG documentation for proper direction on auditing this control." - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -3863,20 +4072,24 @@ - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." block: - - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." - ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*"} | FL Subject, Issuer, Thumbprint, NotAfter + - name: "MEDIUM | WN22-PK-000020 | AUDIT | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DoD Interoperability Root CA 2 49 Thumb Check." + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*DoD Interoperability*" -and $_.Subject -Like "*DoD*" -and $_.Thumbprint -Like "49CBE933151872E17C8EAE7F0ABA97FB610F6477"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false - check_mode: false - register: wn22_pk_000020_audit + failed_when: false + register: wn22_pk_000020_interop_check_for_49 - - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." + - name: "MEDIUM | WN22-PK-000020 | AUDIT | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Warning!! No DoD Interoperability Root CA 2 Certificate Installed." ansible.builtin.debug: - msg: "Warning!! This is a manual task. 
Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." + msg: + - "Warning!! The DoD Root CA 3 - DoD Interoperability Root CA 2 certificate is not installed on the system or" + - "does not contain Thumbprint 49CBE933151872E17C8EAE7F0ABA97FB610F6477 for the Certificate." + when: wn22_pk_000020_interop_check_for_49.stdout == "" - - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems. | import reuseable task." + - name: "MEDIUM | WN22-PK-000020 | AUDIT | The DoD Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-PK-000020' + when: wn22_pk_000020_interop_check_for_49.stdout == "" when: - wn22_pk_000020 tags: 
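Review bot: Dropping `check_mode: false` from the win_shell audit task breaks `--check` runs: the shell task is skipped in check mode, so the registered `wn22_pk_000020_interop_check_for_49` carries no `stdout` and the two `when: wn22_pk_000020_interop_check_for_49.stdout == ""` conditions that follow error on the missing attribute. The query only reads `Cert:\LocalMachine\disallowed`, so restoring `check_mode: false` on the win_shell task is safe; alternatively guard the conditions with `wn22_pk_000020_interop_check_for_49.stdout | default('') == ""`. The thumbprint is now hard-coded twice, in the PowerShell filter and in the warning text; pulling it into one variable would keep the two from drifting when the DoD cross-certificate is rotated.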
@@ -3890,20 +4103,24 @@ - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." block: - - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." - ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where Issuer -Like "*CCEB Interoperability*" | FL Subject, Issuer, Thumbprint, NotAfter + - name: "MEDIUM | WN22-PK-000030 | AUDIT | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | DoD CCEB Interop Check." + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\disallowed | Where {$_.Issuer -Like "*US DoD CCEB Interoperability Root CA 2*" -and $_.Subject -Like "*DoD Root CA 3*" -and $_.Thumbprint -Like "9B74964506C7ED9138070D08D5F8B969866560C8"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false - check_mode: false - register: wn22_pk_000030_audit + failed_when: false + register: wn22_pk_000030_cceb_interop_check - - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." + - name: "MEDIUM | WN22-PK-000030 | AUDIT | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Warning!! No DoD Root CA 3 - US DoD CCEB Interoperability Certificate Installed." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." + msg: + - "Warning!! 
The DoD Root CA 3 - US DoD CCEB Interoperability Root CA 2 certificate is not installed on the system or" + - "does not contain Thumbprint 9B74964506C7ED9138070D08D5F8B969866560C8 for the Certificate." + when: wn22_pk_000030_cceb_interop_check.stdout == "" - - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems. | import reuseable task." + - name: "MEDIUM | WN22-PK-000030 | AUDIT | The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificates Store on unclassified systems. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-PK-000030' + when: wn22_pk_000030_cceb_interop_check.stdout == "" when: - wn22_pk_000030 tags: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index c158b12..d5f39ba 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -24,3 +24,11 @@ - name: win2022_rdp_enabled.value var ansible.builtin.debug: var: win2022_rdp_enabled.value + +- name: Get Drive Letters" + ansible.windows.win_shell: Get-Volume | ?{ $_.DriveType -eq 'Fixed' } | Select-Object -ExpandProperty 'DriveLetter' + changed_when: false + failed_when: false + register: wn22_drive_letters + when: + - wn22_au_000060 From e20cba5a065e209880988bd112eb1f102c662658 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 13 Jul 2023 15:10:50 -0400 Subject: [PATCH 56/95] updated cat-3-0370-1 Signed-off-by: Frederick Witty --- tasks/cat3.yml | 35 ++++++++++++++++++++++------------- 1 file changed, 22 insertions(+), 13 deletions(-) diff --git a/tasks/cat3.yml b/tasks/cat3.yml index debc8ae..61a474f 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml 
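Review bot: As in the WN22-PK-000020 block, removing `check_mode: false` means a `--check` run skips the win_shell task and the `when: wn22_pk_000030_cceb_interop_check.stdout == ""` conditions then fail on an undefined `stdout`; restore `check_mode: false` (the Get-ChildItem query does not modify the store) or compare against `stdout | default('')`. The `-Like` comparison on `$_.Thumbprint` contains no wildcard, so it behaves as a case-insensitive exact match; `-eq` would state that intent more plainly and avoid an accidental glob if the value is ever parameterised.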
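Review bot: The new task name `Get Drive Letters"` has a stray trailing quote with no opening one; YAML accepts it as a plain scalar, but the task is displayed with a literal `"` in its name, and `- name: "PRELIM | Get Drive Letters"` would match the neighbouring prelim task names. The task has no `tags: - always`, so a run restricted with `--tags` will presumably skip it and leave `wn22_drive_letters` undefined for the WN22-AU-000060 task that consumes it (that task is outside this hunk). Like the other audit shells, it also lacks `check_mode: false`, so `--check` leaves the registered variable without `stdout`.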
@@ -2,14 +2,26 @@ - name: "LOW | WN22-00-000180 | AUDIT | Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares." block: - - name: "LOW | WN22-00-000180 | AUDIT | Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares." + - name: "LOW | WN22-00-000180 | AUDIT | Non-administrative accounts or groups must only have print permissions on printer shares. | Get Printer List" + ansible.windows.win_shell: Get-Printer | where Shared -eq $true | fl Name, Type + changed_when: false + failed_when: false + register: wn22_00_000180_audit - - name: "LOW | WN22-00-000180 | AUDIT | Windows Server 2022 non-administrative accounts or groups must only have print permissions on printer shares. | import reuseable task." + - name: "LOW | WN22-00-000180 | AUDIT | Non-administrative accounts or groups must only have print permissions on printer shares. | Warning Message." + ansible.builtin.debug: + msg: + - "Warning!! This is a manual task. Windows Server 2022 non-administrative accounts or groups" + - "must only have print permissions on printer shares. If A Printer is showing shared please" + - "configure the permissions on shared printers to restrict standard users to only have Print permissions." + - "{{ wn22_00_000180_audit.stdout.split('\n') | trim }}" + when: wn22_00_000180_audit.stdout | length > 0 + + - name: "LOW | WN22-00-000180 | AUDIT | Non-administrative accounts or groups must only have print permissions on printer shares. | Warning Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000180' + when: wn22_00_000180_audit.stdout | length > 0 when: - wn22_00_000180 tags: 
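Review bot: In the warning message the `trim` filter is applied to the list produced by `split('\n')`, not to its elements, so Jinja stringifies the whole list and strips that string; the intended per-line cleanup is `{{ wn22_00_000180_audit.stdout.split('\n') | map('trim') | list }}`. Because the audit task sets `failed_when: false` and both conditions only test `stdout | length > 0`, a Get-Printer failure (for example on a host without the PrintManagement module) produces empty stdout and the control silently reports nothing instead of warning; consider also raising the warning when `wn22_00_000180_audit.rc != 0`. The win_shell task has no `check_mode: false`, so in `--check` mode it is skipped and the `.stdout` references error.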
@@ -136,15 +148,12 @@ - CAT3 - name: "LOW | WN22-CC-000320 | AUDIT | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled." - block: - - name: "LOW | WN22-CC-000320 | AUDIT | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled. " - - - name: "LOW | WN22-CC-000320 | AUDIT | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled. | import reuseable task." - ansible.builtin.import_tasks: warning_facts.yml - vars: - warn_control_id: 'WN22-CC-000320' + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer + value: NoHeapTerminationOnCorruption + state: present + data: 0 + datatype: dword when: - wn22_cc_000320 tags: From e55609d152ce68e75319d62cb15ff514441a25ae Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 18 Jul 2023 09:00:59 -0400 Subject: [PATCH 57/95] updated winrm tags Signed-off-by: Frederick Witty --- tasks/cat1.yml | 2 ++ tasks/cat2.yml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index da37f20..fccaac5 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -144,6 +144,7 @@ - SV-254378r877395_rule - CCI-000877 - CAT1 + - winrm - name: "HIGH | WN22-CC-000500 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication." ansible.windows.win_regedit: @@ -161,6 +162,7 @@ - SV-254381r877395_rule - CCI-000877 - CAT1 + - winrm - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." block: diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 8db6a8e..e942ab7 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
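Review bot: The task header keeps `AUDIT` in its name (`LOW | WN22-CC-000320 | AUDIT | ...`) although the task now enforces the setting with win_regedit instead of printing a manual-task warning; enforcing tasks elsewhere in the role use `PATCH` (for example `HIGH | WN22-CC-000500 | PATCH |` in the cat1.yml hunk of this same commit), so it should read `- name: "LOW | WN22-CC-000320 | PATCH | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled."`. A one-line comment such as `# 0 = heap termination on corruption stays enabled (the policy name is a double negative)` would also spare the next reader from re-deriving why `data: 0` is the compliant value.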
@@ -2945,6 +2945,7 @@ - CCI-002890 - CCI-003123 - CAT2 + - winrm - name: "MEDIUM | WN22-CC-000490 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication." ansible.windows.win_regedit: @@ -2979,6 +2980,7 @@ - CCI-002890 - CCI-003123 - CAT2 + - winrm - name: "MEDIUM | WN22-CC-000520 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials." ansible.windows.win_regedit: @@ -2996,6 +2998,7 @@ - SV-254383r848965_rule - CCI-002038 - CAT2 + - winrm - name: "MEDIUM | WN22-CC-000530 | PATCH | Windows Server 2022 must have PowerShell Transcription enabled." ansible.windows.win_regedit: From aecd7c046dcc9c18c8ca9c029eab27067865ca50 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 19 Jul 2023 15:46:50 -0400 Subject: [PATCH 58/95] Update cat order for cloud Signed-off-by: Frederick Witty --- tasks/cat2.yml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index e942ab7..6ed0de0 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -1187,24 +1187,6 @@ - CCI-000044 - CAT2 -- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" - community.windows.win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ wn22stig_resetlockoutcount }}" - when: - - wn22stig_resetlockoutcount >= 15 - when: - - wn22_ac_000030 - tags: - - WN22-AC-000030 - - V-254287 - - SRG-OS-000021-GPOS-00005 - - SV-254287r848677_rule - - CCI-000044 - - CCI-002238 - - CAT2 - # below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." block: @@ -1243,6 +1225,24 @@ - CCI-002238 - CAT2 +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" + community.windows.win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ wn22stig_resetlockoutcount }}" + when: + - wn22stig_resetlockoutcount >= 15 + when: + - wn22_ac_000030 + tags: + - WN22-AC-000030 + - V-254287 + - SRG-OS-000021-GPOS-00005 + - SV-254287r848677_rule + - CCI-000044 + - CCI-002238 + - CAT2 + # below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." block: From f54f88a983c457875d6305fee18e5f3711e56cc4 Mon Sep 17 00:00:00 2001 
From: Frederick Witty Date: Fri, 21 Jul 2023 15:22:31 -0400 Subject: [PATCH 59/95] Added cat2cloud-1 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 72 +++++++++++++-------------- tasks/cat2_cloud.yml | 115 +++++++++++++++++++++++++++++++++++++++++++ tasks/main.yml | 13 +++++ tasks/prelim.yml | 14 ++++++ 4 files changed, 178 insertions(+), 36 deletions(-) create mode 100644 tasks/cat2_cloud.yml diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 6ed0de0..23a0648 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -1187,43 +1187,23 @@ - CCI-000044 - CAT2 -# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." +# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." block: - - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" + - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_lockoutduration < 15 - - wn22stig_lockoutduration > 0 + - wn22stig_resetlockoutcount < 15 - - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warn Count." + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN22-AC-000010' - when: - - wn22stig_lockoutduration < 15 - - wn22stig_lockoutduration > 0 - - - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Apply Variable." - community.windows.win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ wn22stig_lockoutduration }}" + warn_control_id: 'WN22-AC-000030' when: - - wn22stig_lockoutduration == 0 or - wn22stig_lockoutduration >= 15 - when: - - wn22_ac_000010 - tags: - - WN22-AC-000010 - - V-254285 - - SRG-OS-000329-GPOS-00128 - - SV-254285r848671_rule - - CCI-002238 - - CAT2 + - wn22stig_resetlockoutcount < 15 - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" community.windows.win_security_policy: 
@@ -1243,23 +1223,43 @@ - CCI-002238 - CAT2 -# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" -- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." +# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." block: - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" + - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_resetlockoutcount < 15 + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warn Count." 
ansible.builtin.import_tasks: warning_facts.yml vars: - warn_control_id: 'WN22-AC-000030' + warn_control_id: 'WN22-AC-000010' when: - - wn22stig_resetlockoutcount < 15 + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 + + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Apply Variable." + community.windows.win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ wn22stig_lockoutduration }}" + when: + - wn22stig_lockoutduration == 0 or + wn22stig_lockoutduration >= 15 + when: + - wn22_ac_000010 + tags: + - WN22-AC-000010 + - V-254285 + - SRG-OS-000329-GPOS-00128 + - SV-254285r848671_rule + - CCI-002238 + - CAT2 - name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered." community.windows.win_security_policy: diff --git a/tasks/cat2_cloud.yml b/tasks/cat2_cloud.yml new file mode 100644 index 0000000..ab1954b --- /dev/null +++ b/tasks/cat2_cloud.yml 
@@ -0,0 +1,115 @@ +--- +# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS +# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." + block: + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 + + - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000020' + when: + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 + + - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." + community.windows.win_security_policy: + section: System Access + key: LockoutBadCount + value: "{{ wn22stig_lockoutbadcount }}" + when: + - wn22stig_lockoutbadcount > 0 + - wn22stig_lockoutbadcount <= 3 + when: + - wn22_ac_000020 + tags: + - WN22-AC-000020 + - V-254286 + - SRG-OS-000021-GPOS-00005 + - SV-254286r848674_rule + - CCI-000044 + - CAT2 + +- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." 
+ block: + - name: "MEDIUM | WN22-AC-000010 | AUDIT | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 + + - name: "MEDIUM | WN22-AC-000010 | AUDIT | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000010' + when: + - wn22stig_lockoutduration < 15 + - wn22stig_lockoutduration > 0 + + - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Apply Variable." + community.windows.win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ wn22stig_lockoutduration }}" + when: + - wn22stig_lockoutduration == 0 or + wn22stig_lockoutduration >= 15 + when: + - wn22_ac_000010 + tags: + - WN22-AC-000010 + - V-254285 + - SRG-OS-000329-GPOS-00128 + - SV-254285r848671_rule + - CCI-002238 + - CAT2 + +# below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" +- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + block: + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." + ansible.builtin.debug: + msg: + - "Warning!! 
You have a invalid number of days set for wn22stig_resetlockoutcount please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or + wn22stig_resetlockoutcount < 15 + + - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000030' + when: + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or + wn22stig_resetlockoutcount < 15 + + - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" + community.windows.win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ wn22stig_resetlockoutcount }}" + when: + - wn22stig_resetlockoutcount >= 15 + - wn22stig_resetlockoutcount <= wn22stig_lockoutduration + when: + - wn22_ac_000030 + tags: + - WN22-AC-000030 + - V-254287 + - SRG-OS-000021-GPOS-00005 + - SV-254287r848677_rule + - CCI-000044 + - CCI-002238 + - CAT2 diff --git a/tasks/main.yml b/tasks/main.yml index 86d12f2..e4ea719 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -43,6 +43,19 @@ tags: - CAT1 +# We have found the order of these three tasks varies between cloud based instances +# and VM based instances. The task below breaks out to run in a different order +# for cloud based systems +- name: Execute the category 2 (medium severity) tasks for cloud based system + ansible.builtin.import_tasks: cat2_cloud.yml + when: + - win22stig_cloud_based_system + - wn22_ac_000010 or + wn22_ac_000020 or + wn22_ac_000030 + tags: + - CAT2_CLOUD2 + - name: Execute the category 2 (Medium Severity) tasks ansible.builtin.import_tasks: cat2.yml when: win2022stig_cat2_patch 
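Review bot: In the WN22-AC-000030 block the new apply condition `wn22stig_resetlockoutcount <= wn22stig_lockoutduration` and the matching warning test do not account for `wn22stig_lockoutduration == 0`, a value the WN22-AC-000010 block in this same file explicitly accepts (presumably meaning locked until an administrator unlocks); on such a host every positive reset value exceeds 0, so the warning fires and the reset counter is never applied. Treat zero as unbounded in both places, e.g. on the apply task `- wn22stig_lockoutduration == 0 or wn22stig_resetlockoutcount <= wn22stig_lockoutduration`. Separately, the warning texts for `wn22stig_lockoutbadcount` and `wn22stig_resetlockoutcount` both say "invalid number of days" although the first is an attempt count and the second is in minutes, and the two WN22-AC-000030 subtask names lack their opening double quote (`- name: MEDIUM | WN22-AC-000030 | AUDIT ...`), which YAML accepts but which leaves a stray `"` at the end of the displayed name.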
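Review bot: The new `import_tasks: cat2_cloud.yml` is not gated on `win2022stig_cat2_patch`, while the `cat2.yml` import directly below it is, so on a cloud-detected host the three lockout controls run even when the operator has disabled CAT2 patching; add `- win2022stig_cat2_patch` to its `when` list. The tag `CAT2_CLOUD2` also differs from the `CAT2` tag carried by the imported tasks themselves; if the trailing `2` is unintended, `CAT2_CLOUD` reads more consistently. The variable `win22stig_cloud_based_system` introduces a third prefix alongside `win2022stig_` and `wn22stig_` in this file.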
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index d5f39ba..e00f5f5 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -8,6 +8,20 @@ tags: - always +# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') +# This list is not complete and will be updated as we try on more cloud based services. +# As of now testing is working in azure using Hyper-V. We are curently using this for reference: +# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205 +- name: Set Fact If Cloud Based System. + ansible.builtin.set_fact: + win22stig_cloud_based_system: true + when: + - ansible_virtualization_type == 'Hyper-V' or + ansible_virtualization_type == 'hvm' or + ansible_virtualization_type == 'kvm' + tags: + - always + # 1 = disabled 0 = enabled # this reg key may be useful detect is secure conenctions enabled, etc? - name: "PRELIM | Detect if Remote Desktop Services (RDP) is Enabled" From ceddb3c06379fbbd42160eb7d587b86202d5d334 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 21 Jul 2023 15:30:03 -0400 Subject: [PATCH 60/95] add cloudcat2-2 Signed-off-by: Frederick Witty --- defaults/main.yml | 5 +++++ tasks/cat2.yml | 3 +++ 2 files changed, 8 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index e40a7ec..d257202 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
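Review bot: `ansible_virtualization_type` only exists when facts are gathered; with `gather_facts` off the `when` expression errors on an undefined variable, so the list should begin with `- ansible_virtualization_type is defined`. The comment itself says `Hyper-V` and `kvm` also cover on-premises hypervisors and Nutanix, so the fact really means "virtualised in a way that needs the reordered lockout policy" rather than "cloud"; the comment should say so and name the `win22stig_cloud_based_system` default as the operator override. The linked reference is the Linux fact collector, whereas the Windows `setup` module presumably derives this value from WMI, so the exact strings it emits (including the casing of `Hyper-V`/`kvm`) are worth confirming against the Windows facts code.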
@@ -32,6 +32,11 @@ win2022stig_system_is_container: false # set to false to skip long running tasks long_running: false +# win22stig_cloud_based_system is a setting built into the playbook for testing locally vs azure. +# We have found certain controls need to be set in a different order when being applied in the +# different enviroments. By Default This is set to false. +win22stig_cloud_based_system: false + # win2022stig_skip_secure_winrm is used in the playbook to skip over WINRM based controls that # may cause WINRM Basic Connection Type to be disabled. # Setting win2022stig_skip_secure_winrm to 'false' will enable Secure Connection types only. diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 23a0648..869f64c 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1179,6 +1179,7 @@ when: - wn22_ac_000020 + - not win22stig_cloud_based_system tags: - WN22-AC-000020 - V-254286 @@ -1214,6 +1215,7 @@ - wn22stig_resetlockoutcount >= 15 when: - wn22_ac_000030 + - not win22stig_cloud_based_system tags: - WN22-AC-000030 - V-254287 @@ -1253,6 +1255,7 @@ wn22stig_lockoutduration >= 15 when: - wn22_ac_000010 + - not win22stig_cloud_based_system tags: - WN22-AC-000010 - V-254285 From 752db5eb0bf932dc677e7b944922e08147b1ee8d Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 1 Aug 2023 10:20:41 -0400 Subject: [PATCH 61/95] Standarization Corrections -1 Signed-off-by: Frederick Witty --- defaults/main.yml | 2 +- tasks/cat2.yml | 192 +++++++++++++++++++++---------------------- tasks/cat2_cloud.yml | 1 + tasks/prelim.yml | 8 +- 4 files changed, 102 insertions(+), 101 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d257202..fcdb969 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -46,7 +46,7 @@ win22stig_cloud_based_system: false # WN22-CC-000480 - CAT2 # WN22-CC-000510 - CAT2 # WN22-CC-000520 - CAT2 -win2022stig_skip_secure_winrm: true +win2022stig_skip_secure_winrm: false # CAT 1 rules wn22_00_000030: true 
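Review bot: Flipping `win2022stig_skip_secure_winrm` to `false` makes the WinRM controls listed in the comment above it run by default, and that comment warns they can disable the Basic connection type; a controller that itself reaches the host over WinRM Basic/HTTP will presumably sever its own session mid-run. The hardened default is the right one, but it should be called out where operators will see it, e.g. `# Default false: WinRM Basic auth and unencrypted traffic are disabled by the role; connect with Kerberos/NTLM/CredSSP over HTTPS before relying on this default.`, and ideally backed by a prelim guard that fails early when `ansible_winrm_transport | default('') == 'basic'` and the variable is false.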
diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 869f64c..b705624 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1606,16 +1606,16 @@ - CCI-001495 - CAT2 -- name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes." +- name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2022 must be configured to audit Account Logon | Credential Validation successes." block: - - name: "MEDIUM | WN22-AU-000070 | AUDIT | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes." + - name: "MEDIUM | WN22-AU-000070 | AUDIT | Windows Server 2022 must be configured to audit Account Logon | Credential Validation successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000070_audit - - name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation successes." + - name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2022 must be configured to audit Account Logon | Credential Validation successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable when: "'Success' not in wn22_au_000070_audit.stdout" when: 
@@ -1628,16 +1628,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures." +- name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2022 must be configured to audit Account Logon | Credential Validation failures." block: - - name: "MEDIUM | WN22-AU-000080 | AUDIT | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures." + - name: "MEDIUM | WN22-AU-000080 | AUDIT | Windows Server 2022 must be configured to audit Account Logon | Credential Validation failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000080_audit - - name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2022 must be configured to audit Account Logon - Credential Validation failures." + - name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2022 must be configured to audit Account Logon | Credential Validation failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable when: "'Failure' not in wn22_au_000080_audit.stdout" when: 
@@ -1650,16 +1650,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." +- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management | Other Account Management Events successes." block: - - name: "MEDIUM | WN22-AU-000090 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000090 | AUDIT | Windows Server 2022 must be configured to audit Account Management | Other Account Management Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000090_audit - - name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management - Other Account Management Events successes." + - name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management | Other Account Management Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /failure:enable when: "'Failure' not in wn22_au_000090_audit.stdout" when: 
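Review bot: WN22-AU-000090 is named "Other Account Management Events successes", but the PATCH task runs `AuditPol /set /subcategory:"Other Account Management Events" /failure:enable` gated on `'Failure' not in wn22_au_000090_audit.stdout`, so success auditing for this subcategory is never enabled; this commit renames the task without touching the command. Following the pattern of WN22-AU-000070 above, the two lines should read `ansible.windows.win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable` and `when: "'Success' not in wn22_au_000090_audit.stdout"`. The block's outer `when:` and `tags:` continue below the hunk.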
@@ -1673,16 +1673,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." +- name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management successes." block: - - name: "MEDIUM | WN22-AU-000100 | AUDIT | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + - name: "MEDIUM | WN22-AU-000100 | AUDIT | Windows Server 2022 must be configured to audit Account Management | User Account Management successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000100_audit - - name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + - name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in wn22_au_000100_audit.stdout" when: 
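Review bot: The renamed task names for WN22-AU-000100 say "User Account Management successes", but both shell commands target `/subcategory:"Security Group Management"`, and WN22-AU-000110 in the next hunk already covers User Account Management successes with the identical wording. Either the label or the command is wrong; since the commit is standardizing names, the name and the subcategory should agree (e.g. `... audit Account Management | Security Group Management successes.` if the command is the correct one) after checking the STIG text for this ID. The block's outer `when:` and `tags:` continue below the hunk.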
@@ -1700,16 +1700,16 @@ - CCI-002130 - CAT2 -- name: "MEDIUM | WN22-AU-000110 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." +- name: "MEDIUM | WN22-AU-000110 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management successes." block: - - name: "MEDIUM | WN22-AU-000110 | AUDIT | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + - name: "MEDIUM | WN22-AU-000110 | AUDIT | Windows Server 2022 must be configured to audit Account Management | User Account Management successes." ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000110_audit - - name: "MEDIUM | WN22-AU-000110 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management successes." + - name: "MEDIUM | WN22-AU-000110 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management successes." ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable when: "'Success' not in wn22_au_000110_audit.stdout" when: 
@@ -1727,16 +1727,16 @@ - CCI-002130 - CAT2 -- name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management failures." +- name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management failures." block: - - name: "MEDIUM | WN22-AU-000120 | AUDIT | Windows Server 2022 must be configured to audit Account Management - User Account Management failures." + - name: "MEDIUM | WN22-AU-000120 | AUDIT | Windows Server 2022 must be configured to audit Account Management | User Account Management failures." ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000120_audit - - name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management - User Account Management failures." + - name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management failures." ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable when: "'Failure' not in wn22_au_000120_audit.stdout" when: 
@@ -1754,16 +1754,16 @@ - CCI-002130 - CAT2 -- name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes." +- name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking | Plug and Play Events successes." block: - - name: "MEDIUM | WN22-AU-000130 | AUDIT | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes." + - name: "MEDIUM | WN22-AU-000130 | AUDIT | Windows Server 2022 must be configured to audit Detailed Tracking | Plug and Play Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000130_audit - - name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Plug and Play Events successes." + - name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking | Plug and Play Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable when: "'Success' not in wn22_au_000130_audit.stdout" when: 
@@ -1776,16 +1776,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes." +- name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking | Process Creation successes." block: - - name: "MEDIUM | WN22-AU-000140 | AUDIT | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes." + - name: "MEDIUM | WN22-AU-000140 | AUDIT | Windows Server 2022 must be configured to audit Detailed Tracking | Process Creation successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000140_audit - - name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking - Process Creation successes." + - name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking | Process Creation successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable when: "'Success' not in wn22_au_000140_audit.stdout" when: 
@@ -1799,25 +1799,25 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout successes." +- name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout successes." block: - - name: "MEDIUM | WN22-AU-000150 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout successes." + - name: "MEDIUM | WN22-AU-000150 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000150_audit -- name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." +- name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout failures." block: - - name: "MEDIUM | WN22-AU-000160 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." + - name: "MEDIUM | WN22-AU-000160 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000160_audit - - name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Account Lockout failures." + - name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout failures." 
ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable when: "'Failure' not in wn22_au_000160_audit.stdout" when: @@ -1831,16 +1831,16 @@ - CCI-001404 - CAT2 -- name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes." +- name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Group Membership successes." block: - - name: "MEDIUM | WN22-AU-000170 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes." + - name: "MEDIUM | WN22-AU-000170 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff | Group Membership successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000170_audit - - name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Group Membership successes." + - name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Group Membership successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable when: "'Success' not in wn22_au_000170_audit.stdout" when: 
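Review bot: The WN22-AU-000150 block in `@@ -1799,25 +1799,25 @@` ends right after `register: wn22_au_000150_audit` — it has no PATCH task, no outer `when:` and no `tags:` — so Account Lockout success auditing is only queried and never enabled, the audit runs unconditionally, and the control cannot be selected by tag; the commit only rewords its name. It should mirror the neighbouring WN22-AU-000160 block, with the `/success:enable` patch task and the outer conditions and tags (assuming a `wn22_au_000150` toggle exists in defaults like the other controls, and with the V-/CCI- ids for this control filled in from the STIG).
```yaml
      register: wn22_au_000150_audit

    - name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout successes."
      ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable
      when: "'Success' not in wn22_au_000150_audit.stdout"
  when:
    - wn22_au_000150
  tags:
    - WN22-AU-000150
    # … V-NNNNNN / CCI-NNNNNN placeholders: take the ids for this control from the STIG …
    - CAT2
```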
@@ -1921,16 +1921,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes." +- name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Special Logon successes." block: - - name: "MEDIUM | WN22-AU-000210 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes." + - name: "MEDIUM | WN22-AU-000210 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff | Special Logon successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000210_audit - - name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff - Special Logon successes." + - name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Special Logon successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable when: "'Success' not in wn22_au_000210_audit.stdout" when: @@ -1943,7 +1943,7 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events successes." +- name: "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events successes." community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure 
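Review bot: WN22-AU-000220 at `@@ -1943` (and WN22-AU-000230 in the next hunk) is implemented with `community.windows.win_audit_policy_system` and `audit_type: success, failure`, while every other audit control in the file uses the `ansible.windows.win_shell` AuditPol audit/patch pair. Besides pulling in a second collection, the two tasks are now identical apart from their names, so the "successes" task already sets failures and vice versa. If the module form is preferred it should be documented at the top of the file; otherwise these two should be rewritten to the AuditPol pattern so the file is consistent with the rest of the standardization.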
@@ -1957,7 +1957,7 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2022 must be configured to audit Object Access - Other Object Access Events failures." +- name: "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events failures." community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure @@ -1971,16 +1971,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes." +- name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access | Removable Storage successes." block: - - name: "MEDIUM | WN22-AU-000240 | AUDIT | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes." + - name: "MEDIUM | WN22-AU-000240 | AUDIT | Windows Server 2022 must be configured to audit Object Access | Removable Storage successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000240_audit - - name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage successes." + - name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access | Removable Storage successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable when: "'Success' not in wn22_au_000240_audit.stdout" when: 
@@ -1993,16 +1993,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures." +- name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2022 must be configured to audit Object Access | Removable Storage failures." block: - - name: "MEDIUM | WN22-AU-000250 | AUDIT | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures." + - name: "MEDIUM | WN22-AU-000250 | AUDIT | Windows Server 2022 must be configured to audit Object Access | Removable Storage failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000250_audit - - name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2022 must be configured to audit Object Access - Removable Storage failures." + - name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2022 must be configured to audit Object Access | Removable Storage failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable when: "'Failure' not in wn22_au_000250_audit.stdout" when: 
@@ -2015,16 +2015,16 @@ - CCI-000172 - CAT2 -- name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes." +- name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change successes." block: - - name: "MEDIUM | WN22-AU-000260 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes." + - name: "MEDIUM | WN22-AU-000260 | AUDIT | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000260_audit - - name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change successes." + - name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable when: "'Success' not in wn22_au_000260_audit.stdout" when: 
@@ -2038,16 +2038,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures." +- name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change failures." block: - - name: "MEDIUM | WN22-AU-000270 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures." + - name: "MEDIUM | WN22-AU-000270 | AUDIT | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000270_audit - - name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Audit Policy Change failures." + - name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /failure:enable when: "'Failure' not in wn22_au_000270_audit.stdout" when: 
@@ -2061,16 +2061,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes." +- name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Authentication Policy Change successes." block: - - name: "MEDIUM | WN22-AU-000280 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes." + - name: "MEDIUM | WN22-AU-000280 | AUDIT | Windows Server 2022 must be configured to audit Policy Change | Authentication Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000280_audit - - name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authentication Policy Change successes." + - name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Authentication Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable when: "'Success' not in wn22_au_000280_audit.stdout" when: 
@@ -2084,16 +2084,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes." +- name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Authorization Policy Change successes." block: - - name: "MEDIUM | WN22-AU-000290 | AUDIT | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes." + - name: "MEDIUM | WN22-AU-000290 | AUDIT | Windows Server 2022 must be configured to audit Policy Change | Authorization Policy Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000290_audit - - name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2022 must be configured to audit Policy Change - Authorization Policy Change successes." + - name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Authorization Policy Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable when: "'Success' not in wn22_au_000290_audit.stdout" when: 
@@ -2107,16 +2107,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes." +- name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use successes." block: - - name: "MEDIUM | WN22-AU-000300 | AUDIT | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes." + - name: "MEDIUM | WN22-AU-000300 | AUDIT | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000300_audit - - name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use successes." + - name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable when: "'Success' not in wn22_au_000300_audit.stdout" when: 
@@ -2130,16 +2130,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures." +- name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use failures." block: - - name: "MEDIUM | WN22-AU-000310 | AUDIT | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures." + - name: "MEDIUM | WN22-AU-000310 | AUDIT | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000310_audit - - name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2022 must be configured to audit Privilege Use - Sensitive Privilege Use failures." + - name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable when: "'Failure' not in wn22_au_000310_audit.stdout" when: 
@@ -2153,16 +2153,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver successes." +- name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2022 must be configured to audit System | IPsec Driver successes." block: - - name: "MEDIUM | WN22-AU-000320 | AUDIT | Windows Server 2022 must be configured to audit System - IPsec Driver successes." + - name: "MEDIUM | WN22-AU-000320 | AUDIT | Windows Server 2022 must be configured to audit System | IPsec Driver successes." ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000320_audit - - name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver successes." + - name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2022 must be configured to audit System | IPsec Driver successes." ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable when: "'Success' not in wn22_au_000320_audit.stdout" when: 
@@ -2176,16 +2176,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver failures." +- name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2022 must be configured to audit System | IPsec Driver failures." block: - - name: "MEDIUM | WN22-AU-000330 | AUDIT | Windows Server 2022 must be configured to audit System - IPsec Driver failures." + - name: "MEDIUM | WN22-AU-000330 | AUDIT | Windows Server 2022 must be configured to audit System | IPsec Driver failures." ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000330_audit - - name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2022 must be configured to audit System - IPsec Driver failures." + - name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2022 must be configured to audit System | IPsec Driver failures." ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable when: "'Success' not in wn22_au_000330_audit.stdout" when: 
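Review bot: WN22-AU-000330 (IPsec Driver failures) runs `/failure:enable` but its guard is `when: "'Success' not in wn22_au_000330_audit.stdout"`, so the failure setting is skipped whenever success auditing already happens to be on and applied redundantly when it is off; the rename in this hunk leaves that untouched. Every other failure task in the file checks `'Failure'`, so the line should read `when: "'Failure' not in wn22_au_000330_audit.stdout"`. The block's outer `when:` and `tags:` continue below the hunk.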
@@ -2199,16 +2199,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events successes." +- name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2022 must be configured to audit System | Other System Events successes." block: - - name: "MEDIUM | WN22-AU-000340 | AUDIT | Windows Server 2022 must be configured to audit System - Other System Events successes." + - name: "MEDIUM | WN22-AU-000340 | AUDIT | Windows Server 2022 must be configured to audit System | Other System Events successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000340_audit - - name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events successes." + - name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2022 must be configured to audit System | Other System Events successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable when: "'Success' not in wn22_au_000340_audit.stdout" when: 
@@ -2222,16 +2222,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events failures." +- name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2022 must be configured to audit System | Other System Events failures." block: - - name: "MEDIUM | WN22-AU-000350 | AUDIT | Windows Server 2022 must be configured to audit System - Other System Events failures." + - name: "MEDIUM | WN22-AU-000350 | AUDIT | Windows Server 2022 must be configured to audit System | Other System Events failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000350_audit - - name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2022 must be configured to audit System - Other System Events failures." + - name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2022 must be configured to audit System | Other System Events failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable when: "'Failure' not in wn22_au_000350_audit.stdout" when: 
@@ -2245,16 +2245,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2022 must be configured to audit System - Security State Change successes." +- name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2022 must be configured to audit System | Security State Change successes." block: - - name: "MEDIUM | WN22-AU-000360 | AUDIT | Windows Server 2022 must be configured to audit System - Security State Change successes." + - name: "MEDIUM | WN22-AU-000360 | AUDIT | Windows Server 2022 must be configured to audit System | Security State Change successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000360_audit - - name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2022 must be configured to audit System - Security State Change successes." + - name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2022 must be configured to audit System | Security State Change successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable when: "'Success' not in wn22_au_000360_audit.stdout" when: @@ -2268,7 +2268,7 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000370 | PATCH | Windows Server 2022 must be configured to audit System - Security System Extension successes." +- name: "MEDIUM | WN22-AU-000370 | PATCH | Windows Server 2022 must be configured to audit System | Security System Extension successes." block: - name: "MEDIUM | WN22-AU-000370 | AUDIT | Must be configured to audit System - Security System Extension successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" 
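Review bot: In the WN22-AU-000370 hunk at `@@ -2268` the inner AUDIT task name `Must be configured to audit System - Security System Extension successes.` keeps the old dash separator and drops the `Windows Server 2022` prefix, and the PATCH name changed at `@@ -2277` keeps the shortened form, so this control ends up with three different naming styles in one block. For consistency with the rest of the commit both inner names should be `"MEDIUM | WN22-AU-000370 | AUDIT | Windows Server 2022 must be configured to audit System | Security System Extension successes."` and the PATCH equivalent.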
@@ -2277,7 +2277,7 @@ check_mode: false register: wn22_au_000370_audit - - name: "MEDIUM | WN22-AU-000370 | PATCH | Must be configured to audit System - Security System Extension successes." + - name: "MEDIUM | WN22-AU-000370 | PATCH | Must be configured to audit System | Security System Extension successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable when: "'Success' not in wn22_au_000370_audit.stdout" when: @@ -2291,16 +2291,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity successes." +- name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2022 must be configured to audit System | System Integrity successes." block: - - name: "MEDIUM | WN22-AU-000380 | AUDIT | Windows Server 2022 must be configured to audit System - System Integrity successes." + - name: "MEDIUM | WN22-AU-000380 | AUDIT | Windows Server 2022 must be configured to audit System | System Integrity successes." ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000380_audit - - name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity successes." + - name: "MEDIUM | WN22-AU-000380 | PATCH | Windows Server 2022 must be configured to audit System | System Integrity successes." ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable when: "'Success' not in wn22_au_000380_audit.stdout" when: 
@@ -2314,16 +2314,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity failures." +- name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2022 must be configured to audit System | System Integrity failures." block: - - name: "MEDIUM | WN22-AU-000390 | AUDIT | Windows Server 2022 must be configured to audit System - System Integrity failures." + - name: "MEDIUM | WN22-AU-000390 | AUDIT | Windows Server 2022 must be configured to audit System | System Integrity failures." ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_au_000390_audit - - name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2022 must be configured to audit System - System Integrity failures." + - name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2022 must be configured to audit System | System Integrity failures." ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable when: "'Failure' not in wn22_au_000390_audit.stdout" when: 
@@ -3386,16 +3386,16 @@ - CCI-002234 - CAT2 -- name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes." +- name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2022 must be configured to audit Account Management | Computer Account Management successes." block: - - name: "MEDIUM | WN22-DC-000230 | AUDIT | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes." + - name: "MEDIUM | WN22-DC-000230 | AUDIT | Windows Server 2022 must be configured to audit Account Management | Computer Account Management successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_dc_000230_audit - - name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2022 must be configured to audit Account Management - Computer Account Management successes." + - name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2022 must be configured to audit Account Management | Computer Account Management successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable when: "'Success' not in wn22_dc_000230_audit.stdout" when: 
@@ -3419,16 +3419,16 @@ - CCI-002130 - CAT2 -- name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes." +- name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Access successes." block: - - name: "MEDIUM | WN22-DC-000240 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes." + - name: "MEDIUM | WN22-DC-000240 | AUDIT | Windows Server 2022 must be configured to audit DS Access | Directory Service Access successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_dc_000240_audit - - name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access successes." + - name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Access successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable when: "'Success' not in wn22_dc_000240_audit.stdout" when: 
@@ -3447,16 +3447,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures." +- name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Access failures." block: - - name: "MEDIUM | WN22-DC-000250 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures." + - name: "MEDIUM | WN22-DC-000250 | AUDIT | Windows Server 2022 must be configured to audit DS Access | Directory Service Access failures." ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_dc_000250_audit - - name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Access failures." + - name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Access failures." ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable when: "'Failure' not in wn22_dc_000250_audit.stdout" when: 
@@ -3475,16 +3475,16 @@ - CAT2 - NeedToTestDomainController -- name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes." +- name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Changes successes." block: - - name: "MEDIUM | WN22-DC-000260 | AUDIT | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes." + - name: "MEDIUM | WN22-DC-000260 | AUDIT | Windows Server 2022 must be configured to audit DS Access | Directory Service Changes successes." ansible.windows.win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false check_mode: false register: wn22_dc_000260_audit - - name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access - Directory Service Changes successes." + - name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Changes successes." ansible.windows.win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable when: "'Success' not in wn22_dc_000260_audit.stdout" when: diff --git a/tasks/cat2_cloud.yml b/tasks/cat2_cloud.yml index ab1954b..be6463e 100644 --- a/tasks/cat2_cloud.yml +++ b/tasks/cat2_cloud.yml @@ -1,4 +1,5 @@ --- + # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS # below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." 
diff --git a/tasks/prelim.yml b/tasks/prelim.yml index e00f5f5..389daa8 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -8,9 +8,9 @@ tags: - always -# hvm is for amazon ami's, Hyper-V we have found for azure, kvm is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') -# This list is not complete and will be updated as we try on more cloud based services. -# As of now testing is working in azure using Hyper-V. We are curently using this for reference: +# HVM is Amazon AMI's, Hyper-V is Azure's, KVM is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV') +# Current list is elastic and will be updated as we test more cloud based services. +# Current testing is working in Azure using Hyper-V. We are curently using this for reference: # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205 - name: Set Fact If Cloud Based System. ansible.builtin.set_fact: @@ -34,7 +34,7 @@ tags: - always -# remove this debug or set a verb level +# remove this debug or set a verbose level - name: win2022_rdp_enabled.value var ansible.builtin.debug: var: win2022_rdp_enabled.value From c42a886bb3a0a4f0be9e4b3d4c650570779f5b9f Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 2 Aug 2023 08:16:09 -0400 Subject: [PATCH 62/95] Update .github -1 
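Review bot: The `ansible.builtin.debug` task under the reworded `# remove this debug or set a verbose level` comment is still unconditional, so the reminder the comment gives is not acted on by this hunk; the debug module's own `verbosity` option does what the comment asks, `verbosity: 1` placed under `ansible.builtin.debug:` alongside `var: win2022_rdp_enabled.value`. In the first hunk of this file the rewritten comment line still carries the typo `curently`; `currently`.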
Signed-off-by: Frederick Witty --- .github/ISSUE_TEMPLATE/bug_report.md | 40 ++++ .../feature-request-or-enhancement.md | 25 +++ .github/ISSUE_TEMPLATE/question.md | 19 ++ .github/pull_request_template.md | 15 ++ .github/workflows/OS.tfvars | 9 + .github/workflows/main.tf | 193 ++++++++++++++++++ .github/workflows/update_galaxy.yml | 21 ++ .github/workflows/vars.tf | 35 ++++ .../windows_benchmark_testing_to_devel.yml | 98 +++++++++ .../windows_benchmark_testing_to_main.yml | 101 +++++++++ 10 files changed, 556 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md create mode 100644 .github/ISSUE_TEMPLATE/question.md create mode 100644 .github/pull_request_template.md create mode 100644 .github/workflows/OS.tfvars create mode 100644 .github/workflows/main.tf create mode 100644 .github/workflows/update_galaxy.yml create mode 100644 .github/workflows/vars.tf create mode 100644 .github/workflows/windows_benchmark_testing_to_devel.yml create mode 100644 .github/workflows/windows_benchmark_testing_to_main.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..1c05e6c --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md 
@@ -0,0 +1,40 @@ +--- +name: Report Issue +about: Create a bug issue ticket to help us improve +title: '' +labels: bug +assignees: '' + +--- + +# Describe the Issue + +A clear and concise description of what the bug is. + +## Expected Behavior + +A clear and concise description of what you expected to happen. + +## Actual Behavior** + +A clear and concise description of what's happening. + +## Control(s) Affected + +What controls are being affected by the issue + +## Environment (please complete the following information) + +- Ansible Version: [e.g. 2.10] +- Host Python Version: [e.g. Python 3.7.6] +- Ansible Server Python Version: [e.g. Python 3.7.6] +- Target server details: [e.g. Windows2016 datacenter] +- Additional Details: + +## Additional Notes + +Anything additional goes here + +## Possible Solution + +Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md new file mode 100644 index 0000000..58542d9 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md @@ -0,0 +1,25 @@ +--- +name: Feature Request or Enhancement +about: Suggest an idea for this project +title: '' +labels: enhancement +assignees: '' + +--- + +# Feature Request or Enhancement + +- Feature [] +- Enhancement [] + +## Summary of Request + +A clear and concise description of what you want to happen. + +## Describe alternatives you've considered + +A clear and concise description of any alternative solutions or features you've considered. + +## Suggested Code + +Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md new file mode 100644 index 0000000..9465964 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/question.md 
@@ -0,0 +1,19 @@ +--- +name: Question +about: Ask away....... +title: '' +labels: question +assignees: '' + +--- + +# Question + +Pose question here. + +## Environment (please complete the following information) + +- Ansible Version: [e.g. 2.10] +- Host Python Version: [e.g. Python 3.7.6] +- Ansible Server Python Version: [e.g. Python 3.7.6] +- Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..66d2eae --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,15 @@ +# Overall Review of Changes + +A general description of the changes made that are being requested for merge + +## Issue Fixes + +Please list (using linking) any open issues this PR addresses + +## Enhancements + +Please list any enhancements/features that are not open issue tickets + +## How has this been tested? + +Please give an overview of how these changes were tested. If they were not please use N/A diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars new file mode 100644 index 0000000..e3ee66b --- /dev/null +++ b/.github/workflows/OS.tfvars @@ -0,0 +1,9 @@ +prefix = "Lockdown_Github_Repo_Workflow_Win_STIG" +location = "eastus2" +tagname = "ansible_lockdown_actions" +system_size = "Standard_D4s_v3" +OS_publisher = "MicrosoftWindowsServer" +OS_version = "2022" +system_release = "datacenter-gensecond" +hostname = "LE2022" +product_id = "WindowsServer" diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf new file mode 100644 index 0000000..a1a1832 --- /dev/null +++ b/.github/workflows/main.tf 
@@ -0,0 +1,193 @@ +# Configure the Azure provider +terraform { + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "~> 2.65" + } + random = { + source = "hashicorp/random" + version = "~>3.5" + } + tls = { + source = "hashicorp/tls" + version = "~>4.0" + } + } + required_version = ">= 1.1.0" +} + +provider "azurerm" { + features {} +} + +#Read Username and password from file +data "external" "win_account" { + program = ["cat", "./sensitive_info.json"] +} + +resource "azurerm_resource_group" "main" { + name = "${var.prefix}-${var.OS_version}-RG" + location = var.location + tags = { + environment = var.tagname + } +} + +resource "azurerm_virtual_network" "main" { + name = "${var.prefix}-${var.OS_version}-network" + address_space = ["172.16.0.0/16"] + location = azurerm_resource_group.main.location + resource_group_name = azurerm_resource_group.main.name + tags = { + environment = var.tagname + } +} + +resource "azurerm_subnet" "internal" { + name = "${var.prefix}-${var.OS_version}-intip" + resource_group_name = azurerm_resource_group.main.name + virtual_network_name = azurerm_virtual_network.main.name + address_prefixes = ["172.16.101.0/24"] +} + +resource "azurerm_public_ip" "main" { + name = "${var.prefix}-${var.OS_version}-pubip" + location = var.location + resource_group_name = azurerm_resource_group.main.name + allocation_method = "Static" + tags = { + environment = var.tagname + } +} + +resource "azurerm_network_interface" "main" { + name = "${var.prefix}-${var.OS_version}-nic" + resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location + + ip_configuration { + name = "internal" + subnet_id = azurerm_subnet.internal.id + private_ip_address_allocation = "Dynamic" + public_ip_address_id = azurerm_public_ip.main.id + } + + tags = { + environment = var.tagname + } + +} + +resource "azurerm_network_security_group" "secgroup" { + name = "${var.prefix}-${var.OS_version}-secgroup" + 
resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location + security_rule { + name = "default-allow-3389" + priority = 1000 + access = "Allow" + direction = "Inbound" + destination_port_range = 3389 + protocol = "*" # rdp uses both + source_port_range = "*" + source_address_prefix = "Internet" + destination_address_prefix = "*" + } + security_rule { + name = "default-allow-winrm" + priority = 1001 + access = "Allow" + direction = "Inbound" + destination_port_range = "5985-5986" + protocol = "*" # rdp uses both + source_port_range = "*" + source_address_prefix = "Internet" + destination_address_prefix = "*" + } + tags = { + environment = var.tagname + } +} + +# Associate subnet and network security group +resource "azurerm_subnet_network_security_group_association" "secgroup-assoc" { + subnet_id = azurerm_subnet.internal.id + network_security_group_id = azurerm_network_security_group.secgroup.id +} + +resource "azurerm_windows_virtual_machine" "main" { + name = "${var.hostname}-${var.OS_version}" + resource_group_name = azurerm_resource_group.main.name + location = azurerm_resource_group.main.location + size = var.system_size + admin_username = data.external.win_account.result.username + admin_password = data.external.win_account.result.password + network_interface_ids = [ + azurerm_network_interface.main.id, + ] + + source_image_reference { + publisher = var.OS_publisher + offer = var.product_id + sku = "${var.OS_version}-${var.system_release}" + version = "latest" + } + + os_disk { + storage_account_type = "Standard_LRS" + caching = "ReadWrite" + } + + tags = { + environment = var.tagname + } +} + +## Install the custom script VM extension to each VM. When the VM comes up, +## the extension will download the ConfigureRemotingForAnsible.ps1 script from GitHub +## and execute it to open up WinRM for Ansible to connect to it from Azure Cloud Shell. 
+## exit code has to be 0 +resource "azurerm_virtual_machine_extension" "enablewinrm" { + name = "enablewinrm" + virtual_machine_id = azurerm_windows_virtual_machine.main.id + publisher = "Microsoft.Compute" ## az vm extension image list --location eastus Do not use Microsoft.Azure.Extensions here + type = "CustomScriptExtension" ## az vm extension image list --location eastus Only use CustomScriptExtension here + type_handler_version = "1.10" ## az vm extension image list --location eastus + auto_upgrade_minor_version = true + settings = <> sensitive_info.json + + # Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + run: terraform apply -var-file "OS.tfvars" --auto-approve + + # Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system + + - name: Terraform_Destroy + if: always() && env.ENABLE_DEBUG == 'false' + working-directory: .github/workflows + run: terraform destroy -var-file "OS.tfvars" --auto-approve diff --git a/.github/workflows/windows_benchmark_testing_to_main.yml b/.github/workflows/windows_benchmark_testing_to_main.yml new file mode 100644 index 0000000..5f197f8 --- /dev/null +++ b/.github/workflows/windows_benchmark_testing_to_main.yml 
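Review bot: The two `security_rule` blocks in `azurerm_network_security_group.secgroup` admit 3389 and 5985-5986 from `source_address_prefix = "Internet"` with `protocol = "*"`, so every CI run stands up a VM with a static public IP whose management ports are reachable from any address for the lifetime of the run, and the comment `# rdp uses both` copied onto the WinRM rule does not apply to WinRM. Narrow `source_address_prefix` to the runner's egress address (resolved in a prior workflow step and passed in as a variable) and set `protocol = "Tcp"` on the WinRM rule; if the playbook only needs WinRM, the 3389 rule can presumably be dropped. Port 5985 is unencrypted WinRM, so if the provisioning script referenced in the comment above enables an HTTPS listener, exposing only 5986 is preferable. Note also that `admin_password` sourced from `data.external.win_account` lands in plaintext in the local Terraform state; make sure that state is never uploaded as a workflow artifact. The rest of this file, from the CustomScript `settings` block onward, is not visible in this chunk.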
@@ -0,0 +1,101 @@ +# This is a basic workflow to help you get started with Actions + +name: windows_testing_pipeline_to_main + +# Controls when the action will run. +# Triggers the workflow on push or pull request +# events but only for the devel branch +on: # yamllint disable-line rule:truthy + pull_request_target: + types: [opened, reopened, synchronize] + branches: + - main + paths: + - '**.yml' + - '**.sh' + - '**.j2' + - '**.ps1' + - '**.cfg' + +# A workflow run is made up of one or more jobs +# that can run sequentially or in parallel +jobs: + # This will create messages for first time contributers and direct them to the Discord server + welcome: + runs-on: ubuntu-latest + + steps: + - uses: actions/first-interaction@main + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + pr-message: |- + Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! + Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
+ + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + env: + ENABLE_DEBUG: false + ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }} + WIN_USERNAME: ${{ secrets.WIN_USERNAME }} + WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, + # so your job can access it + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.sha }} + + # Sensitive data stored and passed to terraform + - name: user details + working-directory: .github/workflows + run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json + + # Build out the server + - name: Terraform_Init + working-directory: .github/workflows + run: terraform init + + - name: Terraform_Validate + working-directory: .github/workflows + run: terraform validate + + - name: Terraform_Apply + working-directory: .github/workflows + run: terraform apply -var-file "OS.tfvars" --auto-approve + + # Debug Section + - name: DEBUG - Show Ansible hostfile + if: env.ENABLE_DEBUG == 'true' + working-directory: .github/workflows + run: cat hosts.yml + + # Run the ansible playbook + - name: Run_Ansible_Playbook + uses: arillso/action.playbook@master + with: + playbook: site.yml + inventory: .github/workflows/hosts.yml + galaxy_file: collections/requirements.yml + # verbose: 3 + env: + ANSIBLE_HOST_KEY_CHECKING: "false" + ANSIBLE_DEPRECATION_WARNINGS: "false" + + # Remove test system + + - name: Terraform_Destroy + working-directory: .github/workflows + if: always() && env.ENABLE_DEBUG == 'false' + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} + run: terraform destroy -var-file "OS.tfvars" --auto-approve From 92ebf13d9d28d3cb5cb78eb5d9d23762920ee993 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 2 Aug 2023 08:32:08 -0400 Subject: [PATCH 63/95] Update .pre-commit-config.yaml Signed-off-by: Frederick Witty --- .pre-commit-config.yaml | 61 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..e6541d9 --- /dev/null +++ b/.pre-commit-config.yaml 
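Review bot: The job runs on `pull_request_target` and checks out `${{ github.event.pull_request.head.sha }}`, then executes files taken from that checkout (`.github/workflows/main.tf`, `site.yml`) while `ARM_CLIENT_SECRET`, `WIN_PASSWORD` and the other repository secrets are in the job environment, so a pull request from a fork can modify the files the job executes and obtain those secrets; the visible tail of the `_to_devel` workflow repeats the same steps, so its trigger should be checked too. Gate the job on a maintainer-applied label or a deployment environment with required reviewers before any secret is exposed, or check out the base ref and run only trusted code with the secrets. The `Terraform_Destroy` step also injects `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` into an Azure-only job, which broadens secret exposure for no use in this file. `arillso/action.playbook@master` and `actions/first-interaction@main` are mutable refs; pin them to a release tag or commit SHA. The `user details` step appends with `>> sensitive_info.json`, which yields invalid JSON if the file already exists; use `> sensitive_info.json`.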
@@ -0,0 +1,61 @@ +--- +##### CI for use by github no need for action to be added +##### Inherited +ci: + autofix_prs: false + skip: [detect-aws-credentials, ansible-lint ] + +repos: +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.2.0 + hooks: + # Safety + - id: detect-aws-credentials + - id: detect-private-key + + # git checks + - id: check-merge-conflict + - id: check-added-large-files + - id: check-case-conflict + + # General checks + - id: trailing-whitespace + name: Trim Trailing Whitespace + description: This hook trims trailing whitespace. + entry: trailing-whitespace-fixer + language: python + types: [text] + args: [--markdown-linebreak-ext=md] + - id: end-of-file-fixer + +# Scan for passwords +- repo: https://github.com/Yelp/detect-secrets + rev: v1.4.0 + hooks: + - id: detect-secrets + args: ['--baseline', '.secrets.baseline'] + exclude: package.lock.json + +- repo: https://github.com/ansible-community/ansible-lint + rev: v6.17.2 + hooks: + - id: ansible-lint + name: Ansible-lint + description: This hook runs ansible-lint. + entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint + language: python + # do not pass files to ansible-lint, see: + # https://github.com/ansible/ansible-lint/issues/611 + pass_filenames: false + always_run: true + additional_dependencies: + # https://github.com/pre-commit/pre-commit/issues/1526 + # If you want to use specific version of ansible-core or ansible, feel + # free to override `additional_dependencies` in your own hook config + # file. + - ansible-core>=2.10.1 + +- repo: https://github.com/adrienverge/yamllint.git + rev: v1.32.0 # or higher tag + hooks: + - id: yamllint From c5fa2d0edf8f4844954315683839158519464ba8 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 8 Aug 2023 15:53:31 -0400 Subject: [PATCH 64/95] Update when's to one line and update titles -2 
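Review bot: `ci.skip` disables `detect-aws-credentials` on pre-commit.ci, leaving `detect-secrets` as the only credential scan there, and that hook's `--baseline .secrets.baseline` points at a file this commit does not add (the diffstat lists only `.pre-commit-config.yaml`), so unless the baseline already exists in the repository the hook will presumably fail until it is generated. If `detect-aws-credentials` is skipped because the CI runner has no AWS credentials file, the hook's `--allow-missing-credentials` argument handles that without disabling the check; either way, a comment on the `skip:` line should state the reason. `rev: v3.2.0` of pre-commit-hooks is also considerably older than the other pinned revisions here and is worth bumping when the config is regenerated.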
Signed-off-by: Frederick Witty --- .pre-commit-config.yaml | 8 +- tasks/cat1.yml | 190 +++++++++--------- tasks/cat2.yml | 92 +++------ ...cloud.yml => cat2_cloud_lockout_order.yml} | 17 +- tasks/main.yml | 13 -- tasks/prelim.yml | 21 +- 6 files changed, 126 insertions(+), 215 deletions(-) rename tasks/{cat2_cloud.yml => cat2_cloud_lockout_order.yml} (89%) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e6541d9..85562e0 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -29,12 +29,10 @@ repos: - id: end-of-file-fixer # Scan for passwords -- repo: https://github.com/Yelp/detect-secrets - rev: v1.4.0 +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.1 hooks: - - id: detect-secrets - args: ['--baseline', '.secrets.baseline'] - exclude: package.lock.json + - id: gitleaks - repo: https://github.com/ansible-community/ansible-lint rev: v6.17.2 diff --git a/tasks/cat1.yml b/tasks/cat1.yml index fccaac5..cdee0d1 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -14,11 +14,11 @@ - wn22_00_000030 tags: - WN22-00-000030 - - V-254240 + - CAT1 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254240r848536_rule - - CCI-000366 - - CAT1 + - V-254240 - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes." block: @@ -43,11 +43,11 @@ - wn22_00_000130 tags: - WN22-00-000130 - - V-205663 + - CAT1 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254250r848566_rule - - CCI-000213 - - CAT1 + - V-205663 - name: "HIGH | WN22-AC-000090 | PATCH | Windows Server 2022 reversible password encryption must be disabled." community.windows.win_security_policy: @@ -58,11 +58,11 @@ - wn22_ac_000090 tags: - WN22-AC-000090 - - V-254293 + - CAT1 + - CCI-000226 - SRG-OS-000073-GPOS-00041 - SV-254293r877397_rule - - CCI-000226 - - CAT1 + - V-254293 - name: "HIGH | WN22-CC-000210 | PATCH | Windows Server 2022 AutoPlay must be turned off for non-volume devices." ansible.windows.win_regedit: 
@@ -74,11 +74,11 @@ - wn22_cc_000210 tags: - WN22-CC-000210 - - V-254352 + - CAT1 + - CCI-001764 - SRG-OS-000368-GPOS-00154 - SV-254352r848872_rule - - CCI-001764 - - CAT1 + - V-254352 - name: "HIGH | WN22-CC-000220 | PATCH | Windows Server 2022 default AutoRun behavior must be configured to prevent AutoRun commands." ansible.windows.win_regedit: @@ -90,11 +90,11 @@ - wn22_cc_000220 tags: - WN22-CC-000220 - - V-254353 + - CAT1 + - CCI-001764 - SRG-OS-000368-GPOS-00154 - SV-254353r848875_rule - - CCI-001764 - - CAT1 + - V-254353 - name: "HIGH | WN22-CC-000230 | PATCH | Windows Server 2022 AutoPlay must be disabled for all drives." ansible.windows.win_regedit: @@ -105,11 +105,11 @@ when: wn22_cc_000230 tags: - WN22-CC-000230 - - V-254354 - - SV-254354r848878_rule - - SRG-OS-000368-GPOS-00154 - - CCI-001764 - CAT1 + - CCI-001764 + - SRG-OS-000368-GPOS-00154 + - SV-254354r848878_rule + - V-254354 - name: "HIGH | WN22-CC-000430 | PATCH | Windows Server 2022 must disable the Windows Installer Always install with elevated privileges option." ansible.windows.win_regedit: @@ -122,11 +122,11 @@ - wn22_cc_000430 tags: - WN22-CC-000430 - - V-254374 + - CAT1 + - CCI-001812 - SRG-OS-000362-GPOS-00149 - SV-254374r848938_rule - - CCI-001812 - - CAT1 + - V-254374 - name: "HIGH | WN22-CC-000470 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Basic authentication." ansible.windows.win_regedit: @@ -139,11 +139,11 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000470 - - V-254378 + - CAT1 + - CCI-000877 - SRG-OS-000125-GPOS-00065 - SV-254378r877395_rule - - CCI-000877 - - CAT1 + - V-254378 - winrm - name: "HIGH | WN22-CC-000500 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not use Basic authentication." 
@@ -157,11 +157,11 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000500 - - V-254381 + - CAT1 + - CCI-000877 - SRG-OS-000125-GPOS-00065 - SV-254381r877395_rule - - CCI-000877 - - CAT1 + - V-254381 - winrm - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." @@ -187,12 +187,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000010 - - V-254385 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254385r877392_rule - - CCI-002235 - - notest - - CAT1 + - V-254385 - name: "HIGH | WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access." block: @@ -209,11 +208,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000070 - - V-254391 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254391r877392_rule - - CCI-002235 - - CAT1 + - V-254391 - name: "HIGH | WN22-DC-000080 | AUDIT | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions." block: @@ -230,11 +229,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000080 - - V-254392 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254392r877392_rule - - CCI-002235 - - CAT1 + - V-254392 - name: "HIGH | WN22-DC-000090 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions." block: @@ -251,11 +250,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000090 - - V-205741 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-205741r569188_rule - - CCI-002235 - - CAT1 + - V-205741 - name: "HIGH | WN22-DC-000100 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions." block: 
@@ -272,11 +271,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000100 - - V-254394 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254394r877392_rule - - CCI-002235 - - CAT1 + - V-254394 - name: "HIGH | WN22-DC-000110 | AUDIT | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions." block: @@ -293,11 +292,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000110 - - V-254395 + - CAT1 + - CCI-002235 - SV-254395r877392_rule - SRG-OS-000324-GPOS-00125 - - CCI-002235 - - CAT1 + - V-254395 - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access." block: @@ -314,11 +313,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000150 - - V-254399 + - CAT1 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254399r849013_rule - - CCI-000366 - - CAT1 + - V-254399 - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)." block: @@ -335,13 +334,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000290 - - V-254413 + - CAT1 + - CCI-000185 - SRG-OS-000066-GPOS-00034 - SV-254413r849055_rule - - CCI-000185 - - CAT1 + - V-254413 -# add some task/external variable for approved CAs, check for DoD and how to pull programatically - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)." block: - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | Message out" 
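Review bot: Dropping the `# add some task/external variable for approved CAs, check for DoD and how to pull programatically` comment leaves the new side with no record that WN22-DC-000290 is still a `| Message out` audit with no programmatic issuer check, and the next hunk does the same for the `# populate a dictionary/list from customer` comment above WN22-MS-000010. Keep a short pointer above each task, e.g. `# TODO: accept an approved-CA list as a variable and verify certificate issuers programmatically`, or reference a tracking issue, so the gap is not lost with the tidy-up.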
@@ -357,13 +355,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000300 - - V-254414 + - CAT1 + - CCI-000185 - SRG-OS-000066-GPOS-00034 - SV-254414r849058_rule - - CCI-000185 - - CAT1 + - V-254414 -# populate a dictionary/list from customer - name: "HIGH | WN22-MS-000010 | AUDIT | Windows Server 2022 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system" block: - name: "HIGH | WN22-MS-000010 | AUDIT | Windows Server 2022 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system" @@ -388,12 +385,12 @@ - "'controller' not in ansible_windows_domain_role" tags: - WN22-MS-000010 - - V-254428 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254428r877392_rule - - CCI-002235 + - V-254428 - audit - - CAT1 - name: "HIGH | WN22-MS-000140 | PATCH | Windows Server 2022 must be running Credential Guard on domain-joined member servers." ansible.windows.win_regedit: @@ -412,12 +409,11 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000140 - - V-254441 + - CAT1 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254441r849139_rule - - CCI-000366 - - NeedToTestMemberServer - - CAT1 + - V-254441 - name: "HIGH | WN22-SO-000020 | PATCH | Windows Server 2022 must prevent local accounts with blank passwords from being used from the network." ansible.windows.win_regedit: @@ -429,11 +425,11 @@ - wn22_so_000020 tags: - WN22-SO-000020 - - V-254446 + - CAT1 + - CCI-000366 - SV-254446r849154_rule - SRG-OS-000480-GPOS-00227 - - CCI-000366 - - CAT1 + - V-254446 - name: "HIGH | WN22-SO-000210 | PATCH | Windows Server 2022 must not allow anonymous SID/Name translation." community.windows.win_security_policy: 
@@ -444,11 +440,11 @@ - wn22_so_000210 tags: - WN22-SO-000210 - - V-254465 + - CAT1 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254465r849211_rule - - CCI-000366 - - CAT1 + - V-254465 - name: "HIGH | WN22-SO-000220 | PATCH | Windows Server 2022 must not allow anonymous enumeration of Security Account Manager (SAM) accounts." ansible.windows.win_regedit: @@ -461,11 +457,11 @@ - ansible_windows_domain_role != "Primary domain controller" tags: - WN22-SO-000220 - - V-254466 + - CAT1 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254466r849214_rule - - CCI-000366 - - CAT1 + - V-254466 - name: "HIGH | WN22-SO-000230 | PATCH | Windows Server 2022 must not allow anonymous enumeration of shares." ansible.windows.win_regedit: @@ -477,11 +473,11 @@ - wn22_so_000230 tags: - WN22-SO-000230 - - V-254467 + - CAT1 + - CCI-001090 - SRG-OS-000138-GPOS-00069 - SV-254467r849217_rule - - CCI-001090 - - CAT1 + - V-254467 - name: "HIGH | WN22-SO-000250 | PATCH | Windows Server 2022 must restrict anonymous access to Named Pipes and Shares." ansible.windows.win_regedit: @@ -493,11 +489,11 @@ - wn22_so_000250 tags: - WN22-SO-000250 - - V-254469 + - CAT1 + - CCI-001090 - SRG-OS-000138-GPOS-00069 - SV-254469r849223_rule - - CCI-001090 - - CAT1 + - V-254469 - name: "HIGH | WN22-SO-000300 | PATCH | Windows Server 2022 must be configured to prevent the storage of the LAN Manager hash of passwords." ansible.windows.win_regedit: @@ -509,11 +505,11 @@ - wn22_so_000300 tags: - WN22-SO-000300 - - V-254474 + - CAT1 + - CCI-000226 - SRG-OS-000073-GPOS-00041 - SV-254474r877397_rule - - CCI-000226 - - CAT1 + - V-254474 - name: "HIGH | WN22-SO-000310 | PATCH | Windows Server 2022 LAN Manager authentication level must be configured to send NTLMv2 response only and to refuse LM and NTLM." ansible.windows.win_regedit: 
@@ -525,11 +521,11 @@ - wn22_so_000310 tags: - WN22-SO-000310 - - V-254467 + - CAT1 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254467r849217_rule - - CCI-000366 - - CAT1 + - V-254467 - name: "HIGH | WN22-UR-000020 | PATCH | Windows Server 2022 Act as part of the operating system user right must not be assigned to any groups or accounts." ansible.windows.win_user_right: @@ -540,11 +536,11 @@ - wn22_ur_000020 tags: - WN22-UR-000020 - - V-254492 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254492r877392_rule - - CCI-002235 - - CAT1 + - V-254492 - name: "HIGH | WN22-UR-000060 | PATCH | Windows Server 2022 Create a token object user right must not be assigned to any groups or accounts." community.windows.win_security_policy: @@ -555,16 +551,12 @@ - wn22_ur_000060 tags: - WN22-UR-000060 - - V-254496 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254496r877392_rule - - CCI-002235 - - CAT1 + - V-254496 -# fails openscap - the v1r10 xml checks for "Administrators" string but secedit uses the SIDs thus -# "SeDebugPrivilege = *S-1-5-32-544" is Administrators (openscap fails) -# emailed_disa.letterkenny.re.mbx.stig-customer-support-mailbox@mail.mil -# SCC tool works - name: "HIGH | WN22-UR-000100 | PATCH | Windows Server 2022 Debug programs: user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeDebugPrivilege @@ -574,8 +566,8 @@ - wn22_ur_000100 tags: - WN22-UR-000100 - - V-254500 + - CAT1 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254500r877392_rule - - CCI-002235 - - CAT1 + - V-254500 diff --git a/tasks/cat2.yml b/tasks/cat2.yml index b705624..31bee60 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
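Review bot: WN22-SO-000310 (LAN Manager authentication level) is still tagged `V-254467` and `SV-254467r849217_rule`, the same identifiers WN22-SO-000230 (anonymous share enumeration) carries in the `@@ -477,11 +473,11 @@` hunk on the previous line, so the reorder preserves a copy-paste error instead of fixing it. A run with `--tags V-254467` now selects both tasks, and the LAN Manager control has no identifier of its own, which also misattributes it in any report keyed on the V-number. Replace the two lines with this control's own identifiers from the benchmark, `- SV-<WN22-SO-000310 rule id>_rule` and `- V-<WN22-SO-000310 vuln id>`, and confirm the CCI/SRG pair at the same time.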
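Review bot: The comment above WN22-UR-000100 recording that OpenSCAP's check looks for the string "Administrators" while secedit exports the SID `*S-1-5-32-544` for SeDebugPrivilege (a false failure the SCC tool does not produce) is deleted in the `@@ -555,16 +551,12 @@` hunk without a replacement. That is exactly the scanner-discrepancy knowledge an operator needs when an assessment flags this control after the role has applied it, so keep it, minus the mailbox address, e.g. `# NOTE: OpenSCAP may report this as a failure because its check expects "Administrators" while secedit exports the SID *S-1-5-32-544; SCC evaluates it correctly.`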
@@ -14,18 +14,17 @@ - wn22_00_000010 tags: - WN22-00-000010 - - V-254238 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254238r848530_rule - - CCI-000366 - - CAT2 + - V-254238 + - manual -# enumerating on DC is different than standalone - name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." block: - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." ansible.windows.win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age }}))} | Select Name,PasswordLastSet" - # win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet" changed_when: false check_mode: false register: wn22_00_000020_audit_dc @@ -61,8 +60,7 @@ warn_control_id: 'WN22-00-000020' when: - not wn22_00_000020_audit_dc is skipped - - wn22_00_000020_audit_dc.stdout != "" or - - wn22_00_000020_audit_dm_sa is defined + - wn22_00_000020_audit_dc.stdout != "" or wn22_00_000020_audit_dm_sa is defined - wn22_00_000020_audit_dm_sa.stdout != "" when: - wn22_00_000020 @@ -72,7 +70,6 @@ - CCI-000199 - SV-254239r915618_rule - SRG-OS-000076-GPOS-00044 - - NeedToTestDomainController - audit - CAT2 @@ -152,7 +149,6 @@ - SV-254243r848545_rule - CCI-000366 - CAT2 - # how to make this list? - name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2022 shared user accounts must not be permitted." block: 
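Review bot: The merged entry `wn22_00_000020_audit_dc.stdout != "" or wn22_00_000020_audit_dm_sa is defined` in the `@@ -61,8 +60,7 @@` hunk is still one item of a `when` list, and list items are ANDed, so the warning is raised only when `wn22_00_000020_audit_dm_sa.stdout != ""` on the next item also holds — a stale built-in Administrator password found by the domain-controller audit alone no longer triggers it, and because the first item requires the DC audit not to be skipped, a member server where only the second audit ran cannot trigger it either. On a domain controller where the member-server audit was skipped, its registered result carries no `stdout`, so the third item would most likely fail with an undefined-attribute error rather than evaluate to false. If the intent is "either audit found something", collapse the three items into one expression such as `- (not wn22_00_000020_audit_dc is skipped and wn22_00_000020_audit_dc.stdout != "") or (not wn22_00_000020_audit_dm_sa is skipped and wn22_00_000020_audit_dm_sa.stdout != "")`. The `@@ -508,8 +499,7 @@` hunk on the next line produces the same shape for WN22-00-000200. The enclosing block and the tasks that register these results start outside this hunk, so which of the two audits can be skipped cannot be confirmed from here.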
@@ -193,10 +189,7 @@ - SV-254245r890536_rule - CCI-001774 - CAT2 - # Get-AppLockerPolicy -Effective -# Current hardware and virtual environments may not support virtualization-based security features, including Credential Guard, due to specific supporting -# requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within a virtual machine. - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." block: - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out" @@ -216,8 +209,6 @@ - SV-254246r848554_rule - CCI-000366 - CAT2 - # wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * - # if not enabled see "No Instance(s) Available." ? - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level." block: @@ -508,8 +499,7 @@ warn_control_id: 'WN22-00-000200' when: - not wn22_00_000200_audit_dc is skipped - - wn22_00_000200_audit_dc.stdout != "" or - - not wn22_00_000200_audit_dm_sa is skipped + - wn22_00_000200_audit_dc.stdout != "" or not wn22_00_000200_audit_dm_sa is skipped - wn22_00_000200_audit_dm_sa.stdout != "" when: - wn22_00_000200 
@@ -525,10 +515,7 @@ - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire." block: - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire." - ansible.windows.win_shell: | - Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | - Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} | - Format-Table -Property Name,PasswordExpires,Disabled,LocalAccount + ansible.windows.win_shell: Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} | Format-Table -Property Name,PasswordExpires,Disabled,LocalAccount # pragma: allowlist secret changed_when: false failed_when: false check_mode: false @@ -571,7 +558,6 @@ - SV-254259r890538_rule - CCI-001744 - CAT2 - # Some third party software to monitor files - name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it." block: @@ -603,7 +589,6 @@ - CCI-001090 - CAT2 -# https://stackoverflow.com/questions/31049454/how-to-retrieve-recursively-any-files-with-a-specific-extensions-in-powershell/31049571 - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed." block: - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed." @@ -634,8 +619,6 @@ - SV-254261r848599_rule - CCI-000366 - CAT2 - # do we need async; its very long running to search filesystems - # get an array of drive letters to search? - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." block: 
@@ -734,7 +717,7 @@ - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." block: - - name: "MEDIUM | WN16-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warning Message" + - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warning Message" ansible.builtin.debug: msg: - "Warning!! This is a manual task. Windows Server 2022 must employ automated mechanisms to determine the state of system" 
@@ -743,7 +726,7 @@ - "by Computer Network Defense Service Provider (CNDSP). Verify DoD-approved ESS software is installed and properly operating." - "Ask the site ISSM for documentation of the ESS software installation and configuration." - - name: "MEDIUM | WN16-00-000290 | PATCH | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warn Count" + - name: "MEDIUM | WN22-00-000290 | PATCH | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000290' 
@@ -1149,6 +1132,16 @@ - CAT2 # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS. +# We have found the order of these three tasks varies between cloud based instances +# and VM based instances. The task below breaks out to run in a different order +# for cloud based systems +- name: "CAT2 task side load for WN22-AC-000010, WN22-AC-000020, and WN22-AC-000030" + ansible.builtin.import_tasks: cat2_cloud_lockout_order.yml + when: + - win22stig_cloud_based_system + tags: + - cat2_cloud + - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." block: - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." @@ -1157,16 +1150,14 @@ - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_lockoutbadcount == 0 or - wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000020' when: - - wn22stig_lockoutbadcount == 0 or - wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." community.windows.win_security_policy: @@ -1176,7 +1167,6 @@ when: - wn22stig_lockoutbadcount > 0 - wn22stig_lockoutbadcount <= 3 - when: - wn22_ac_000020 - not win22stig_cloud_based_system 
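Review bot: The new side-load task is tagged `cat2_cloud`, while every other tag in this file is upper-case (`CAT1`, `CAT2`) and the import it replaces in tasks/main.yml was tagged `CAT2_CLOUD2`; Ansible tags are case-sensitive, so any invocation that used the old tag now selects nothing and gives no error. Use the file's convention, `- CAT2_CLOUD`, and mention the rename in the commit message so operators update their tag lists. The old import also required one of `wn22_ac_000010`, `wn22_ac_000020` or `wn22_ac_000030` to be enabled; that guard is dropped here, which is fine only if every task in cat2_cloud_lockout_order.yml keeps its own `when` on those variables, as the `@@ -64,8 +62,7 @@` hunk of that file suggests it does.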
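Review bot: Removing the second `when:` line in the `@@ -1176,7 +1167,6 @@` hunk changes which task `wn22_ac_000020` and `not win22stig_cloud_based_system` attach to, and the indentation is not recoverable from this rendering: if they now extend the Apply Variable task's own `when` instead of forming the block's, the Warning and Warn Count tasks of WN22-AC-000020 will also run on cloud-based hosts, duplicating the warnings produced by cat2_cloud_lockout_order.yml, and will run even when `wn22_ac_000020` is false. Please confirm that `when: - wn22_ac_000020 - not win22stig_cloud_based_system` remains the block-level condition, as it does for WN22-AC-000010 in the `@@ -1251,8 +1239,7 @@` hunk. The block itself starts outside this hunk.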
@@ -1188,7 +1178,7 @@ - CCI-000044 - CAT2 -# below task is dependent on WN16-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" +# Below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." block: - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." @@ -1198,7 +1188,6 @@ - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_resetlockoutcount < 15 - - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: @@ -1225,7 +1214,6 @@ - CCI-002238 - CAT2 -# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." block: - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." 
@@ -1251,8 +1239,7 @@ key: LockoutDuration value: "{{ wn22stig_lockoutduration }}" when: - - wn22stig_lockoutduration == 0 or - wn22stig_lockoutduration >= 15 + - wn22stig_lockoutduration == 0 or wn22stig_lockoutduration >= 15 when: - wn22_ac_000010 - not win22stig_cloud_based_system @@ -1287,16 +1274,14 @@ - "Warning!! You have a invalid number of days set for wn22stig_maximumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_maximumpasswordage == 0 or - wn22stig_maximumpasswordage > 60 + - wn22stig_maximumpasswordage == 0 or wn22stig_maximumpasswordage > 60 - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2022 maximum password age must be configured to 60 days or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000050' when: - - wn22stig_maximumpasswordage == 0 or - wn22stig_maximumpasswordage > 60 + - wn22stig_maximumpasswordage == 0 or wn22stig_maximumpasswordage > 60 - name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2022 maximum password age must be configured to 60 days or less. | Apply Variable." community.windows.win_security_policy: @@ -3445,7 +3430,6 @@ - CCI-000172 - CCI-002234 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Access failures." block: @@ -3473,7 +3457,6 @@ - CCI-000172 - CCI-002234 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Changes successes." block: @@ -3501,7 +3484,6 @@ - CCI-000172 - CCI-002234 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate." block: 
@@ -3571,7 +3553,6 @@ - CCI-002418 - CCI-002421 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000330 | PATCH | Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords." ansible.windows.win_regedit: @@ -3589,7 +3570,6 @@ - SV-254417r849067_rule - CCI-000366 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000340 | PATCH | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers." ansible.windows.win_user_right: @@ -3609,7 +3589,6 @@ - SV-254418r849070_rule - CCI-000213 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000350 | PATCH | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: @@ -3626,7 +3605,6 @@ - SV-254419r877392_rule - CCI-002235 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000360 | PATCH | Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: @@ -3643,7 +3621,6 @@ - SV-254420r849076_rule - CCI-000213 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000370 | PATCH | Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: @@ -3660,7 +3637,6 @@ - SV-254421r849079_rule - CCI-000213 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000380 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: 
@@ -3677,7 +3653,6 @@ - SV-254422r849082_rule - CCI-000213 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000390 | PATCH | Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers." community.windows.win_security_policy: @@ -3694,7 +3669,6 @@ - SV-254423r849085_rule - CCI-000213 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000400 | PATCH | Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: @@ -3711,7 +3685,6 @@ - SV-254424r849088_rule - CCI-000213 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000410 | PATCH | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: @@ -3728,7 +3701,6 @@ - SV-254425r849091_rule - CCI-002314 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000420 | PATCH | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: @@ -3745,7 +3717,6 @@ - SV-254426r877392_rule - CCI-002235 - CAT2 - - NeedToTestDomainController - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." block: @@ -3774,7 +3745,6 @@ - SRG-OS-000480-GPOS-00227 - SV-254427r849097_rule - CCI-000366 - - NeedToTestDomainController - CAT2 - name: "MEDIUM | WN22-MS-000020 | PATCH | Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." 
@@ -3793,7 +3763,6 @@ - SV-254429r849103_rule - CCI-001084 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-MS-000030 | PATCH | Windows Server 2022 local users on domain-joined member servers must not be enumerated." ansible.windows.win_regedit: @@ -3811,7 +3780,6 @@ - SV-254430r849106_rule - CCI-000381 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-MS-000040 | PATCH | Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems." ansible.windows.win_regedit: @@ -3912,7 +3880,6 @@ - SV-254435r849121_rule - CCI-000213 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: @@ -3941,7 +3908,6 @@ - SV-254436r849124_rule - CCI-000213 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: @@ -3971,7 +3937,6 @@ - SV-254437r890547_rule - CCI-000213 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-MS-000110 | PATCH | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: 
@@ -4001,7 +3966,6 @@ - SV-254438r849130_rule - CCI-000213 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-MS-000120 | PATCH | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." block: @@ -4032,7 +3996,6 @@ - SV-254439r849133_rule - CCI-002314 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-MS-000130 | PATCH | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems." community.windows.win_security_policy: @@ -4255,7 +4218,6 @@ - CCI-002418 - CCI-002421 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-SO-000070 | PATCH | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled." ansible.windows.win_regedit: @@ -4275,7 +4237,6 @@ - CCI-002418 - CCI-002421 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-SO-000080 | PATCH | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." ansible.windows.win_regedit: @@ -4295,7 +4256,6 @@ - CCI-002418 - CCI-002421 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-SO-000090 | PATCH | Windows Server 2022 computer account password must not be prevented from being reset." ansible.windows.win_regedit: @@ -4313,7 +4273,6 @@ - SV-254453r877039_rule - CCI-001967 - CAT2 - - NeedToTestMemberServer - name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less." ansible.windows.win_regedit: 
@@ -4665,7 +4624,6 @@ - SV-254482r849262_rule - CCI-002038 - CAT2 - # - exclusions for server core? think its NA there - name: "MEDIUM | WN22-SO-000390 | PATCH | Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." ansible.windows.win_regedit: diff --git a/tasks/cat2_cloud.yml b/tasks/cat2_cloud_lockout_order.yml similarity index 89% rename from tasks/cat2_cloud.yml rename to tasks/cat2_cloud_lockout_order.yml index be6463e..829c975 100644 --- a/tasks/cat2_cloud.yml +++ b/tasks/cat2_cloud_lockout_order.yml @@ -10,16 +10,14 @@ - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_lockoutbadcount == 0 or - wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000020' when: - - wn22stig_lockoutbadcount == 0 or - wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." community.windows.win_security_policy: @@ -64,8 +62,7 @@ key: LockoutDuration value: "{{ wn22stig_lockoutduration }}" when: - - wn22stig_lockoutduration == 0 or - wn22stig_lockoutduration >= 15 + - wn22stig_lockoutduration == 0 or wn22stig_lockoutduration >= 15 when: - wn22_ac_000010 tags: 
@@ -76,7 +73,7 @@ - CCI-002238 - CAT2 -# below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN16-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" +# The below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." block: - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." @@ -85,16 +82,14 @@ - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_resetlockoutcount > wn22stig_lockoutduration or - wn22stig_resetlockoutcount < 15 + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or wn22stig_resetlockoutcount < 15 - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000030' when: - - wn22stig_resetlockoutcount > wn22stig_lockoutduration or - wn22stig_resetlockoutcount < 15 + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or wn22stig_resetlockoutcount < 15 - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" community.windows.win_security_policy: diff --git a/tasks/main.yml b/tasks/main.yml index e4ea719..86d12f2 100644 --- a/tasks/main.yml 
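Review bot: The reflowed warning condition for WN22-AC-000030 in this file, `wn22stig_resetlockoutcount > wn22stig_lockoutduration or wn22stig_resetlockoutcount < 15`, differs from the same control in tasks/cat2.yml (`@@ -1198,7 +1188,6 @@`), which only checks `wn22stig_resetlockoutcount < 15`, so a reset window longer than the lockout duration is warned about on cloud-based hosts but silently attempted elsewhere. Presumably the extra comparison exists because Windows will not accept a reset counter window that exceeds the lockout duration; align the cat2.yml condition with this one so both code paths validate the variables identically. The enclosing block starts outside this hunk.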
+++ b/tasks/main.yml @@ -43,19 +43,6 @@ tags: - CAT1 -# We have found the order of these three tasks varies between cloud based instances -# and VM based instances. The task below breaks out to run in a different order -# for cloud based systems -- name: Execute the category 2 (medium severity) tasks for cloud based system - ansible.builtin.import_tasks: cat2_cloud.yml - when: - - win22stig_cloud_based_system - - wn22_ac_000010 or - wn22_ac_000020 or - wn22_ac_000030 - tags: - - CAT2_CLOUD2 - - name: Execute the category 2 (Medium Severity) tasks ansible.builtin.import_tasks: cat2.yml when: win2022stig_cat2_patch diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 389daa8..b767260 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -16,29 +16,10 @@ ansible.builtin.set_fact: win22stig_cloud_based_system: true when: - - ansible_virtualization_type == 'Hyper-V' or - ansible_virtualization_type == 'hvm' or - ansible_virtualization_type == 'kvm' + - ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or ansible_virtualization_type == 'kvm' tags: - always -# 1 = disabled 0 = enabled -# this reg key may be useful detect is secure conenctions enabled, etc? -- name: "PRELIM | Detect if Remote Desktop Services (RDP) is Enabled" - ansible.windows.win_reg_stat: - path: HKLM:\System\CurrentControlSet\Control\Terminal Server - name: fDenyTSConnections - changed_when: false - failed_when: false - register: win2022_rdp_enabled - tags: - - always - -# remove this debug or set a verbose level -- name: win2022_rdp_enabled.value var - ansible.builtin.debug: - var: win2022_rdp_enabled.value - - name: Get Drive Letters" ansible.windows.win_shell: Get-Volume | ?{ $_.DriveType -eq 'Fixed' } | Select-Object -ExpandProperty 'DriveLetter' changed_when: false From b9b0e64819a92639b5ba7507ec063fd8c93fb585 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 9 Aug 2023 16:04:11 -0400 Subject: [PATCH 65/95] Tag order update wn22_au_000360 
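Review bot: In the tasks/prelim.yml hunk, `win22stig_cloud_based_system` is set purely from `ansible_virtualization_type` being `Hyper-V`, `hvm` or `kvm`, which is equally true of on-premises Hyper-V and KVM guests, so the alternate lockout-task ordering imported in tasks/cat2.yml will also apply to those hosts, and nothing on the page says whether that ordering is correct there. A comment documenting the heuristic would stop the next reader from taking the name literally, e.g. `# Heuristic: Hyper-V/hvm/kvm guests are treated as "cloud based" so the account-lockout tasks run in the order those platforms need; adjust if your VMs are not cloud instances.` Because `set_fact` outranks inventory and play variables, an operator cannot override this detection from inventory while the condition matches; if an override is wanted, the task needs a guard for an explicitly supplied value. The task's `- name:` line is outside this hunk.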
Signed-off-by: Frederick Witty --- tasks/cat2.yml | 603 +++++++++++++++-------------- tasks/cat2_cloud_lockout_order.yml | 2 +- tasks/cat3.yml | 75 ++-- tasks/main.yml | 4 +- 4 files changed, 361 insertions(+), 323 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 31bee60..65e6419 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -19,7 +19,7 @@ - SRG-OS-000480-GPOS-00227 - SV-254238r848530_rule - V-254238 - - manual + - audit - name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." block: @@ -66,12 +66,12 @@ - wn22_00_000020 tags: - WN22-00-000020 - - V-254239 + - CAT2 - CCI-000199 - - SV-254239r915618_rule - SRG-OS-000076-GPOS-00044 + - SV-254239r915618_rule + - V-254239 - audit - - CAT2 - name: "MEDIUM | WN22-00-000040 | AUDIT | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." block: @@ -103,12 +103,13 @@ - "'controller' not in ansible_windows_domain_role" tags: - WN22-00-000040 - - V-254241 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254241r848539_rule - - CCI-000366 + - V-254241 - audit - - CAT2 + - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2022 manually managed application account passwords must be at least 15 characters in length." block: @@ -124,11 +125,11 @@ - wn22_00_000050 tags: - WN22-00-000050 - - V-254242 + - CAT2 + - CCI-000205 - SRG-OS-000078-GPOS-00046 - SV-254242r848542_rule - - CCI-000205 - - CAT2 + - V-254242 - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization." block: 
@@ -144,11 +145,11 @@
- wn22_00_000060
tags:
- WN22-00-000060
- - V-254243
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254243r848545_rule
- - CCI-000366
- - CAT2
+ - V-254243
- name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2022 shared user accounts must not be permitted."
block:
@@ -164,11 +165,11 @@
- wn22_00_000070
tags:
- WN22-00-000070
- - V-254244
+ - CAT2
+ - CCI-000764
- SRG-OS-000104-GPOS-00051
- SV-254244r848548_rule
- - CCI-000764
- - CAT2
+ - V-254244
- name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
block:
@@ -184,11 +185,11 @@
- wn22_00_000080
tags:
- WN22-00-000080
- - V-254245
+ - CAT2
+ - CCI-001774
- SRG-OS-000370-GPOS-00155
- SV-254245r890536_rule
- - CCI-001774
- - CAT2
+ - V-254245
- name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use."
block:
@@ -204,11 +205,11 @@
- wn22_00_000090
tags:
- WN22-00-000090
- - V-254246
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254246r848554_rule
- - CCI-000366
- - CAT2
+ - V-254246
- name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level."
block:
@@ -224,11 +225,11 @@
- wn22_00_000100
tags:
- WN22-00-000100
- - V-254247
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254247r848557_rule
- - CCI-000366
- - CAT2
+ - V-254247
- name: "MEDIUM | WN22-00-000110 | AUDIT | Windows Server 2022 must use an antivirus program."
block:
@@ -244,11 +245,11 @@
- wn22_00_000110
tags:
- WN22-00-000110
- - V-254248
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254248r848560_rule
- - CCI-000366
- - CAT2
+ - V-254248
- name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system."
block:
@@ -264,11 +265,11 @@
- wn22_00_000120
tags:
- WN22-00-000120
- - V-254249
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254249r848563_rule
- - CCI-000366
- - CAT2
+ - V-254249
- name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
block:
@@ -284,11 +285,11 @@
- wn22_00_000140
tags:
- WN22-00-000140
- - V-254251
+ - CAT2
+ - CCI-002165
- SRG-OS-000312-GPOS-00122
- SV-254251r848569_rule
- - CCI-002165
- - CAT2
+ - V-254251
- name: "MEDIUM | WN22-00-000150 | AUDIT | Windows Server 2022 permissions for program file directories must conform to minimum requirements."
block:
@@ -323,11 +324,12 @@
- wn22_00_000150
tags:
- WN22-00-000150
- - V-254252
+ - CAT2
+ - CCI-002165
- SRG-OS-000312-GPOS-00122
- SV-254252r848572_rule
- - CCI-002165
- - CAT2
+ - V-254252
+ - audit
- name: "MEDIUM | WN22-00-000160 | AUDIT | Windows Server 2022 permissions for the Windows installation directory must conform to minimum requirements."
block:
@@ -352,11 +354,12 @@
- wn22_00_000160
tags:
- WN22-00-000160
- - V-254253
+ - CAT2
+ - CCI-002165
- SRG-OS-000312-GPOS-00122
- SV-254253r848575_rule
- - CCI-002165
- - CAT2
+ - V-254253
+ - audit
- name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
block:
@@ -372,11 +375,11 @@
- wn22_00_000170
tags:
- WN22-00-000170
- - V-254254
+ - CAT2
+ - CCI-002235
- SRG-OS-000324-GPOS-00125
- SV-254254r877392_rule
- - CCI-002235
- - CAT2
+ - V-254254
- name: "MEDIUM | WN22-00-000190 | AUDIT | Windows Server 2022 outdated or unused accounts must be removed from the system or disabled."
block:
@@ -451,11 +454,11 @@
- wn22_00_000190
tags:
- WN22-00-000190
- - V-254256
+ - CAT2
+ - CCI-000795
- SRG-OS-000118-GPOS-00060
- SV-254256r848584_rule
- - CCI-000795
- - CAT2
+ - V-254256
- name: "MEDIUM | WN22-00-000200 | AUDIT | Windows Server 2022 accounts must require passwords."
block:
@@ -505,12 +508,12 @@
- wn22_00_000200
tags:
- WN22-00-000200
- - V-254257
+ - CAT2
+ - CCI-000764
- SRG-OS-000104-GPOS-00051
- SV-254257r848587_rule
- - CCI-000764
+ - V-254257
- audit
- - CAT2
- name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire."
block:
@@ -533,11 +536,12 @@
- wn22_00_000210
tags:
- WN22-00-000210
- - V-254258
- - SRG-OS-000076-GPOS-00044
- - SV-254258r848590_rule
- CAT2
- CCI-000199
+ - SRG-OS-000076-GPOS-00044
+ - SV-254258r848590_rule
+ - V-254258
+ - audit
- name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2022 system files must be monitored for unauthorized changes."
block:
@@ -553,11 +557,11 @@
- wn22_00_000220
tags:
- WN22-00-000220
- - V-254259
+ - CAT2
+ - CCI-001744
- SRG-OS-000363-GPOS-00150
- SV-254259r890538_rule
- - CCI-001744
- - CAT2
+ - V-254259
- name: "MEDIUM | WN22-00-000230 | AUDIT | Windows Server 2022 non-system-created file shares on a system must limit access to groups that require it."
block:
@@ -583,11 +587,12 @@
- wn22_00_000230
tags:
- WN22-00-000230
- - V-254260
+ - CAT2
+ - CCI-001090
- SRG-OS-000138-GPOS-00069
- SV-254260r848596_rule
- - CCI-001090
- - CAT2
+ - V-254260
+ - audit
- name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed."
block:
@@ -614,11 +619,12 @@
- wn22_00_000240
tags:
- WN22-00-000240
- - V-254261
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254261r848599_rule
- - CCI-000366
- - CAT2
+ - V-254261
+ - audit
- name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
block:
@@ -634,13 +640,13 @@
- wn22_00_000250
tags:
- WN22-00-000250
- - V-254262
- - SRG-OS-000185-GPOS-00079
- - SV-254262r848602_rule
+ - CAT2
- CCI-001199
- CCI-002475
- CCI-002476
- - CAT2
+ - SRG-OS-000185-GPOS-00079
+ - SV-254262r848602_rule
+ - V-254262
- name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process."
block:
@@ -656,12 +662,12 @@
- wn22_00_000260
tags:
- WN22-00-000260
- - V-254263
- - SRG-OS-000425-GPOS-00189
- - SV-254263r848605_rule
+ - CAT2
- CCI-002420
- CCI-002422
- - CAT2
+ - SRG-OS-000425-GPOS-00189
+ - SV-254263r848605_rule
+ - V-254263
- name: "MEDIUM | WN22-00-000270 | AUDIT | Windows Server 2022 must have the roles and features required by the system documented."
block:
@@ -688,11 +694,12 @@
- wn22_00_000270
tags:
- WN22-00-000270
- - V-254264
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254264r848608_rule
- - CCI-000381
- - CAT2
+ - V-254264
+ - audit
- name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled."
block:
@@ -708,12 +715,12 @@
- wn22_00_000280
tags:
- WN22-00-000280
- - V-254265
- - SRG-OS-000480-GPOS-00227
- - SV-254265r848611_rule
+ - CAT2
- CCI-000366
- CCI-002080
- - CAT2
+ - SRG-OS-000480-GPOS-00227
+ - SV-254265r848611_rule
+ - V-254265
- name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)."
block:
@@ -734,11 +741,11 @@
- wn22_00_000290
tags:
- WN22-00-000290
- - V-254266
+ - CAT2
+ - CCI-001233
- SRG-OS-000191-GPOS-00080
- SV-254266r849353_rule
- - CCI-001233
- - CAT2
+ - V-254266
- name: "MEDIUM | WN22-00-000300 | AUDIT | Windows Server 2022 must automatically remove or disable temporary user accounts after 72 hours."
block:
@@ -785,11 +792,12 @@
- wn22_00_000300
tags:
- WN22-00-000300
- - V-254267
+ - CAT2
+ - CCI-000016
- SRG-OS-000002-GPOS-00002
- SV-254267r848617_rule
- - CCI-000016
- - CAT2
+ - V-254267
+ - audit
- name: "MEDIUM | WN22-00-000310 | AUDIT | Windows Server 2022 must automatically remove or disable emergency accounts after the crisis is resolved or within 72 hours."
block:
@@ -836,11 +844,12 @@
- wn22_00_000310
tags:
- WN22-00-000310
- - V-254268
+ - CAT2
+ - CCI-001682
- SRG-OS-000123-GPOS-00064
- SV-254268r848620_rule
- - CCI-001682
- - CAT2
+ - V-254268
+ - audit
- name: "MEDIUM | WN22-00-000320 | PATCH | Windows Server 2022 must not have the Fax Server role installed."
ansible.windows.win_feature:
@@ -851,11 +860,11 @@
- wn22_00_000320
tags:
- WN22-00-000320
- - V-254269
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254269r848623_rule
- - CCI-000381
- - CAT2
+ - V-254269
- name: "MEDIUM | WN22-00-000330 | PATCH | Windows Server 2022 must not have the Microsoft FTP service installed unless required by the organization."
ansible.windows.win_feature:
@@ -866,11 +875,11 @@
- wn22_00_000330
tags:
- WN22-00-000330
- - V-254270
+ - CAT2
+ - CCI-000382
- SRG-OS-000096-GPOS-00050
- SV-254270r848626_rule
- - CCI-000382
- - CAT2
+ - V-254270
- name: "MEDIUM | WN22-00-000340 | PATCH | Windows Server 2022 must not have the Peer Name Resolution Protocol installed."
ansible.windows.win_feature:
@@ -881,11 +890,11 @@
- wn22_00_000340
tags:
- WN22-00-000340
- - V-254271
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254271r848629_rule
- - CCI-000381
- - CAT2
+ - V-254271
- name: "MEDIUM | WN22-00-000350 | PATCH | Windows Server 2022 must not have Simple TCP/IP Services installed."
ansible.windows.win_feature:
@@ -895,11 +904,11 @@
- wn22_00_000350
tags:
- WN22-00-000350
- - V-254272
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254272r848632_rule
- - CCI-000381
- - CAT2
+ - V-254272
- name: "MEDIUM | WN22-00-000360 | PATCH | Windows Server 2022 must not have the Telnet Client installed."
ansible.windows.win_feature:
@@ -909,11 +918,11 @@
- wn22_00_000360
tags:
- WN22-00-000360
- - V-254273
+ - CAT2
+ - CCI-000382
- SRG-OS-000096-GPOS-00050
- SV-254273r848635_rule
- - CCI-000382
- - CAT2
+ - V-254273
- name: "MEDIUM | WN22-00-000370 | PATCH | Windows Server 2022 must not have the TFTP Client installed."
ansible.windows.win_feature:
@@ -923,11 +932,11 @@
- wn22_00_000370
tags:
- WN22-00-000370
- - V-254274
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254274r848638_rule
- - CCI-000381
- - CAT2
+ - V-254274
- name: "MEDIUM | WN22-00-000380 | PATCH | Windows Server 2022 must not have the Server Message Block (SMB) v1 protocol installed."
ansible.windows.win_feature:
@@ -938,11 +947,11 @@
- wn22_00_000380
tags:
- WN22-00-000380
- - V-254275
- CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254275r848641_rule
- - CCI-000381
+ - V-254275
- name: "MEDIUM | WN22-00-000390 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
ansible.windows.win_regedit:
@@ -955,11 +964,11 @@
- wn22_00_000390
tags:
- WN22-00-000390
- - V-254276
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254276r848644_rule
- - CCI-000381
- - CAT2
+ - V-254276
- name: "MEDIUM | WN22-00-000400 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server."
ansible.windows.win_regedit:
@@ -972,11 +981,11 @@
- wn22_00_000400
tags:
- WN22-00-000400
- - V-254277
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254277r848647_rule
- - CCI-000381
- - CAT2
+ - V-254277
- name: "MEDIUM | WN22-00-000410 | PATCH | Windows Server 2022 must not have Windows PowerShell 2.0 installed."
ansible.windows.win_feature:
@@ -986,11 +995,11 @@
- wn22_00_000410
tags:
- WN22-00-000410
- - V-254278
+ - CAT2
+ - CCI-000381
- SRG-OS-000095-GPOS-00049
- SV-254278r848650_rule
- - CCI-000381
- - CAT2
+ - V-254278
- name: "MEDIUM | WN22-00-000420 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent anonymous logons."
block:
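Review bot: The -938 and -955 hunks re-tag WN22-00-000390 and WN22-00-000400, but the context lines show both tasks with the identical name `... (SMB) v1 protocol disabled on the SMB server.`, so the two cannot be told apart in play output or in `--list-tasks`; the second presumably covers the SMB client side and its name should say so (please verify the wording against the benchmark, the registry path it sets is outside the hunk). Since the commit is already touching the tag blocks of both tasks, fixing the name in the same change would keep the STIG ID, name and tags consistent in one place. Each enclosing task begins above its hunk.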
@@ -1020,11 +1029,12 @@
- wn22_00_000420
tags:
- WN22-00-000420
- - V-254279
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254279r848653_rule
- - CCI-000366
- - CAT2
+ - V-254279
+ - audit
- name: "MEDIUM | WN22-00-000430 | AUDIT | Windows Server 2022 FTP servers must be configured to prevent access to the system drive."
block:
@@ -1065,11 +1075,12 @@
- wn22_00_000430
tags:
- WN22-00-000430
- - V-254280
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254280r848656_rule
- - CCI-000366
- - CAT2
+ - V-254280
+ - audit
- name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights"
block:
@@ -1085,11 +1096,11 @@
- wn22_00_000450
tags:
- WN22-00-000450
- - V-254282
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254282r848662_rule
- - CCI-000366
- - CAT2
+ - V-254282
- name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS."
block:
@@ -1105,11 +1116,11 @@
- wn22_00_000460
tags:
- WN22-00-000460
- - V-254283
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254283r848665_rule
- - CCI-000366
- - CAT2
+ - V-254283
- name: "MEDIUM | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled."
block:
@@ -1125,11 +1136,11 @@
- wn22_00_000470
tags:
- WN22-00-000470
- - V-254284
+ - CAT2
+ - CCI-000366
- SRG-OS-000480-GPOS-00227
- SV-254284r848668_rule
- - CCI-000366
- - CAT2
+ - V-254284
# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS.
# We have found the order of these three tasks varies between cloud based instances
@@ -1172,11 +1183,11 @@
- not win22stig_cloud_based_system
tags:
- WN22-AC-000020
- - V-254286
+ - CAT2
+ - CCI-000044
- SRG-OS-000021-GPOS-00005
- SV-254286r848674_rule
- - CCI-000044
- - CAT2
+ - V-254286
# Below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value"
- name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
@@ -1207,12 +1218,12 @@
- not win22stig_cloud_based_system
tags:
- WN22-AC-000030
- - V-254287
- - SRG-OS-000021-GPOS-00005
- - SV-254287r848677_rule
+ - CAT2
- CCI-000044
- CCI-002238
- - CAT2
+ - SRG-OS-000021-GPOS-00005
+ - SV-254287r848677_rule
+ - V-254287
- name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater."
block:
@@ -1245,11 +1256,11 @@
- not win22stig_cloud_based_system
tags:
- WN22-AC-000010
- - V-254285
+ - CAT2
+ - CCI-002238
- SRG-OS-000329-GPOS-00128
- SV-254285r848671_rule
- - CCI-002238
- - CAT2
+ - V-254285
- name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered."
community.windows.win_security_policy:
@@ -1260,11 +1271,11 @@
- wn22_ac_000040
tags:
- WN22-AC-000040
- - V-254288
+ - CAT2
+ - CCI-000200
- SRG-OS-000077-GPOS-00045
- SV-254288r848680_rule
- - CCI-000200
- - CAT2
+ - V-254288
- name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2022 maximum password age must be configured to 60 days or less."
block:
@@ -1295,11 +1306,11 @@
- wn22_ac_000050
tags:
- WN22-AC-000050
- - V-254289
+ - CAT2
+ - CCI-000199
- SRG-OS-000076-GPOS-00044
- SV-254289r848683_rule
- - CCI-000199
- - CAT2
+ - V-254289
- name: "MEDIUM | WN22-AC-000060 | PATCH | Windows Server 2022 minimum password age must be configured to at least one day."
block:
@@ -1329,11 +1340,11 @@
- wn22_ac_000060
tags:
- WN22-AC-000060
- - V-254290
+ - CAT2
+ - CCI-000198
- SRG-OS-000075-GPOS-00043
- SV-254290r848686_rule
- - CCI-000198
- - CAT2
+ - V-254290
- name: "MEDIUM | WN22-AC-000070 | PATCH | Windows Server 2022 minimum password length must be configured to 14 characters."
block:
@@ -1363,11 +1374,11 @@
- wn22_ac_000070
tags:
- WN22-AC-000070
- - V-254291
+ - CAT2
+ - CCI-000205
- SRG-OS-000078-GPOS-00046
- SV-254291r890539_rule
- - CCI-000205
- - CAT2
+ - V-254291
- name: "MEDIUM | WN22-AC-000080 | PATCH | Windows Server 2022 must have the built-in Windows password complexity policy enabled."
community.windows.win_security_policy:
@@ -1378,14 +1389,14 @@
- wn22_ac_000080
tags:
- WN22-AC-000080
- - V-254292
- - SRG-OS-000069-GPOS-00037
- - SV-254292r848692_rule
+ - CAT2
- CCI-000192
- CCI-000193
- CCI-000194
- CCI-001619
- - CAT2
+ - SRG-OS-000069-GPOS-00037
+ - SV-254292r848692_rule
+ - V-254292
- name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited."
block:
@@ -1404,11 +1415,11 @@
- wn22_au_000010
tags:
- WN22-AU-000010
- - V-254294
+ - CAT2
+ - CCI-001851
- SRG-OS-000342-GPOS-00133
- SV-254294r877390_rule
- - CCI-001851
- - CAT2
+ - V-254294
- name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly."
block:
@@ -1426,11 +1437,11 @@
- wn22_au_000020
tags:
- WN22-AU-000020
- - V-254295
+ - CAT2
+ - CCI-001851
- SRG-OS-000479-GPOS-00224
- SV-254295r848701_rule
- - CCI-001851
- - CAT2
+ - V-254295
- name: "MEDIUM | WN22-AU-000030 | AUDIT | Windows Server 2022 permissions for the Application event log must prevent access by non-privileged accounts."
block:
@@ -1465,13 +1476,13 @@
- wn22_au_000030
tags:
- WN22-AU-000030
- - V-254296
- - SRG-OS-000057-GPOS-00027
- - SV-254296r848704_rule
+ - CAT2
- CCI-000162
- CCI-000163
- CCI-000164
- - CAT2
+ - SRG-OS-000057-GPOS-00027
+ - SV-254296r848704_rule
+ - V-254296
- name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts."
block:
@@ -1506,13 +1517,14 @@
- wn22_au_000040
tags:
- WN22-AU-000040
- - V-254297
- - SRG-OS-000057-GPOS-00027
- - SV-254297r848707_rule
+ - CAT2
- CCI-000162
- CCI-000163
- CCI-000164
- - CAT2
+ - SRG-OS-000057-GPOS-00027
+ - SV-254297r848707_rule
+ - V-254297
+ - audit
- name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts."
block:
@@ -1547,13 +1559,14 @@
- wn22_au_000050
tags:
- WN22-AU-000050
- - V-254298
- - SRG-OS-000057-GPOS-00027
- - SV-254298r848710_rule
+ - CAT2
- CCI-000162
- CCI-000163
- CCI-000164
- - CAT2
+ - SRG-OS-000057-GPOS-00027
+ - SV-254298r848710_rule
+ - V-254298
+ - audit
- name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion."
block:
@@ -1584,12 +1597,13 @@
- wn22_au_000060
tags:
- WN22-AU-000060
- - V-254299
- - SRG-OS-000257-GPOS-00098
- - SV-254299r848713_rule
+ - CAT2
- CCI-001494
- CCI-001495
- - CAT2
+ - SRG-OS-000257-GPOS-00098
+ - SV-254299r848713_rule
+ - V-254299
+ - audit
- name: "MEDIUM | WN22-AU-000070 | PATCH | Windows Server 2022 must be configured to audit Account Logon | Credential Validation successes."
block:
@@ -1607,11 +1621,12 @@
- wn22_au_000070
tags:
- WN22-AU-000070
- - V-254300
+ - CAT2
+ - CCI-000172
- SRG-OS-000470-GPOS-00214
- SV-254300r848716_rule
- - CCI-000172
- - CAT2
+ - V-254300
+ - audit
- name: "MEDIUM | WN22-AU-000080 | PATCH | Windows Server 2022 must be configured to audit Account Logon | Credential Validation failures."
block:
@@ -1629,11 +1644,12 @@
- wn22_au_000080
tags:
- WN22-AU-000080
- - V-254301
+ - CAT2
+ - CCI-000172
- SRG-OS-000470-GPOS-00214
- SV-254301r848719_rule
- - CCI-000172
- - CAT2
+ - V-254301
+ - audit
- name: "MEDIUM | WN22-AU-000090 | PATCH | Windows Server 2022 must be configured to audit Account Management | Other Account Management Events successes."
block:
@@ -1651,12 +1667,13 @@
- wn22_au_000090
tags:
- WN22-AU-000090
- - V-254302
- - SRG-OS-000327-GPOS-00127
- - SV-254302r848722_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254302r848722_rule
+ - V-254302
+ - audit
- name: "MEDIUM | WN22-AU-000100 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management successes."
block:
@@ -1674,16 +1691,16 @@
- wn22_au_000100
tags:
- WN22-AU-000100
- - V-254303
- - SRG-OS-000004-GPOS-00004
- - SV-254303r848725_rule
+ - CAT2
- CCI-000018
- CCI-000172
- CCI-001403
- CCI-001404
- CCI-001405
- CCI-002130
- - CAT2
+ - SRG-OS-000004-GPOS-00004
+ - SV-254303r848725_rule
+ - V-254303
- name: "MEDIUM | WN22-AU-000110 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management successes."
block:
@@ -1701,16 +1718,17 @@
- wn22_au_000110
tags:
- WN22-AU-000110
- - V-254304
- - SRG-OS-000004-GPOS-00004
- - SV-254304r848728_rule
+ - CAT2
- CCI-000018
- CCI-000172
- CCI-001403
- CCI-001404
- CCI-001405
- CCI-002130
- - CAT2
+ - SRG-OS-000004-GPOS-00004
+ - SV-254304r848728_rule
+ - V-254304
+ - audit
- name: "MEDIUM | WN22-AU-000120 | PATCH | Windows Server 2022 must be configured to audit Account Management | User Account Management failures."
block:
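Review bot: The -1674 and -1701 hunks reorder the tags of WN22-AU-000100 and WN22-AU-000110, yet the context lines give both tasks the same name, `... audit Account Management | User Account Management successes.`, while WN22-AU-000120 is the matching failures task; one of the two success tasks is presumably mislabelled, so its name and the audit subcategory it actually sets (outside the hunk) should be checked against the benchmark. The -1651 hunk adds `audit` to WN22-AU-000090 while the -1674 hunk does not add it to WN22-AU-000100, so the tag coverage of these two adjacent PATCH tasks differs for no visible reason. Both enclosing tasks begin above their hunks.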
@@ -1728,16 +1746,17 @@
- wn22_au_000120
tags:
- WN22-AU-000120
- - V-254305
- - SRG-OS-000004-GPOS-00004
- - SV-254305r848731_rule
+ - CAT2
- CCI-000018
- CCI-000172
- CCI-001403
- CCI-001404
- CCI-001405
- CCI-002130
- - CAT2
+ - SRG-OS-000004-GPOS-00004
+ - SV-254305r848731_rule
+ - V-254305
+ - audit
- name: "MEDIUM | WN22-AU-000130 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking | Plug and Play Events successes."
block:
@@ -1755,11 +1774,12 @@
- wn22_au_000130
tags:
- WN22-AU-000130
- - V-254306
+ - CAT2
+ - CCI-000172
- SRG-OS-000474-GPOS-00219
- SV-254306r848734_rule
- - CCI-000172
- - CAT2
+ - V-254306
+
- name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking | Process Creation successes."
block:
@@ -1777,12 +1797,13 @@
- wn22_au_000140
tags:
- WN22-AU-000140
- - V-254307
- - SRG-OS-000327-GPOS-00127
- - SV-254307r848737_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254307r848737_rule
+ - V-254307
+ - audit
- name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout successes."
block:
@@ -1809,12 +1830,13 @@
- wn22_au_000160
tags:
- WN22-AU-000160
- - V-254309
- - SRG-OS-000240-GPOS-00090
- - SV-254309r848743_rule
+ - CAT2
- CCI-000172
- CCI-001404
- - CAT2
+ - SRG-OS-000240-GPOS-00090
+ - SV-254309r848743_rule
+ - V-254309
+ - audit
- name: "MEDIUM | WN22-AU-000170 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Group Membership successes."
block:
@@ -1832,11 +1854,12 @@
- wn22_au_000170
tags:
- WN22-AU-000170
- - V-254310
+ - CAT2
+ - CCI-000172
- SRG-OS-000470-GPOS-00214
- SV-254310r848746_rule
- - CCI-000172
- - CAT2
+ - V-254310
+ - audit
- name: "MEDIUM | WN22-AU-000180 | PATCH | Windows Server 2022 must be configured to audit logoff successes."
block:
@@ -1854,11 +1877,12 @@
- wn22_au_000180
tags:
- WN22-AU-000180
- - V-254311
+ - CAT2
+ - CCI-000172
- SRG-OS-000472-GPOS-00217
- SV-254311r848749_rule
- - CCI-000172
- - CAT2
+ - V-254311
+ - audit
- name: "MEDIUM | WN22-AU-000190 | PATCH | Windows Server 2022 must be configured to audit logon successes."
block:
@@ -1876,12 +1900,13 @@
- wn22_au_000190
tags:
- WN22-AU-000190
- - V-254312
- - SRG-OS-000032-GPOS-00013
- - SV-254312r848752_rule
+ - CAT2
- CCI-000067
- CCI-000172
- - CAT2
+ - SRG-OS-000032-GPOS-00013
+ - SV-254312r848752_rule
+ - V-254312
+ - audit
- name: "MEDIUM | WN22-AU-000200 | PATCH | Windows Server 2022 must be configured to audit logon failures"
block:
@@ -1899,12 +1924,13 @@
- wn22_au_000200
tags:
- WN22-AU-000200
- - V-254313
- - SRG-OS-000032-GPOS-00013
- - SV-254313r848755_rule
+ - CAT2
- CCI-000067
- CCI-000172
- - CAT2
+ - SRG-OS-000032-GPOS-00013
+ - SV-254313r848755_rule
+ - V-254313
+ - audit
- name: "MEDIUM | WN22-AU-000210 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Special Logon successes."
block:
@@ -1922,11 +1948,12 @@
- wn22_au_000210
tags:
- WN22-AU-000210
- - V-254314
+ - CAT2
+ - CCI-000172
- SRG-OS-000470-GPOS-00214
- SV-254314r848758_rule
- - CCI-000172
- - CAT2
+ - V-254314
+ - audit
- name: "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events successes."
community.windows.win_audit_policy_system:
@@ -1936,11 +1963,11 @@
- wn22_au_000220
tags:
- WN22-AU-000220
- - V-254315
+ - CAT2
+ - CCI-000172
- SRG-OS-000470-GPOS-00214
- SV-254315r848761_rule
- - CCI-000172
- - CAT2
+ - V-254315
- name: "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events failures."
community.windows.win_audit_policy_system:
@@ -1950,11 +1977,11 @@
- wn22_au_000230
tags:
- WN22-AU-000230
- - V-254316
+ - CAT2
+ - CCI-000172
- SRG-OS-000470-GPOS-00214
- SV-254316r848764_rule
- - CCI-000172
- - CAT2
+ - V-254316
- name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access | Removable Storage successes."
block:
@@ -1972,11 +1999,11 @@
- wn22_au_000240
tags:
- WN22-AU-000240
- - V-254317
+ - CAT2
+ - CCI-000172
- SRG-OS-000474-GPOS-00219
- SV-254317r848767_rule
- - CCI-000172
- - CAT2
+ - V-254317
- name: "MEDIUM | WN22-AU-000250 | PATCH | Windows Server 2022 must be configured to audit Object Access | Removable Storage failures."
block:
@@ -1994,11 +2021,11 @@
- wn22_au_000250
tags:
- WN22-AU-000250
- - V-254318
+ - CAT2
+ - CCI-000172
- SRG-OS-000474-GPOS-00219
- SV-254318r848770_rule
- - CCI-000172
- - CAT2
+ - V-254318
- name: "MEDIUM | WN22-AU-000260 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change successes."
block:
@@ -2016,12 +2043,12 @@
- wn22_au_000260
tags:
- WN22-AU-000260
- - V-254319
- - SRG-OS-000327-GPOS-00127
- - SV-254319r848773_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254319r848773_rule
+ - V-254319
- name: "MEDIUM | WN22-AU-000270 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Audit Policy Change failures."
block:
@@ -2039,12 +2066,13 @@
- wn22_au_000270
tags:
- WN22-AU-000270
- - V-254320
- - SRG-OS-000327-GPOS-00127
- - SV-254320r848776_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254320r848776_rule
+ - V-254320
+ - audit
- name: "MEDIUM | WN22-AU-000280 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Authentication Policy Change successes."
block:
@@ -2062,12 +2090,13 @@
- wn22_au_000280
tags:
- WN22-AU-000280
- - V-254321
- - SRG-OS-000327-GPOS-00127
- - SV-254321r848779_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254321r848779_rule
+ - V-254321
+ - audit
- name: "MEDIUM | WN22-AU-000290 | PATCH | Windows Server 2022 must be configured to audit Policy Change | Authorization Policy Change successes."
block:
@@ -2085,12 +2114,13 @@
- wn22_au_000290
tags:
- WN22-AU-000290
- - V-254322
- - SRG-OS-000327-GPOS-00127
- - SV-254322r848782_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254322r848782_rule
+ - V-254322
+ - audit
- name: "MEDIUM | WN22-AU-000300 | PATCH | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use successes."
block:
@@ -2108,12 +2138,13 @@
- wn22_au_000300
tags:
- WN22-AU-000300
- - V-254323
- - SRG-OS-000327-GPOS-00127
- - SV-254323r848785_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254323r848785_rule
+ - V-254323
+ - audit
- name: "MEDIUM | WN22-AU-000310 | PATCH | Windows Server 2022 must be configured to audit Privilege Use | Sensitive Privilege Use failures."
block:
@@ -2131,12 +2162,13 @@
- wn22_au_000310
tags:
- WN22-AU-000310
- - V-254324
- - SRG-OS-000327-GPOS-00127
- - SV-254324r848788_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254324r848788_rule
+ - V-254324
+ - audit
- name: "MEDIUM | WN22-AU-000320 | PATCH | Windows Server 2022 must be configured to audit System | IPsec Driver successes."
block:
@@ -2154,12 +2186,13 @@
- wn22_au_000320
tags:
- WN22-AU-000320
- - V-254325
- - SRG-OS-000327-GPOS-00127
- - SV-254325r848791_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254325r848791_rule
+ - V-254325
+ - audit
- name: "MEDIUM | WN22-AU-000330 | PATCH | Windows Server 2022 must be configured to audit System | IPsec Driver failures."
block:
@@ -2177,12 +2210,13 @@
- wn22_au_000330
tags:
- WN22-AU-000330
- - V-254326
- - SRG-OS-000327-GPOS-00127
- - SV-254326r848794_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254326r848794_rule
+ - V-254326
+ - audit
- name: "MEDIUM | WN22-AU-000340 | PATCH | Windows Server 2022 must be configured to audit System | Other System Events successes."
block:
@@ -2200,12 +2234,13 @@
- wn22_au_000340
tags:
- WN22-AU-000340
- - V-254327
- - SRG-OS-000327-GPOS-00127
- - SV-254327r848797_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254327r848797_rule
+ - V-254327
+ - audit
- name: "MEDIUM | WN22-AU-000350 | PATCH | Windows Server 2022 must be configured to audit System | Other System Events failures."
block:
@@ -2223,12 +2258,13 @@
- wn22_au_000350
tags:
- WN22-AU-000350
- - V-254328
- - SRG-OS-000327-GPOS-00127
- - SV-254328r848800_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254328r848800_rule
+ - V-254328
+ - audit
- name: "MEDIUM | WN22-AU-000360 | PATCH | Windows Server 2022 must be configured to audit System | Security State Change successes."
block:
@@ -2246,12 +2282,13 @@
- wn22_au_000360
tags:
- WN22-AU-000360
- - V-254329
- - SRG-OS-000327-GPOS-00127
- - SV-254329r848803_rule
+ - CAT2
- CCI-000172
- CCI-002234
- - CAT2
+ - SRG-OS-000327-GPOS-00127
+ - SV-254329r848803_rule
+ - V-254329
+ - audit
- name: "MEDIUM | WN22-AU-000370 | PATCH | Windows Server 2022 must be configured to audit System | Security System Extension successes."
block:
diff --git a/tasks/cat2_cloud_lockout_order.yml b/tasks/cat2_cloud_lockout_order.yml
index 829c975..0e12f31 100644
--- a/tasks/cat2_cloud_lockout_order.yml
+++ b/tasks/cat2_cloud_lockout_order.yml
@@ -1,7 +1,7 @@
---
# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS
-# below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value"
+# The below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value"
- name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less."
block:
- name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable."
diff --git a/tasks/cat3.yml b/tasks/cat3.yml
index 61a474f..5ee2c7e 100644
--- a/tasks/cat3.yml
+++ b/tasks/cat3.yml
@@ -26,11 +26,11 @@
- wn22_00_000180
tags:
- WN22-00-000180
- - V-205664
+ - CAT3
+ - CCI-000213
- SRG-OS-000080-GPOS-00048
- SV-205664r569188_rule
- - CCI-000213
- - CAT3
+ - V-205664
- name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source."
block:
@@ -45,11 +45,11 @@
when: wn22_00_000440
tags:
- WN22-00-000440
- - V-205800
+ - CAT3
+ - CCI-001891
- SRG-OS-000355-GPOS-00143
- SV-205800r859311_rule
- - CCI-001891
- - CAT3
+ - V-205800
- name: "LOW | WN22-CC-000030 | PATCH | Windows Server 2022 internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing."
ansible.windows.win_regedit:
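Review bot: The V-/SV- tags re-added in tasks/cat3.yml (`- V-205664` and `- SV-205664r569188_rule` in the -26 hunk, and the other V-205xxx values with `r569188`/`r859311` revisions in the following cat3 hunks on this page) belong to a different numbering series than the V-254xxx / r848xxx identifiers used throughout tasks/cat2.yml; that range looks like an earlier Windows Server benchmark, so these tags may not correspond to the Server 2022 STIG and should be verified before anyone filters runs or reports by them. Since this commit is already rewriting every cat3 tag block, it would be the natural place to bring the IDs into line, with the correct values taken from the benchmark rather than this diff. The cat2_cloud_lockout_order.yml hunk above only rewords a comment. Each cat3 task here begins above its hunk.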
@@ -61,11 +61,11 @@ - wn22_cc_000030 tags: - WN22-CC-000030 - - V-205858 + - CAT3 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-205858r569188_rule - - CCI-000366 - - CAT3 + - V-205858 - name: "LOW | WN22-CC-000040 | PATCH | Windows Server 2022 source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing." ansible.windows.win_regedit: @@ -77,11 +77,11 @@ - wn22_cc_000040 tags: - WN22-CC-000040 - - V-205859 + - CAT3 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-205859r569188_rule - - CCI-000366 - - CAT3 + - V-205859 - name: "LOW | WN22-CC-000050 | PATCH | Windows Server 2022 must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes." ansible.windows.win_regedit: @@ -93,11 +93,11 @@ - wn22_cc_000050 tags: - WN22-CC-000050 - - V-205860 + - CAT3 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-205860r569188_rule - - CCI-000366 - - CAT3 + - V-205860 - name: "LOW | WN22-CC-000060 | PATCH | Windows Server 2022 Must be configured to ignore NetBIOS name release requests except from WINS servers." ansible.windows.win_regedit: @@ -109,11 +109,11 @@ - wn22_cc_000060 tags: - WN22-CC-000060 - - V-205822 + - CAT3 + - CCI-002385 - SRG-OS-000420-GPOS-00186 - SV-205822r569188_rule - - CCI-002385 - - CAT3 + - V-205822 - name: "LOW | WN22-CC-000200 | PATCH | Windows Server 2022 Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft." ansible.windows.win_regedit: @@ -125,11 +125,11 @@ - wn22_cc_000200 tags: - WN22-CC-000200 - - V-205691 + - CAT3 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-205691r569188_rule - - CCI-000381 - - CAT3 + - V-205691 - name: "LOW | WN22-CC-000260 | PATCH | Windows Server 2022 Windows Update must not obtain updates from other PCs on the Internet." ansible.windows.win_regedit: 
@@ -141,11 +141,11 @@ - wn22_cc_000260 tags: - WN22-CC-000260 - - V-205870 + - CAT3 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-205870r569188_rule - - CCI-000366 - - CAT3 + - V-205870 - name: "LOW | WN22-CC-000320 | AUDIT | Windows Server 2022 turning off File Explorer heap termination on corruption must be disabled." ansible.windows.win_regedit: @@ -158,11 +158,11 @@ - wn22_cc_000320 tags: - WN22-CC-000320 - - SV-205871r569188_rule - - V-205871 + - CAT3 - CCI-000366 - SRG-OS-000480-GPOS-00227 - - CAT3 + - SV-205871r569188_rule + - V-205871 - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." block: @@ -178,11 +178,11 @@ - wn22_dc_000160 tags: - WN22-DC-000160 - - V-205726 + - CAT3 + - CCI-001133 - SRG-OS-000163-GPOS-00072 - SV-205726r569188_rule - - CCI-001133 - - CAT3 + - V-205726 - name: "LOW | WN22-SO-000140 | PATCH | Windows Server 2022 title for the legal banner must be configured with the appropriate text." ansible.windows.win_regedit: @@ -194,16 +194,17 @@ - wn22_so_000140 tags: - WN22-SO-000140 - - V-205632 - - SRG-OS-000023-GPOS-00006 - - SRG-OS-000228-GPOS-00088 - - SV-205632r569188_rule + - CAT3 - CCI-000048 - CCI-001384 - CCI-001385 - CCI-001386 - CCI-001387 - CCI-001388 + - SRG-OS-000023-GPOS-00006 + - SRG-OS-000228-GPOS-00088 + - SV-205632r569188_rule + - V-205632 - name: "LOW | WN22-SO-000370 | PATCH | Windows Server 2022 default permissions of global system objects must be strengthened." ansible.windows.win_regedit: @@ -215,8 +216,8 @@ - wn22_so_000370 tags: - WN22-SO-000370 - - V-205871 + - CAT3 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-205871r569188_rule - - CCI-000366 - - CAT3 + - V-205871 diff --git a/tasks/main.yml b/tasks/main.yml index 86d12f2..75b508b 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -43,13 +43,13 @@ tags: - CAT1 -- name: Execute the category 2 (Medium Severity) tasks +- name: Execute the Category 2 (Medium Severity) tasks ansible.builtin.import_tasks: cat2.yml when: win2022stig_cat2_patch tags: - CAT2 -- name: Execute the category 3 (Lowest Severity) tasks +- name: Execute the Category 3 (Lowest Severity) tasks ansible.builtin.import_tasks: cat3.yml when: win2022stig_cat3_patch tags: From 2be9a6ec3b0a70a350f05cc6038422482ff3cc61 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 10 Aug 2023 09:54:56 -0400 Subject: [PATCH 66/95] Tag order update cat 2-1 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 965 +++++++++++++++++++++++++------------------------ 1 file changed, 484 insertions(+), 481 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 65e6419..f999f28 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -2329,12 +2329,13 @@ - wn22_au_000380 tags: - WN22-AU-000380 - - V-254331 - - SRG-OS-000327-GPOS-00127 - - SV-254331r848809_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254331r848809_rule + - V-254331 + - audit - name: "MEDIUM | WN22-AU-000390 | PATCH | Windows Server 2022 must be configured to audit System | System Integrity failures." block: @@ -2352,14 +2353,14 @@ - wn22_au_000390 tags: - WN22-AU-000390 - - V-254332 - - SRG-OS-000327-GPOS-00127 - - SV-254332r848812_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254332r848812_rule + - V-254332 + - audit -# some versions may be core/no gui, may need a prelim to detect? - name: "MEDIUM | WN22-CC-000010 | PATCH | Windows Server 2022 must prevent the display of slide shows on the lock screen." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization 
@@ -2370,11 +2371,11 @@ - wn22_cc_000010 tags: - WN22-CC-000010 - - V-254333 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254333r848815_rule - - CCI-000381 - - CAT2 + - V-254333 - name: "MEDIUM | WN22-CC-000020 | PATCH | Windows Server 2022 must have WDigest Authentication disabled." ansible.windows.win_regedit: @@ -2386,11 +2387,11 @@ - wn22_cc_000020 tags: - WN22-CC-000020 - - V-254334 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254334r848818_rule - - CCI-000381 - - CAT2 + - V-254334 - name: "MEDIUM | WN22-CC-000070 | PATCH | Windows Server 2022 insecure logons to an SMB server must be disabled." ansible.windows.win_regedit: @@ -2402,13 +2403,12 @@ - wn22_cc_000070 tags: - WN22-CC-000070 - - V-254339 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254339r848833_rule - - CCI-000366 - - CAT2 + - V-254339 -# verify if this applies to DC or only MS? - name: "MEDIUM | WN22-CC-000080 | PATCH | Windows Server 2022 hardened Universal Naming Convention (UNC) paths must be defined to require mutual authentication and integrity for at least the SYSVOL and NETLOGON shares." ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths @@ -2423,11 +2423,11 @@ - ansible_windows_domain_member tags: - WN22-CC-000080 - - V-254340 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254340r848836_rule - - CCI-000366 - - CAT2 + - V-254340 - name: "MEDIUM | WN22-CC-000090 | PATCH | Windows Server 2022 command line data must be included in process creation events." ansible.windows.win_regedit: @@ -2439,11 +2439,11 @@ - wn22_cc_000090 tags: - WN22-CC-000090 - - V-254341 + - CAT2 + - CCI-000135 - SRG-OS-000042-GPOS-00020 - SV-254341r848839_rule - - CCI-000135 - - CAT2 + - V-254341 - name: "MEDIUM | WN22-CC-000100 | PATCH | Windows Server 2022 must be configured to enable Remote host allows delegation of nonexportable credentials." ansible.windows.win_regedit: 
@@ -2455,11 +2455,11 @@ - wn22_cc_000100 tags: - WN22-CC-000100 - - V-254342 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254342r848842_rule - - CCI-000366 - - CAT2 + - V-254342 - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." block: @@ -2476,11 +2476,11 @@ - ansible_windows_domain_member tags: - WN22-CC-000110 - - V-254343 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254343r848845_rule - - CCI-000366 - - CAT2 + - V-254343 - name: "MEDIUM | WN22-CC-000130 | PATCH | Windows Server 2022 early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." ansible.windows.win_regedit: @@ -2492,11 +2492,11 @@ - wn22_cc_000130 tags: - WN22-CC-000130 - - V-254344 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254344r848848_rule - - CCI-000366 - - CAT2 + - V-254344 - name: "MEDIUM | WN22-CC-000140 | PATCH | Windows Server 2022 group policy objects must be reprocessed even if they have not changed." ansible.windows.win_regedit: @@ -2508,11 +2508,11 @@ - wn22_cc_000140 tags: - WN22-CC-000140 - - V-254345 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254345r848851_rule - - CCI-000366 - - CAT2 + - V-254345 - name: "MEDIUM | WN22-CC-000150 | PATCH | Windows Server 2022 downloading print driver packages over HTTP must be turned off." ansible.windows.win_regedit: @@ -2524,11 +2524,11 @@ - wn22_cc_000150 tags: - WN22-CC-000150 - - V-254346 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254346r848854_rule - - CCI-000381 - - CAT2 + - V-254346 - name: "MEDIUM | WN22-CC-000160 | PATCH | Windows Server 2022 printing over HTTP must be turned off." ansible.windows.win_regedit: 
@@ -2540,11 +2540,11 @@ - wn22_cc_000160 tags: - WN22-CC-000160 - - V-254347 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254347r848857_rule - - CCI-000381 - - CAT2 + - V-254347 - name: "MEDIUM | WN22-CC-000170 | PATCH | Windows Server 2022 network selection user interface (UI) must not be displayed on the logon screen." ansible.windows.win_regedit: @@ -2556,11 +2556,11 @@ - wn22_cc_000170 tags: - WN22-CC-000170 - - V-254348 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254348r848860_rule - - CCI-000381 - - CAT2 + - V-254348 - name: "MEDIUM | WN22-CC-000180 | PATCH | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (on battery)." ansible.windows.win_regedit: @@ -2572,11 +2572,11 @@ - wn22_cc_000180 tags: - WN22-CC-000180 - - V-254349 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254349r848863_rule - - CCI-000366 - - CAT2 + - V-254349 - name: "MEDIUM | WN22-CC-000190 | PATCH | Windows Server 2022 users must be prompted to authenticate when the system wakes from sleep (plugged in)." ansible.windows.win_regedit: @@ -2588,11 +2588,11 @@ - wn22_cc_000190 tags: - WN22-CC-000190 - - V-254350 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254350r848866_rule - - CCI-000366 - - CAT2 + - V-254350 - name: "MEDIUM | WN22-CC-000240 | PATCH | Windows Server 2022 administrator accounts must not be enumerated during elevation." ansible.windows.win_regedit: @@ -2604,11 +2604,11 @@ - wn22_cc_000240 tags: - WN22-CC-000240 - - V-254355 + - CAT2 + - CCI-001084 - SRG-OS-000134-GPOS-00068 - SV-254355r848881_rule - - CCI-001084 - - CAT2 + - V-254355 - name: "MEDIUM | WN22-CC-000250 | PATCH | Windows Server 2022 Telemetry must be configured to Security or Basic." ansible.windows.win_regedit: 
@@ -2620,11 +2620,11 @@ - wn22_cc_000250 tags: - WN22-CC-000250 - - V-254356 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254356r916220_rule - - CCI-000366 - - CAT2 + - V-254356 - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater." block: @@ -2648,11 +2648,11 @@ - wn22_cc_000270 tags: - WN22-CC-000270 - - V-254358 + - CAT2 + - CCI-001849 - SRG-OS-000341-GPOS-00132 - SV-254358r877391_rule - - CCI-001849 - - CAT2 + - V-254358 - name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2022 Security event log size must be configured to 196608 KB or greater." block: @@ -2676,11 +2676,11 @@ - wn22_cc_000280 tags: - WN22-CC-000280 - - V-254359 + - CAT2 + - CCI-001849 - SRG-OS-000341-GPOS-00132 - SV-254359r877391_rule - - CCI-001849 - - CAT2 + - V-254359 - name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2022 System event log size must be configured to 32768 KB or greater." block: @@ -2704,11 +2704,11 @@ - wn22_cc_000290 tags: - WN22-CC-000290 - - V-254360 + - CAT2 + - CCI-001849 - SRG-OS-000341-GPOS-00132 - SV-254360r877391_rule - - CCI-001849 - - CAT2 + - V-254360 - name: "MEDIUM | WN22-CC-000300 | PATCH | Windows Server 2022 Windows Defender SmartScreen must be enabled." ansible.windows.win_regedit: @@ -2720,11 +2720,11 @@ - wn22_cc_000300 tags: - WN22-CC-000300 - - V-254361 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254361r848899_rule - - CCI-000381 - - CAT2 + - V-254361 - name: "MEDIUM | WN22-CC-000310 | PATCH | Windows Server 2022 Explorer Data Execution Prevention must be enabled." ansible.windows.win_regedit: @@ -2736,11 +2736,11 @@ - wn22_cc_000310 tags: - WN22-CC-000310 - - V-254362 + - CAT2 + - CCI-002824 - SRG-OS-000433-GPOS-00192 - SV-254362r848902_rule - - CCI-002824 - - CAT2 + - V-254362 - name: "MEDIUM | WN22-CC-000330 | PATCH | Windows Server 2022 File Explorer shell protocol must run in protected mode." ansible.windows.win_regedit: 
@@ -2752,11 +2752,11 @@ - wn22_cc_000330 tags: - WN22-CC-000330 - - V-254364 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254364r848908_rule - - CCI-000366 - - CAT2 + - V-254364 - name: "MEDIUM | WN22-CC-000340 | PATCH | Windows Server 2022 must not save passwords in the Remote Desktop Client." ansible.windows.win_regedit: @@ -2768,11 +2768,11 @@ - wn22_cc_000340 tags: - WN22-CC-000340 - - V-254365 + - CAT2 + - CCI-002038 - SRG-OS-000373-GPOS-00156 - SV-254365r848911_rule - - CCI-002038 - - CAT2 + - V-254365 - name: "MEDIUM | WN22-CC-000350 | PATCH | Windows Server 2022 Remote Desktop Services must prevent drive redirection." ansible.windows.win_regedit: @@ -2784,11 +2784,11 @@ - wn22_cc_000350 tags: - WN22-CC-000350 - - V-254366 + - CAT2 + - CCI-001090 - SRG-OS-000138-GPOS-00069 - SV-254366r848914_rule - - CCI-001090 - - CAT2 + - V-254366 - name: "MEDIUM | WN22-CC-000360 | PATCH | Windows Server 2022 remote Desktop Services must always prompt a client for passwords upon connection." ansible.windows.win_regedit: @@ -2800,11 +2800,11 @@ - wn22_cc_000360 tags: - WN22-CC-000360 - - V-254367 + - CAT2 + - CCI-002038 - SRG-OS-000373-GPOS-00156 - SV-254367r848917_rule - - CCI-002038 - - CAT2 + - V-254367 - name: "MEDIUM | WN22-CC-000370 | PATCH | Windows Server 2022 Remote Desktop Services must require secure Remote Procedure Call (RPC) communications." ansible.windows.win_regedit: @@ -2816,12 +2816,12 @@ - wn22_cc_000370 tags: - WN22-CC-000370 - - V-254368 - - SRG-OS-000033-GPOS-00014 - - SV-254368r877398_rule + - CAT2 - CCI-000068 - CCI-001453 - - CAT2 + - SRG-OS-000033-GPOS-00014 + - SV-254368r877398_rule + - V-254368 - name: "MEDIUM | WN22-CC-000380 | PATCH | Windows Server 2022 remote Desktop Services must be configured with the client connection encryption set to High Level." ansible.windows.win_regedit: 
@@ -2833,13 +2833,13 @@ - wn22_cc_000380 tags: - WN22-CC-000380 - - V-254369 + - CAT2 + - CCI-000068 + - CCI-001453 - SRG-OS-000033-GPOS-00014 - SRG-OS-000250-GPOS-00093 - SV-254369r877398_rule - - CCI-000068 - - CCI-001453 - - CAT2 + - V-254369 - name: "MEDIUM | WN22-CC-000390 | PATCH | Windows Server 2022 must prevent attachments from being downloaded from RSS feeds." ansible.windows.win_regedit: @@ -2851,11 +2851,11 @@ - wn22_cc_000390 tags: - WN22-CC-000390 - - V-254370 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254370r848926_rule - - CCI-000366 - - CAT2 + - V-254370 - name: "MEDIUM | WN22-CC-000400 | PATCH | Windows Server 2022 must disable Basic authentication for RSS feeds over HTTP." ansible.windows.win_regedit: @@ -2867,11 +2867,11 @@ - wn22_cc_000400 tags: - WN22-CC-000400 - - V-254371 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254371r848929_rule - - CCI-000381 - - CAT2 + - V-254371 - name: "MEDIUM | WN22-CC-000410 | PATCH | Windows Server 2022 must prevent Indexing of encrypted files." ansible.windows.win_regedit: @@ -2883,11 +2883,11 @@ - wn22_cc_000410 tags: - WN22-CC-000410 - - V-254372 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254372r848932_rule - - CCI-000381 - - CAT2 + - V-254372 - name: "MEDIUM | WN22-CC-000420 | PATCH | Windows Server 2022 must prevent users from changing installation options." ansible.windows.win_regedit: @@ -2899,11 +2899,11 @@ - wn22_cc_000420 tags: - WN22-CC-000420 - - V-254373 + - CAT2 + - CCI-001812 - SRG-OS-000362-GPOS-00149 - SV-254373r848935_rule - - CCI-001812 - - CAT2 + - V-254373 - name: "MEDIUM | WN22-CC-000440 | PATCH | Windows Server 2022 users must be notified if a web-based program attempts to install software." ansible.windows.win_regedit: 
@@ -2915,11 +2915,11 @@ - wn22_cc_000440 tags: - WN22-CC-000440 - - V-254375 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254375r848941_rule - - CCI-000366 - - CAT2 + - V-254375 - name: "MEDIUM | WN22-CC-000450 | PATCH | Windows Server 2022 must disable automatically signing in the last interactive user after a system-initiated restart." ansible.windows.win_regedit: @@ -2931,11 +2931,11 @@ - wn22_cc_000450 tags: - WN22-CC-000450 - - V-254376 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00229 - SV-254376r877377_rule - - CCI-000366 - - CAT2 + - V-254376 - name: "MEDIUM | WN22-CC-000460 | PATCH | Windows Server 2022 PowerShell script block logging must be enabled." ansible.windows.win_regedit: @@ -2947,11 +2947,11 @@ - wn22_cc_000460 tags: - WN22-CC-000460 - - V-254377 + - CAT2 + - CCI-000135 - SRG-OS-000042-GPOS-00020 - SV-254377r848947_rule - - CCI-000135 - - CAT2 + - V-254377 - name: "MEDIUM | WN22-CC-000480 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not allow unencrypted traffic." ansible.windows.win_regedit: @@ -2964,12 +2964,12 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000480 - - V-254379 - - SRG-OS-000393-GPOS-00173 - - SV-254379r877382_rule + - CAT2 - CCI-002890 - CCI-003123 - - CAT2 + - SRG-OS-000393-GPOS-00173 + - SV-254379r877382_rule + - V-254379 - winrm - name: "MEDIUM | WN22-CC-000490 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) client must not use Digest authentication." @@ -2982,11 +2982,11 @@ - wn22_cc_000490 tags: - WN22-CC-000490 - - V-254380 + - CAT2 + - CCI-000877 - SRG-OS-000125-GPOS-00065 - SV-254380r877395_rule - - CCI-000877 - - CAT2 + - V-254380 - name: "MEDIUM | WN22-CC-000510 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not allow unencrypted traffic." ansible.windows.win_regedit: 
@@ -2999,12 +2999,12 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000510 - - V-254382 - - SRG-OS-000393-GPOS-00173 - - SV-254382r877382_rule + - CAT2 - CCI-002890 - CCI-003123 - - CAT2 + - SRG-OS-000393-GPOS-00173 + - SV-254382r877382_rule + - V-254382 - winrm - name: "MEDIUM | WN22-CC-000520 | PATCH | Windows Server 2022 Windows Remote Management (WinRM) service must not store RunAs credentials." @@ -3018,11 +3018,11 @@ - not win2022stig_skip_secure_winrm tags: - WN22-CC-000520 - - V-254383 + - CAT2 + - CCI-002038 - SRG-OS-000373-GPOS-00156 - SV-254383r848965_rule - - CCI-002038 - - CAT2 + - V-254383 - winrm - name: "MEDIUM | WN22-CC-000530 | PATCH | Windows Server 2022 must have PowerShell Transcription enabled." @@ -3035,11 +3035,11 @@ - wn22_cc_000530 tags: - WN22-CC-000530 - - V-254384 - - SRG-OS-000041-GPOS-00019 - - SV-254384r848968_rule - - CCI-000134 - CAT2 + - CCI-000134 + - SRG-OS-000041-GPOS-00019 + - SV-254384r848968_rule + - V-254384 - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced." block: @@ -3060,12 +3060,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000020 - - V-254386 - - SRG-OS-000112-GPOS-00057 - - SV-254386r848974_rule + - CAT2 - CCI-001941 - CCI-001942 - - CAT2 + - SRG-OS-000112-GPOS-00057 + - SV-254386r848974_rule + - V-254386 - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." block: @@ -3087,12 +3087,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000030 - - V-254387 - - SRG-OS-000112-GPOS-00057 - - SV-254387r848977_rule + - CAT2 - CCI-001941 - CCI-001942 - - CAT2 + - SRG-OS-000112-GPOS-00057 + - SV-254387r848977_rule + - V-254387 - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less." block: 
@@ -3113,12 +3113,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000040 - - V-254388 - - SRG-OS-000112-GPOS-00057 - - SV-254388r848980_rule + - CAT2 - CCI-001941 - CCI-001942 - - CAT2 + - SRG-OS-000112-GPOS-00057 + - SV-254388r848980_rule + - V-254388 - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less." block: @@ -3139,12 +3139,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000050 - - V-254389 - - SRG-OS-000112-GPOS-00057 - - SV-254389r848983_rule + - CAT2 - CCI-001941 - CCI-001942 - - CAT2 + - SRG-OS-000112-GPOS-00057 + - SV-254389r848983_rule + - V-254389 - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less." block: @@ -3165,12 +3165,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000060 - - V-254390 - - SRG-OS-000112-GPOS-00057 - - SV-254390r848986_rule + - CAT2 - CCI-001941 - CCI-001942 - - CAT2 + - SRG-OS-000112-GPOS-00057 + - SV-254390r848986_rule + - V-254390 - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files." block: @@ -3207,11 +3207,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000120 - - V-254396 + - CAT2 + - CCI-001090 - SRG-OS-000138-GPOS-00069 - SV-254396r849004_rule - - CCI-001090 - - CAT2 + - V-254396 + - audit - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function." block: 
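Review bot: The new `- audit` tag on WN22-DC-000120 (partitioning of directory server data files) at `@@ -3207,11 +3207,12 @@` looks inconsistent with how the tag is used elsewhere in this commit, where it is added to the audit-policy controls (WN22-AU-0003x0, WN22-DC-000230) but not to the DS Access audit controls WN22-DC-000240/250/260 in the later hunks. If `audit` is meant to select audit-policy tasks, drop it from DC-000120 and add it to DC-000240, DC-000250 and DC-000260; if it is meant to select AUDIT-type (check-only) tasks, the other AUDIT tasks in this file would need it too. Either way a short comment near the first use, e.g. `# tag 'audit' selects Windows audit-policy controls`, would make the convention explicit. The enclosing tasks start outside the hunks.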
@@ -3231,11 +3232,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000130 - - V-254397 + - CAT2 + - CCI-000381 - SRG-OS-000095-GPOS-00049 - SV-254397r849007_rule - - CCI-000381 - - CAT2 + - V-254397 - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data." block: @@ -3257,11 +3258,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000140 - - V-254398 + - CAT2 + - CCI-002450 - SRG-OS-000396-GPOS-00176 - SV-254398r877380_rule - - CCI-002450 - - CAT2 + - V-254398 - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings." block: @@ -3280,12 +3281,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000170 - - V-254401 - - SRG-OS-000327-GPOS-00127 - - SV-254401r849019_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254401r849019_rule + - V-254401 - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings." block: @@ -3304,12 +3305,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000180 - - V-254402 - - SRG-OS-000327-GPOS-00127 - - SV-254402r849022_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254402r849022_rule + - V-254402 - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings." block: 
@@ -3328,12 +3329,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000190 - - V-254403 - - SRG-OS-000327-GPOS-00127 - - SV-254403r849025_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254403r849025_rule + - V-254403 - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings." block: @@ -3353,12 +3354,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000200 - - V-254404 - - SRG-OS-000327-GPOS-00127 - - SV-254404r849028_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254404r849028_rule + - V-254404 - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings." block: @@ -3377,12 +3378,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000210 - - V-254405 - - SRG-OS-000327-GPOS-00127 - - SV-254405r849031_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254405r849031_rule + - V-254405 - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings." block: @@ -3401,12 +3402,12 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000220 - - V-254406 - - SRG-OS-000327-GPOS-00127 - - SV-254406r849034_rule + - CAT2 - CCI-000172 - CCI-002234 - - CAT2 + - SRG-OS-000327-GPOS-00127 + - SV-254406r849034_rule + - V-254406 - name: "MEDIUM | WN22-DC-000230 | PATCH | Windows Server 2022 must be configured to audit Account Management | Computer Account Management successes." block: 
@@ -3425,7 +3426,13 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000230 - - V-254407 + - CAT2 + - CCI-000018 + - CCI-000172 + - CCI-001403 + - CCI-001404 + - CCI-001405 + - CCI-002130 - SRG-OS-000004-GPOS-00004 - SRG-OS-000239-GPOS-00089 - SRG-OS-000240-GPOS-00090 @@ -3433,13 +3440,8 @@ - SRG-OS-000303-GPOS-00120 - SRG-OS-000476-GPOS-00221 - SV-254407r849037_rule - - CCI-000018 - - CCI-000172 - - CCI-001403 - - CCI-001404 - - CCI-001405 - - CCI-002130 - - CAT2 + - V-254407 + - audit - name: "MEDIUM | WN22-DC-000240 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Access successes." block: @@ -3458,15 +3460,15 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000240 - - V-254408 + - CAT2 + - CCI-000172 + - CCI-002234 - SRG-OS-000327-GPOS-00127 - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - SV-254408r849040_rule - - CCI-000172 - - CCI-002234 - - CAT2 + - V-254408 - name: "MEDIUM | WN22-DC-000250 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Access failures." block: @@ -3485,15 +3487,15 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000250 - - V-254409 + - CAT2 + - CCI-000172 + - CCI-002234 - SRG-OS-000327-GPOS-00127 - SV-254409r849043_rule - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - - CCI-000172 - - CCI-002234 - - CAT2 + - V-254409 - name: "MEDIUM | WN22-DC-000260 | PATCH | Windows Server 2022 must be configured to audit DS Access | Directory Service Changes successes." block: 
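Review bot: In the hunk at `@@ -3485,15 +3487,15 @@` (WN22-DC-000250) the tag list is left only partly sorted: `- SV-254409r849043_rule` stays between `- SRG-OS-000327-GPOS-00127` and `- SRG-OS-000458-GPOS-00203`, unlike the neighbouring WN22-DC-000240 and WN22-DC-000260 where the SV line follows all SRG lines. Tag order has no runtime effect, but since the commit's purpose is a consistent ordering, move `- SV-254409r849043_rule` to just before `- V-254409`. The enclosing task starts outside the hunk.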
@@ -3512,15 +3514,15 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000260 - - V-254410 + - CAT2 + - CCI-000172 + - CCI-002234 - SRG-OS-000327-GPOS-00127 - SRG-OS-000458-GPOS-00203 - SRG-OS-000463-GPOS-00207 - SRG-OS-000468-GPOS-00212 - SV-254410r849046_rule - - CCI-000172 - - CCI-002234 - - CAT2 + - V-254410 - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate." block: @@ -3537,11 +3539,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000280 - - V-254412 + - CAT2 + - CCI-000185 - SRG-OS-000066-GPOS-00034 - SV-254412r849052_rule - - CCI-000185 - - CAT2 + - V-254412 - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." block: @@ -3558,19 +3560,19 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000310 - - V-254415 + - CAT2 + - CCI-000765 + - CCI-000766 + - CCI-000767 + - CCI-000768 + - CCI-001948 - SRG-OS-000105-GPOS-00052 - SRG-OS-000106-GPOS-00053 - SRG-OS-000107-GPOS-00054 - SRG-OS-000108-GPOS-00055 - SRG-OS-000375-GPOS-00160 - SV-254415r849355_rule - - CCI-000765 - - CCI-000766 - - CCI-000767 - - CCI-000768 - - CCI-001948 - - CAT2 + - V-254415 - name: "MEDIUM | WN22-DC-000320 | PATCH | Windows Server 2022 domain controllers must require LDAP access signing." ansible.windows.win_regedit: 
@@ -3583,13 +3585,13 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000320 - - V-254416 + - CAT2 + - CCI-002418 + - CCI-002421 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - SV-254416r849064_rule - - CCI-002418 - - CCI-002421 - - CAT2 + - V-254416 - name: "MEDIUM | WN22-DC-000330 | PATCH | Windows Server 2022 domain controllers must be configured to allow reset of machine account passwords." ansible.windows.win_regedit: @@ -3602,11 +3604,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000330 - - V-254417 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254417r849067_rule - - CCI-000366 - - CAT2 + - V-254417 - name: "MEDIUM | WN22-DC-000340 | PATCH | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers." ansible.windows.win_user_right: @@ -3621,11 +3623,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000340 - - V-254418 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254418r849070_rule - - CCI-000213 - - CAT2 + - V-254418 - name: "MEDIUM | WN22-DC-000350 | PATCH | Windows Server 2022 Add workstations to domain user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: @@ -3637,11 +3639,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000350 - - V-254419 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254419r877392_rule - - CCI-002235 - - CAT2 + - V-254419 - name: "MEDIUM | WN22-DC-000360 | PATCH | Windows Server 2022 Allow log on through Remote Desktop Services user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: 
@@ -3653,11 +3655,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000360 - - V-254420 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254420r849076_rule - - CCI-000213 - - CAT2 + - V-254420 - name: "MEDIUM | WN22-DC-000370 | PATCH | Windows Server 2022 Deny access to this computer from the network user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: @@ -3669,11 +3671,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000370 - - V-254421 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254421r849079_rule - - CCI-000213 - - CAT2 + - V-254421 - name: "MEDIUM | WN22-DC-000380 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: @@ -3685,11 +3687,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000380 - - V-254422 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254422r849082_rule - - CCI-000213 - - CAT2 + - V-254422 - name: "MEDIUM | WN22-DC-000390 | PATCH | Windows Server 2022 Deny log on as a service user right must be configured to include no accounts or groups (blank) on domain controllers." community.windows.win_security_policy: @@ -3701,11 +3703,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000390 - - V-254423 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254423r849085_rule - - CCI-000213 - - CAT2 + - V-254423 - name: "MEDIUM | WN22-DC-000400 | PATCH | Windows Server 2022 Deny log on locally user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: 
@@ -3717,11 +3719,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000400 - - V-254424 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254424r849088_rule - - CCI-000213 - - CAT2 + - V-254424 - name: "MEDIUM | WN22-DC-000410 | PATCH | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain controllers must be configured to prevent unauthenticated access." ansible.windows.win_user_right: @@ -3733,11 +3735,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000410 - - V-254425 + - CAT2 + - CCI-002314 - SRG-OS-000297-GPOS-00115 - SV-254425r849091_rule - - CCI-002314 - - CAT2 + - V-254425 - name: "MEDIUM | WN22-DC-000420 | PATCH | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers." ansible.windows.win_user_right: @@ -3749,11 +3751,11 @@ - ansible_windows_domain_role == "Primary domain controller" tags: - WN22-DC-000420 - - V-254426 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254426r877392_rule - - CCI-002235 - - CAT2 + - V-254426 - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." block: @@ -3778,11 +3780,11 @@ - win2022stig_complexity_high tags: - WN22-DC-000430 - - V-254427 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254427r849097_rule - - CCI-000366 - - CAT2 + - V-254427 - name: "MEDIUM | WN22-MS-000020 | PATCH | Windows Server 2022 local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems." ansible.windows.win_regedit: 
@@ -3795,11 +3797,11 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000020 - - V-254429 + - CAT2 + - CCI-001084 - SRG-OS-000134-GPOS-00068 - SV-254429r849103_rule - - CCI-001084 - - CAT2 + - V-254429 - name: "MEDIUM | WN22-MS-000030 | PATCH | Windows Server 2022 local users on domain-joined member servers must not be enumerated." ansible.windows.win_regedit: @@ -3812,11 +3814,11 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000030 - - V-254430 - - SRG-OS-000095-GPOS-00049 - - SV-254430r849106_rule - - CCI-000381 - CAT2 + - CCI-000381 + - SRG-OS-000095-GPOS-00049 + - SV-254430r849106_rule + - V-254430 - name: "MEDIUM | WN22-MS-000040 | PATCH | Windows Server 2022 must restrict unauthenticated Remote Procedure Call (RPC) clients from connecting to the RPC server on domain-joined member servers and standalone or nondomain-joined systems." ansible.windows.win_regedit: @@ -3829,11 +3831,11 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000040 - - V-254431 + - CAT2 + - CCI-001967 - SRG-OS-000379-GPOS-00164 - SV-254431r877039_rule - - CCI-001967 - - CAT2 + - V-254431 - name: "MEDIUM | WN22-MS-000050 | PATCH | Windows Server 2022 must limit the caching of logon credentials to four or less on domain-joined member servers." ansible.windows.win_regedit: @@ -3846,11 +3848,11 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000050 - - V-254432 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254432r849112_rule - - CCI-000366 - - CAT2 + - V-254432 - name: "MEDIUM | WN22-MS-000060 | PATCH | Windows Server 2022 must restrict remote calls to the Security Account Manager (SAM) to Administrators on domain-joined member servers and standalone or nondomain-joined systems." ansible.windows.win_regedit: 
@@ -3863,11 +3865,11 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000060 - - V-254433 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254433r877392_rule - - CCI-002235 - - CAT2 + - V-254433 - name: "MEDIUM | WN22-MS-000070 | PATCH | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems." ansible.windows.win_user_right: @@ -3881,11 +3883,11 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000070 - - V-254434 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254434r849118_rule - - CCI-000213 - - CAT2 + - V-254434 - name: "MEDIUM | WN22-MS-000080 | PATCH | Windows Server 2022 Deny access to this computer from the network user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and local accounts and from unauthenticated access on all systems." block: @@ -3912,11 +3914,11 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000080 - - V-254435 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254435r849121_rule - - CCI-000213 - - CAT2 + - V-254435 - name: "MEDIUM | WN22-MS-000090 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: 
@@ -3940,11 +3942,11 @@ - not ansible_windows_domain_role == "Primary domain controller" tags: - WN22-MS-000090 - - V-254436 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254436r849124_rule - - CCI-000213 - - CAT2 + - V-254436 - name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: @@ -3969,11 +3971,11 @@ - wn22_ms_000100 tags: - WN22-MS-000100 - - V-254437 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254437r890547_rule - - CCI-000213 - - CAT2 + - V-254437 - name: "MEDIUM | WN22-MS-000110 | PATCH | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." block: @@ -3998,11 +4000,11 @@ - wn22_ms_000110 tags: - WN22-MS-000110 - - V-254438 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254438r849130_rule - - CCI-000213 - - CAT2 + - V-254438 - name: "MEDIUM | WN22-MS-000120 | PATCH | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." block: @@ -4028,11 +4030,11 @@ - wn22_ms_000120 tags: - WN22-MS-000120 - - V-254439 + - CAT2 + - CCI-002314 - SRG-OS-000297-GPOS-00115 - SV-254439r849133_rule - - CCI-002314 - - CAT2 + - V-254439 - name: "MEDIUM | WN22-MS-000130 | PATCH | Windows Server 2022 Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone or nondomain-joined systems." community.windows.win_security_policy: 
@@ -4043,11 +4045,11 @@ - wn22_ms_000130 tags: - WN22-MS-000130 - - V-254440 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254440r877392_rule - - CCI-002235 - - CAT2 + - V-254440 - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." block: @@ -4069,12 +4071,12 @@ - wn22_pk_000010 tags: - WN22-PK-000010 - - V-254442 - - SRG-OS-000066-GPOS-00034 - - SV-254442r894653_rule + - CAT2 - CCI-000185 - CCI-002470 - - CAT2 + - SRG-OS-000066-GPOS-00034 + - SV-254442r894653_rule + - V-254442 - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." block: @@ -4100,12 +4102,12 @@ - wn22_pk_000020 tags: - WN22-PK-000020 - - V-254443 - - SRG-OS-000066-GPOS-00034 - - SV-254443r890553_rule + - CAT2 - CCI-000185 - CCI-002470 - - CAT2 + - SRG-OS-000066-GPOS-00034 + - SV-254443r890553_rule + - V-254443 - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." block: @@ -4131,12 +4133,13 @@ - wn22_pk_000030 tags: - WN22-PK-000030 - - V-254444 - - SRG-OS-000066-GPOS-00034 - - SV-254444r894343_rule + - CAT2 - CCI-000185 - CCI-002470 - - CAT2 + - SRG-OS-000066-GPOS-00034 + - SV-254444r894343_rule + - V-254444 + - audit - name: "MEDIUM | WN22-SO-000010 | PATCH | Windows Server 2022 must have the built-in guest account disabled." community.windows.win_security_policy: @@ -4147,11 +4150,11 @@ - wn22_so_000010 tags: - WN22-SO-000010 - - V-254445 + - CAT2 + - CCI-000804 - SRG-OS-000121-GPOS-00062 - SV-254445r849151_rule - - CCI-000804 - - CAT2 + - V-254445 - name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2022 built-in administrator account must be renamed." block: 
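Review bot: The `- audit` tag added to WN22-PK-000030 in the `@@ -4131,12 +4133,13 @@` hunk is not given to the two sibling audit-only tasks visible in the same stretch, "WN22-PK-000010 | AUDIT" and "WN22-PK-000020 | AUDIT" (nor to "WN22-DC-000430 | AUDIT" earlier in this file), so a run limited to `--tags audit` would report the CCEB cross-certificate check but silently skip the DoD Root CA and Interoperability Root checks. Since all three tasks are the same kind of manual-verification step for the trust store, the tag should be applied consistently: add `- audit` to the tag lists of WN22-PK-000010 and WN22-PK-000020 as well. If the intent is that `audit` marks only controls the role cannot remediate, a short comment above the first tagged task saying so would keep future contributors from guessing.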
@@ -4181,11 +4184,11 @@ - wn22_so_000030 tags: - WN22-SO-000030 - - V-254447 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254447r849157_rule - - CCI-000366 - - CAT2 + - V-254447 - name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2022 built-in guest account must be renamed." block: @@ -4215,11 +4218,11 @@ - wn22_so_000040 tags: - WN22-SO-000040 - - V-254448 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254448r849160_rule - - CCI-000366 - - CAT2 + - V-254448 - name: "MEDIUM | WN22-SO-000050 | PATCH | Windows Server 2022 must force audit policy subcategory settings to override audit policy category settings." ansible.windows.win_regedit: @@ -4231,11 +4234,11 @@ - wn22_so_000050 tags: - WN22-SO-000050 - - V-254449 + - CAT2 + - CCI-000169 - SRG-OS-000062-GPOS-00031 - SV-254449r849163_rule - - CCI-000169 - - CAT2 + - V-254449 - name: "MEDIUM | WN22-SO-000060 | PATCH | Windows Server 2022 setting Domain member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled." ansible.windows.win_regedit: @@ -4248,13 +4251,13 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-SO-000060 - - V-254450 + - CAT2 + - CCI-002418 + - CCI-002421 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - SV-254450r849166_rule - - CCI-002418 - - CCI-002421 - - CAT2 + - V-254450 - name: "MEDIUM | WN22-SO-000070 | PATCH | Windows Server 2022 setting Domain member: Digitally encrypt secure channel data (when possible) must be configured to Enabled." ansible.windows.win_regedit: 
@@ -4267,13 +4270,13 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-SO-000070 - - V-254451 + - CAT2 + - CCI-002418 + - CCI-002421 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - SV-254451r849169_rule - - CCI-002418 - - CCI-002421 - - CAT2 + - V-254451 - name: "MEDIUM | WN22-SO-000080 | PATCH | Windows Server 2022 setting Domain member: Digitally sign secure channel data (when possible) must be configured to Enabled." ansible.windows.win_regedit: @@ -4286,13 +4289,13 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-SO-000080 - - V-254452 + - CAT2 + - CCI-002418 + - CCI-002421 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - SV-254452r849172_rule - - CCI-002418 - - CCI-002421 - - CAT2 + - V-254452 - name: "MEDIUM | WN22-SO-000090 | PATCH | Windows Server 2022 computer account password must not be prevented from being reset." ansible.windows.win_regedit: @@ -4305,11 +4308,11 @@ - ansible_windows_domain_role == "Member server" tags: - WN22-SO-000090 - - V-254453 + - CAT2 + - CCI-001967 - SRG-OS-000379-GPOS-00164 - SV-254453r877039_rule - - CCI-001967 - - CAT2 + - V-254453 - name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less." ansible.windows.win_regedit: @@ -4321,11 +4324,11 @@ - wn22_so_000100 tags: - WN22-SO-000100 - - V-254454 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254454r849178_rule - - CCI-000366 - - CAT2 + - V-254454 - name: "MEDIUM | WN22-SO-000110 | PATCH | Windows Server 2022 must be configured to require a strong session key." ansible.windows.win_regedit: 
@@ -4337,12 +4340,12 @@ - wn22_so_000110 tags: - WN22-SO-000110 - - V-254455 - - SRG-OS-000423-GPOS-00187 - - SV-254455r849181_rule + - CAT2 - CCI-002418 - CCI-002421 - - CAT2 + - SRG-OS-000423-GPOS-00187 + - SV-254455r849181_rule + - V-254455 - name: "MEDIUM | WN22-SO-000120 | PATCH | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." ansible.windows.win_regedit: @@ -4354,13 +4357,13 @@ - wn22_so_000120 tags: - WN22-SO-000120 - - V-254456 - - SRG-OS-000028-GPOS-00009 - - SV-254456r849184_rule + - CAT2 - CCI-000056 - CCI-000057 - CCI-000060 - - CAT2 + - SRG-OS-000028-GPOS-00009 + - SV-254456r849184_rule + - V-254456 - name: "MEDIUM | WN22-SO-000130 | PATCH | Windows Server 2022 required legal notice must be configured to display before console logon." ansible.windows.win_regedit: @@ -4372,9 +4375,7 @@ - wn22_so_000130 tags: - WN22-SO-000130 - - V-254457 - - SRG-OS-000023-GPOS-00006 - - SV-254457r849187_rule + - CAT2 - CCI-000048 - CCI-000050 - CCI-001384 @@ -4382,7 +4383,9 @@ - CCI-001386 - CCI-001387 - CCI-001388 - - CAT2 + - SRG-OS-000023-GPOS-00006 + - SV-254457r849187_rule + - V-254457 - name: "MEDIUM | WN22-SO-000150 | PATCH | Windows Server 2022 Smart Card removal option must be configured to Force Logoff or Lock Workstation." ansible.windows.win_regedit: @@ -4394,11 +4397,11 @@ - wn22_so_000150 tags: - WN22-SO-000150 - - V-254459 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254459r849193_rule - - CCI-000366 - - CAT2 + - V-254459 - name: "MEDIUM | WN22-SO-000160 | PATCH | Windows Server 2022 etting Microsoft network client: Digitally sign communications (always) must be configured to Enabled." ansible.windows.win_regedit: 
@@ -4410,13 +4413,13 @@ - wn22_so_000160 tags: - WN22-SO-000160 - - V-254460 + - CAT2 + - CCI-002418 + - CCI-002421 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - SV-254460r849196_rule - - CCI-002418 - - CCI-002421 - - CAT2 + - V-254460 - name: "MEDIUM | WN22-SO-000170 | PATCH | Windows Server 2022 setting Microsoft network client: Digitally sign communications (if server agrees) must be configured to Enabled." ansible.windows.win_regedit: @@ -4428,13 +4431,13 @@ - wn22_so_000170 tags: - WN22-SO-000170 - - V-254461 + - CAT2 + - CCI-002421 + - CCI-002418 - SRG-OS-000423-GPOS-00187 - SRG-OS-000424-GPOS-00188 - SV-254461r849199_rule - - CCI-002421 - - CCI-002418 - - CAT2 + - V-254461 - name: "MEDIUM | WN22-SO-000180 | PATCH | Windows Server 2022 unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers." ansible.windows.win_regedit: @@ -4446,11 +4449,11 @@ - wn22_so_000180 tags: - WN22-SO-000180 - - V-254462 + - CAT2 + - CCI-000197 - SRG-OS-000074-GPOS-00042 - SV-254462r877396_rule - - CCI-000197 - - CAT2 + - V-254462 - name: "MEDIUM | WN22-SO-000190 | PATCH | Windows Server 2022 setting Microsoft network server: Digitally sign communications (always) must be configured to Enabled." ansible.windows.win_regedit: @@ -4462,12 +4465,12 @@ - wn22_so_000190 tags: - WN22-SO-000190 - - V-254463 - - SRG-OS-000423-GPOS-00187 - - SV-254463r849205_rule + - CAT2 - CCI-002418 - CCI-002421 - - CAT2 + - SRG-OS-000423-GPOS-00187 + - SV-254463r849205_rule + - V-254463 - name: "MEDIUM | WN22-SO-000200 | PATCH | Windows Server 2022 setting Microsoft network server: Digitally sign communications (if client agrees) must be configured to Enabled." ansible.windows.win_regedit: 
@@ -4479,12 +4482,12 @@ - wn22_so_000200 tags: - WN22-SO-000200 - - V-254464 - - SRG-OS-000423-GPOS-00187 - - SV-254464r849208_rule + - CAT2 - CCI-002418 - CCI-002421 - - CAT2 + - SRG-OS-000423-GPOS-00187 + - SV-254464r849208_rule + - V-254464 - name: "MEDIUM | WN22-SO-000240 | PATCH | Windows Server 2022 must be configured to prevent anonymous users from having the same permissions as the Everyone group." ansible.windows.win_regedit: @@ -4496,11 +4499,11 @@ - wn22_so_000240 tags: - WN22-SO-000240 - - V-254468 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254468r849220_rule - - CCI-000366 - - CAT2 + - V-254468 - name: "MEDIUM | WN22-SO-000260 | PATCH | Windows Server 2022 services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity instead of authenticating anonymously." ansible.windows.win_regedit: @@ -4512,11 +4515,11 @@ - wn22_so_000260 tags: - WN22-SO-000260 - - V-254470 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254470r849226_rule - - CCI-000366 - - CAT2 + - V-254470 - name: "MEDIUM | WN22-SO-000270 | PATCH | Windows Server 2022 must prevent NTLM from falling back to a Null session." ansible.windows.win_regedit: @@ -4528,11 +4531,11 @@ - wn22_so_000270 tags: - WN22-SO-000270 - - V-254471 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254471r849229_rule - - CCI-000366 - - CAT2 + - V-254471 - name: "MEDIUM | WN22-SO-000280 | PATCH | Windows Server 2022 Must prevent PKU2U authentication using online identities." ansible.windows.win_regedit: @@ -4544,11 +4547,11 @@ - wn22_so_000280 tags: - WN22-SO-000280 - - V-254472 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254472r849232_rule - - CCI-000366 - - CAT2 + - V-254472 - name: "MEDIUM | WN22-SO-000290 | PATCH | Windows Server 2022 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites." ansible.windows.win_regedit: 
@@ -4560,11 +4563,11 @@ - wn22_so_000290 tags: - WN22-SO-000290 - - V-254473 + - CAT2 + - CCI-000803 - SRG-OS-000120-GPOS-00061 - SV-254473r849235_rule - - CCI-000803 - - CAT2 + - V-254473 - name: "MEDIUM | WN22-SO-000320 | PATCH | Windows Server 2022 must be configured to at least negotiate signing for LDAP client signing." ansible.windows.win_regedit: @@ -4576,11 +4579,11 @@ - wn22_so_000320 tags: - WN22-SO-000320 - - V-254476 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254476r849244_rule - - CCI-000366 - - CAT2 + - V-254476 - name: "MEDIUM | WN22-SO-000330 | PATCH | Windows Server 2022 session security for NTLM SSP-based clients must be configured to require NTLMv2 session security and 128-bit encryption." ansible.windows.win_regedit: @@ -4592,11 +4595,11 @@ - wn22_so_000330 tags: - WN22-SO-000330 - - V-254477 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254477r849247_rule - - CCI-000366 - - CAT2 + - V-254477 - name: "MEDIUM | WN22-SO-000340 | PATCH | Windows Server 2022 session security for NTLM SSP-based servers must be configured to require NTLMv2 session security and 128-bit encryption." ansible.windows.win_regedit: @@ -4608,11 +4611,11 @@ - wn22_so_000340 tags: - WN22-SO-000340 - - V-254478 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254478r849250_rule - - CCI-000366 - - CAT2 + - V-254478 - name: "MEDIUM | WN22-SO-000350 | PATCH | Windows Server 2022 users must be required to enter a password to access private keys stored on the computer." ansible.windows.win_regedit: @@ -4624,11 +4627,11 @@ - wn22_so_000350 tags: - WN22-SO-000350 - - V-254479 + - CAT2 + - CCI-000186 - SRG-OS-000067-GPOS-00035 - SV-254479r849253_rule - - CCI-000186 - - CAT2 + - V-254479 - name: "MEDIUM | WN22-SO-000360 | PATCH | Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." ansible.windows.win_regedit: 
@@ -4640,11 +4643,11 @@ - wn22_so_000360 tags: - WN22-SO-000360 - - V-254480 + - CAT2 + - CCI-002450 - SRG-OS-000478-GPOS-00223 - SV-254480r877466_rule - - CCI-002450 - - CAT2 + - V-254480 - name: "MEDIUM | WN22-SO-000380 | PATCH | Windows Server 2022 User Account Control approval mode for the built-in Administrator must be enabled." ansible.windows.win_regedit: @@ -4656,11 +4659,11 @@ - wn22_so_000380 tags: - WN22-SO-000380 - - V-254482 + - CAT2 + - CCI-002038 - SRG-OS-000373-GPOS-00156 - SV-254482r849262_rule - - CCI-002038 - - CAT2 + - V-254482 - name: "MEDIUM | WN22-SO-000390 | PATCH | Windows Server 2022 UIAccess applications must not be allowed to prompt for elevation without using the secure desktop." ansible.windows.win_regedit: @@ -4672,11 +4675,11 @@ - wn22_so_000390 tags: - WN22-SO-000390 - - V-254483 + - CAT2 + - CCI-001084 - SRG-OS-000134-GPOS-00068 - SV-254483r849265_rule - - CCI-001084 - - CAT2 + - V-254483 - name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2022 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop." ansible.windows.win_regedit: @@ -4688,11 +4691,11 @@ - wn22_so_000400 tags: - WN22-SO-000400 - - V-254484 + - CAT2 + - CCI-001084 - SRG-OS-000134-GPOS-00068 - SV-254484r849268_rule - - CCI-001084 - - CAT2 + - V-254484 - name: "MEDIUM | WN22-SO-000410 | PATCH | Windows Server 2022 User Account Control must automatically deny standard user requests for elevation." ansible.windows.win_regedit: @@ -4705,12 +4708,12 @@ - wn22_so_000410 tags: - WN22-SO-000410 - - V-254485 + - CAT2 + - CCI-002038 - SRG-OS-000373-GPOS-00157 - SRG-OS-000373-GPOS-00156 - SV-254485r849271_rule - - CCI-002038 - - CAT2 + - V-254485 - name: "MEDIUM | WN22-SO-000420 | PATCH | Windows Server 2022 User Account Control must be configured to detect application installations and prompt for elevation." ansible.windows.win_regedit: 
@@ -4722,11 +4725,11 @@ - wn22_so_000420 tags: - WN22-SO-000420 - - V-254486 + - CAT2 + - CCI-001084 - SRG-OS-000134-GPOS-00068 - SV-254486r849274_rule - - CCI-001084 - - CAT2 + - V-254486 - name: "MEDIUM | WN22-SO-000430 | PATCH | Windows Server 2022 User Account Control (UAC) must only elevate UIAccess applications that are installed in secure locations." ansible.windows.win_regedit: @@ -4738,11 +4741,11 @@ - wn22_so_000430 tags: - WN22-SO-000430 - - V-254487 + - CAT2 + - CCI-001084 - SRG-OS-000134-GPOS-00068 - SV-254487r849277_rule - - CCI-001084 - - CAT2 + - V-254487 - name: "MEDIUM | WN22-SO-000440 | PATCH | Windows Server 2022 User Account Control must run all administrators in Admin Approval Mode, enabling UAC." ansible.windows.win_regedit: @@ -4754,12 +4757,12 @@ - wn22_so_000440 tags: - WN22-SO-000440 - - V-254488 + - CAT2 + - CCI-002038 - SRG-OS-000373-GPOS-00157 - SRG-OS-000373-GPOS-00156 - SV-254488r849280_rule - - CCI-002038 - - CAT2 + - V-254488 - name: "MEDIUM | WN22-SO-000450 | PATCH | Windows Server 2022 User Account Control (UAC) must virtualize file and registry write failures to per-user locations." ansible.windows.win_regedit: @@ -4771,11 +4774,11 @@ - wn22_so_000450 tags: - WN22-SO-000450 - - V-254489 + - CAT2 + - CCI-001084 - SRG-OS-000134-GPOS-00068 - SV-254489r849283_rule - - CCI-001084 - - CAT2 + - V-254489 - name: "MEDIUM | WN22-UC-000010 | PATCH | Windows Server 2022 must preserve zone information when saving attachments." ansible.windows.win_regedit: @@ -4787,11 +4790,11 @@ - wn22_uc_000010 tags: - WN22-UC-000010 - - V-254490 + - CAT2 + - CCI-000366 - SRG-OS-000480-GPOS-00227 - SV-254490r849286_rule - - CCI-000366 - - CAT2 + - V-254490 # [WARNING]: Using this module to edit rights and privileges is error-prone, use the win_user_right module instead - name: "MEDIUM | WN22-UR-000010 | PATCH | Windows Server 2022 Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts." 
@@ -4803,11 +4806,11 @@ - wn22_ur_000010 tags: - WN22-UR-000010 - - V-254491 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254491r877392_rule - - CCI-002235 - - CAT2 + - V-254491 - name: "MEDIUM | WN22-UR-000030 | PATCH | Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -4818,11 +4821,11 @@ - wn22_ur_000030 tags: - WN22-UR-000030 - - V-254493 + - CAT2 + - CCI-000213 - SRG-OS-000080-GPOS-00048 - SV-254493r849295_rule - - CCI-000213 - - CAT2 + - V-254493 - name: "MEDIUM | WN22-UR-000040 | PATCH | Windows Server 2022 Back up files and directories user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -4833,11 +4836,11 @@ - wn22_ur_000040 tags: - WN22-UR-000040 - - V-254494 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254494r877392_rule - - CCI-002235 - - CAT2 + - V-254494 - name: "MEDIUM | WN22-UR-000050 | PATCH | Windows Server 2022 Create a pagefile user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -4848,11 +4851,11 @@ - wn22_ur_000050 tags: - WN22-UR-000050 - - V-254495 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254495r877392_rule - - CCI-002235 - - CAT2 + - V-254495 - name: "MEDIUM | WN22-UR-000070 | PATCH | Windows Server 2022 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: @@ -4867,11 +4870,11 @@ - wn22_ur_000070 tags: - WN22-UR-000070 - - V-254497 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254497r877392_rule - - CCI-002235 - - CAT2 + - V-254497 - name: "MEDIUM | WN22-UR-000080 | PATCH | Windows Server 2022 Create permanent shared objects user right must not be assigned to any groups or accounts." community.windows.win_security_policy: 
@@ -4882,11 +4885,11 @@ - wn22_ur_000080 tags: - WN22-UR-000080 - - V-254498 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254498r877392_rule - - CCI-002235 - - CAT2 + - V-254498 - name: "MEDIUM | WN22-UR-000090 | PATCH | Windows Server 2022 Create symbolic links user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -4897,11 +4900,11 @@ - wn22_ur_000090 tags: - WN22-UR-000090 - - V-254499 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254499r877392_rule - - CCI-002235 - - CAT2 + - V-254499 - name: "MEDIUM | WN22-UR-000110 | PATCH | Windows Server 2022 Force shutdown from a remote system user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -4912,11 +4915,11 @@ - wn22_ur_000110 tags: - WN22-UR-000110 - - V-254501 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254501r877392_rule - - CCI-002235 - - CAT2 + - V-254501 - name: "MEDIUM | WN22-UR-000120 | PATCH | Windows Server 2022 Generate security audits user right must only be assigned to Local Service and Network Service." ansible.windows.win_user_right: @@ -4929,11 +4932,11 @@ - wn22_ur_000120 tags: - WN22-UR-000120 - - V-254502 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254502r877392_rule - - CCI-002235 - - CAT2 + - V-254502 - name: "MEDIUM | WN22-UR-000130 | PATCH | Windows Server 2022 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: @@ -4948,11 +4951,11 @@ - wn22_ur_000130 tags: - WN22-UR-000130 - - V-254503 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254503r877392_rule - - CCI-002235 - - CAT2 + - V-254503 - name: "MEDIUM | WN22-UR-000140 | PATCH | Windows Server 2022 Increase scheduling priority: user right must only be assigned to the Administrators group." ansible.windows.win_user_right: 
@@ -4963,11 +4966,11 @@ - wn22_ur_000140 tags: - WN22-UR-000140 - - V-254504 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254504r877392_rule - - CCI-002235 - - CAT2 + - V-254504 - name: "MEDIUM | WN22-UR-000150 | PATCH | Windows Server 2022 Load and unload device drivers user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -4978,11 +4981,11 @@ - wn22_ur_000150 tags: - WN22-UR-000150 - - V-254505 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254505r877392_rule - - CCI-002235 - - CAT2 + - V-254505 - name: "MEDIUM | WN22-UR-000160 | PATCH | Windows Server 2022 Lock pages in memory user right must not be assigned to any groups or accounts." community.windows.win_security_policy: @@ -4993,12 +4996,12 @@ - wn22_ur_000160 tags: - WN22-UR-000160 - - V-254506 - - SRG-OS-000324-GPOS-00125 - - SV-254506r877392_rule + - CAT2 - CCI-002235 - CCI-002824 - - CAT2 + - SRG-OS-000324-GPOS-00125 + - SV-254506r877392_rule + - V-254506 - name: "MEDIUM | WN22-UR-000170 | PATCH | Windows Server 2022 Manage auditing and security log user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -5009,15 +5012,15 @@ - wn22_ur_000170 tags: - WN22-UR-000170 - - V-254507 - - SRG-OS-000057-GPOS-00027 - - SV-254507r849337_rule + - CAT2 - CCI-000162 - CCI-000163 - CCI-000164 - CCI-000171 - CCI-001914 - - CAT2 + - SRG-OS-000057-GPOS-00027 + - SV-254507r849337_rule + - V-254507 - name: "MEDIUM | WN22-UR-000180 | PATCH | Windows Server 2022 Modify firmware environment values user right must only be assigned to the Administrators group." ansible.windows.win_user_right: 
@@ -5028,11 +5031,11 @@ - wn22_ur_000180 tags: - WN22-UR-000180 - - V-254508 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254508r877392_rule - - CCI-002235 - - CAT2 + - V-254508 - name: "MEDIUM | WN22-UR-000190 | PATCH | Windows Server 2022 Perform volume maintenance tasks user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -5043,11 +5046,11 @@ - wn22_ur_000190 tags: - WN22-UR-000190 - - V-254509 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254509r877392_rule - - CCI-002235 - - CAT2 + - V-254509 - name: "MEDIUM | WN22-UR-000200 | PATCH | Windows Server 2022 Profile single process user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -5058,11 +5061,11 @@ - wn22_ur_000200 tags: - WN22-UR-000200 - - V-254510 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254510r877392_rule - - CCI-002235 - - CAT2 + - V-254510 - name: "MEDIUM | WN22-UR-000210 | PATCH | Windows Server 2022 Restore files and directories user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -5073,11 +5076,11 @@ - wn22_ur_000210 tags: - WN22-UR-000210 - - V-254511 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254511r877392_rule - - CCI-002235 - - CAT2 + - V-254511 - name: "MEDIUM | WN22-UR-000220 | PATCH | Windows Server 2022 Take ownership of files or other objects user right must only be assigned to the Administrators group." ansible.windows.win_user_right: @@ -5088,8 +5091,8 @@ - wn22_ur_000220 tags: - WN22-UR-000220 - - V-254512 + - CAT2 + - CCI-002235 - SRG-OS-000324-GPOS-00125 - SV-254512r877392_rule - - CCI-002235 - - CAT2 + - V-254512 From a79e211defb03a027c2c17c69c4842292c97fda4 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 10 Aug 2023 14:48:10 -0400 Subject: [PATCH 67/95] Tag order update OR's to multiline -a 
Signed-off-by: Frederick Witty --- .ansible-lint | 5 +---- .yamllint | 4 +--- tasks/cat1.yml | 2 ++ tasks/cat2.yml | 31 +++++++++++++++++++++--------- tasks/cat2_cloud_lockout_order.yml | 15 ++++++++++----- tasks/prelim.yml | 4 +++- 6 files changed, 39 insertions(+), 22 deletions(-) diff --git a/.ansible-lint b/.ansible-lint index 9a75749..47f63b5 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -5,16 +5,13 @@ quiet: true skip_list: - 'schema' - 'no-changed-when' - - 'fqcn-builtins' - 'experimental' - - 'fqcn[action-core]' - - 'fqcn[action]' - 'name[casing]' - 'name[template]' - 'jinja[spacing]' - 'yaml[line-length]' + - 'key-order[task]' - 'var-naming' # Older playbook no new release - - 'key-order' - '204' - '208' - '305' diff --git a/.yamllint b/.yamllint index a49f497..78e8353 100644 --- a/.yamllint +++ b/.yamllint @@ -1,14 +1,12 @@ --- extends: default - ignore: | tests/ molecule/ .github/ .gitlab-ci.yml *molecule.yml - rules: indentation: # Requiring 4 space indentation @@ -31,4 +29,4 @@ rules: trailing-spaces: enable truthy: allowed-values: ['true', 'false'] - check-keys: false + check-keys: true diff --git a/tasks/cat1.yml b/tasks/cat1.yml index cdee0d1..721fca9 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -48,6 +48,7 @@ - SRG-OS-000080-GPOS-00048 - SV-254250r848566_rule - V-205663 + - audit - name: "HIGH | WN22-AC-000090 | PATCH | Windows Server 2022 reversible password encryption must be disabled." community.windows.win_security_policy: @@ -192,6 +193,7 @@ - SRG-OS-000324-GPOS-00125 - SV-254385r877392_rule - V-254385 + - audit - name: "HIGH | WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access." block: diff --git a/tasks/cat2.yml b/tasks/cat2.yml index f999f28..1928633 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
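Review bot: In the first tasks/cat1.yml hunk (`@@ -48,6 +48,7 @@`) the tag list that now gains `- audit` pairs `SV-254250r848566_rule` with `V-205663`, whereas every other task in this patch pairs `SV-254NNN` with the matching `V-254NNN`; the vulnerability id looks like a stale carry-over and should be checked against the Server 2022 STIG and, if confirmed, changed to `- V-254250`. A wrong V- tag matters operationally because operators select controls with `--tags V-…`, and a mismatched tag makes that control silently not run. The task's name line is outside the hunk, so I cannot confirm that it is an AUDIT task; if it is a PATCH task, the new `audit` tag would also be misleading.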
@@ -449,7 +449,9 @@ ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000190' - when: wn22_00_000190_account_audit_dc is not skipped and wn22_00_000190_account_audit_dc.stdout != "" or wn22_00_000190_account_audit_dm_sa is not skipped and wn22_00_000190_account_audit_dm_sa.stdout != "" + when: + - wn22_00_000190_account_audit_dc is not skipped and wn22_00_000190_account_audit_dc.stdout != "" or + wn22_00_000190_account_audit_dm_sa is not skipped and wn22_00_000190_account_audit_dm_sa.stdout != "" when: - wn22_00_000190 tags: @@ -502,7 +504,8 @@ warn_control_id: 'WN22-00-000200' when: - not wn22_00_000200_audit_dc is skipped - - wn22_00_000200_audit_dc.stdout != "" or not wn22_00_000200_audit_dm_sa is skipped + - wn22_00_000200_audit_dc.stdout != "" or + not wn22_00_000200_audit_dm_sa is skipped - wn22_00_000200_audit_dm_sa.stdout != "" when: - wn22_00_000200 @@ -787,7 +790,9 @@ ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000300' - when: wn22_00_000330_audit_dc is not skipped and wn22_00_000330_audit_dc.stdout != "" or wn22_00_000330_audit_dc is not skipped and wn22_00_000330_audit_dc.stdout != "" + when: + - wn22_00_000330_audit_dc is not skipped and wn22_00_000330_audit_dc.stdout != "" or + wn22_00_000330_audit_dc is not skipped and wn22_00_000330_audit_dc.stdout != "" when: - wn22_00_000300 tags: @@ -839,7 +844,9 @@ ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000310' - when: wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" or wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" + when: + - wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" or + wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" when: - wn22_00_000310 tags: 
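Review bot: In the `@@ -502,7 +504,8 @@` hunk the reflowed `when:` for the WN22-00-000200 warn count is a list of three items, and Ansible ANDs list items, so the condition now requires the controller audit to have run and the member/standalone audit to have produced output at the same time; on a member server `not wn22_00_000200_audit_dc is skipped` is false and the finding is never counted, and on a controller the last item reads `.stdout` from a result that may itself be skipped. The either/or that the WN22-00-000190 condition one hunk earlier still expresses in a single item is what is wanted here: `- (not wn22_00_000200_audit_dc is skipped and wn22_00_000200_audit_dc.stdout != "") or (not wn22_00_000200_audit_dm_sa is skipped and wn22_00_000200_audit_dm_sa.stdout != "")`. The same ANDed split is introduced later in this series for WN22-00-000190 (`@@ -450,8 +484,10 @@`), WN22-00-000020 (`@@ -60,8 +62,12 @@`) and WN22-00-000210 (`@@ -521,20 +557,42 @@`) in tasks/cat2.yml and needs the same treatment. The task's enclosing block and its outer `when` start before the hunk.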
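Review bot: In the `@@ -787,7 +790,9 @@` hunk both halves of the reflowed `or` are identical (`wn22_00_000330_audit_dc is not skipped and wn22_00_000330_audit_dc.stdout != ""` twice), and the variable tested is named for control 000330 while `warn_control_id` and the outer `when` refer to WN22-00-000300, which looks like a copy-paste from another control's condition. The WN22-00-000310 warn count in the next hunk (`@@ -839,7 +844,9 @@`) has the same duplicated halves. Each of these reduces to a single clause, e.g. `- wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != ""`, and the 000300 one should test whatever variable the 000300 audit task actually registers — that task is outside the hunk, so confirm the name there. The enclosing blocks start before each hunk.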
@@ -1058,7 +1065,7 @@ when: "'Installed' in wn22_00_000430_audit" - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Warning Message." - debug: + ansible.builtin.debug: msg: - "Warning!! This is a manual task. For any sites with a Binding that lists FTP, right-click the site and select Explore." - "If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding" @@ -1161,14 +1168,16 @@ - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000020' when: - - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." community.windows.win_security_policy: 
@@ -1285,14 +1294,16 @@ - "Warning!! You have a invalid number of days set for wn22stig_maximumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_maximumpasswordage == 0 or wn22stig_maximumpasswordage > 60 + - wn22stig_maximumpasswordage == 0 or + wn22stig_maximumpasswordage > 60 - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2022 maximum password age must be configured to 60 days or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000050' when: - - wn22stig_maximumpasswordage == 0 or wn22stig_maximumpasswordage > 60 + - wn22stig_maximumpasswordage == 0 or + wn22stig_maximumpasswordage > 60 - name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2022 maximum password age must be configured to 60 days or less. | Apply Variable." community.windows.win_security_policy: @@ -4077,6 +4088,7 @@ - SRG-OS-000066-GPOS-00034 - SV-254442r894653_rule - V-254442 + - audit - name: "MEDIUM | WN22-PK-000020 | AUDIT | Windows Server 2022 must have the DoD Interoperability Root Certificate Authority (CA) cross-certificates installed in the Untrusted Certificates Store on unclassified systems." block: @@ -4108,6 +4120,7 @@ - SRG-OS-000066-GPOS-00034 - SV-254443r890553_rule - V-254443 + - audit - name: "MEDIUM | WN22-PK-000030 | AUDIT | Windows Server 2022 must have the US DoD CCEB Interoperability Root CA cross-certificates in the Untrusted Certificates Store on unclassified systems." block: diff --git a/tasks/cat2_cloud_lockout_order.yml b/tasks/cat2_cloud_lockout_order.yml index 0e12f31..f4d0b5d 100644 --- a/tasks/cat2_cloud_lockout_order.yml +++ b/tasks/cat2_cloud_lockout_order.yml 
@@ -10,14 +10,16 @@ - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000020' when: - - wn22stig_lockoutbadcount == 0 or wn22stig_lockoutbadcount > 3 + - wn22stig_lockoutbadcount == 0 or + wn22stig_lockoutbadcount > 3 - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Apply Variable." community.windows.win_security_policy: @@ -62,7 +64,8 @@ key: LockoutDuration value: "{{ wn22stig_lockoutduration }}" when: - - wn22stig_lockoutduration == 0 or wn22stig_lockoutduration >= 15 + - wn22stig_lockoutduration == 0 or + wn22stig_lockoutduration >= 15 when: - wn22_ac_000010 tags: 
@@ -82,14 +85,16 @@ - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - - wn22stig_resetlockoutcount > wn22stig_lockoutduration or wn22stig_resetlockoutcount < 15 + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or + wn22stig_resetlockoutcount < 15 - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-AC-000030' when: - - wn22stig_resetlockoutcount > wn22stig_lockoutduration or wn22stig_resetlockoutcount < 15 + - wn22stig_resetlockoutcount > wn22stig_lockoutduration or + wn22stig_resetlockoutcount < 15 - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater. | Apply Variable" community.windows.win_security_policy: diff --git a/tasks/prelim.yml b/tasks/prelim.yml index b767260..fb423bc 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -16,7 +16,9 @@ ansible.builtin.set_fact: win22stig_cloud_based_system: true when: - - ansible_virtualization_type == 'Hyper-V' or ansible_virtualization_type == 'hvm' or ansible_virtualization_type == 'kvm' + - ansible_virtualization_type == 'Hyper-V' or + ansible_virtualization_type == 'hvm' or + ansible_virtualization_type == 'kvm' tags: - always From f1ae091ed707dc47f300a8776fd39a8e6d63428b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 10 Aug 2023 14:51:20 -0400 Subject: [PATCH 68/95] Update module-1 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 721fca9..9e8201e 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
@@ -30,7 +30,7 @@ register: wn22_00_000130_audit - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out" - debug: + ansible.builtin.debug: msg: - "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format that supports NTFS attributes." - "{{ wn22_00_000130_audit.stdout.split('\n') }}" From a1c7ce9274fe5e381d376739357c0e5f4e7e9d39 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 10 Aug 2023 15:04:31 -0400 Subject: [PATCH 69/95] Update OR on when to multiline -3 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 1928633..edf148f 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1259,7 +1259,8 @@ key: LockoutDuration value: "{{ wn22stig_lockoutduration }}" when: - - wn22stig_lockoutduration == 0 or wn22stig_lockoutduration >= 15 + - wn22stig_lockoutduration == 0 or + wn22stig_lockoutduration >= 15 when: - wn22_ac_000010 - not win22stig_cloud_based_system From 470598819a84479555bf13aa690ceeea2d1fa079 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 15 Aug 2023 09:36:59 -0400 Subject: [PATCH 70/95] Update manual tasks with new audit -1 Signed-off-by: Frederick Witty --- defaults/main.yml | 11 ++- tasks/cat1.yml | 6 +- tasks/cat2.yml | 146 ++++++++++++++++++++++------- tasks/cat2_cloud_lockout_order.yml | 3 + tasks/prelim.yml | 5 +- 5 files changed, 131 insertions(+), 40 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fcdb969..fcb7518 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -29,8 +29,11 @@ win2022stig_audit_disruptive: true # tweak role to run in a non-privileged container win2022stig_system_is_container: false -# set to false to skip long running tasks -long_running: false +# This parameter disables controls that could have a very lengthy find. For example +# removing all files of a specific file type that search the entire drive. +# If there is an action tied to the lengthy search the action task will be disabled as well. +# WN22-00-000240 - CAT2 +win22stig_lengthy_search: false # win22stig_cloud_based_system is a setting built into the playbook for testing locally vs azure. # We have found certain controls need to be set in a different order when being applied in the @@ -335,8 +338,8 @@ wn22_so_000370: true # WN22-00-000020 # Windows Server 2022 passwords for the built-in Administrator account must be changed at least every 60 days. -# If the PasswordLastSet date is greater than wn22stig_pass_age days old, this is a finding. -wn22stig_pass_age: 60 +# If the PasswordLastSet date is greater than wn22stig_pass_age_administrator days old, this is a finding. +wn22stig_pass_age_administrator: 60 # WN22-AC-000010 # Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 9e8201e..92c2ae7 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
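Review bot: Both hunks rename a public role variable (`long_running` to `win22stig_lengthy_search`, `wn22stig_pass_age` to `wn22stig_pass_age_administrator`) with no compatibility shim, so an inventory or extra-vars file that still sets the old names silently falls back to these defaults: the WN22-00-000240 certificate-file search stays off and the Administrator password-age threshold reverts to 60. A one-line bridge such as `win22stig_lengthy_search: "{{ long_running | default(false) }}"` for a release, or at minimum a changelog/README entry naming both renames, would make the change visible to existing users. The new comment also lists only WN22-00-000240 as affected by the lengthy-search switch; if other controls consult it, they belong in that comment too.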
@@ -32,8 +32,10 @@ - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out" ansible.builtin.debug: msg: - - "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format that supports NTFS attributes." - - "{{ wn22_00_000130_audit.stdout.split('\n') }}" + - "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format" + - "that supports NTFS attributes. Please check to verify your system is in compliance." + - "ReFS (resilient file system) is also acceptable and would not be a finding." + - "This does not apply to system partitions such the Recovery and EFI System Partition." - "{{ wn22_00_000130_audit.stdout.split('\n') }}" - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml diff --git a/tasks/cat2.yml b/tasks/cat2.yml index edf148f..9b15595 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -21,38 +21,40 @@ - V-254238 - audit -- name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." +- name: "MEDIUM | WN22-00-000020 | AUDIT | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age_administrator }} days." block: - - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." - ansible.windows.win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age }}))} | Select Name,PasswordLastSet" + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age_administrator }} days." + ansible.windows.win_shell: "Get-ADUser -Filter * -Property PasswordLastSet | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age_administrator }}))} | Select Name,PasswordLastSet" changed_when: false check_mode: false register: wn22_00_000020_audit_dc when: "'controller' in ansible_windows_domain_role" - - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age_administrator }} days." 
ansible.builtin.debug: msg: - - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age }}" - - "{{ wn9_00_000020_audit_dc.stdout.split('\n') }}" + - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age_administrator }}" + - "{{ wn22_00_000020_audit_dc.stdout.split('\n') }}" when: - not wn22_00_000020_audit_dc is skipped - wn22_00_000020_audit_dc.stdout != "" + - wn22stig_pass_age_administrator <= 60 - - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." - ansible.windows.win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age }}))} | Select Name,PasswordLastSet" + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age_administrator }} days." + ansible.windows.win_shell: "Get-Localuser -Name * | Select * | Where SID -like S-1-5-21-*-500 | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_pass_age_administrator }}))} | Select Name,PasswordLastSet" changed_when: false check_mode: false register: wn22_00_000020_audit_dm_sa - - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age }} days." + - name: "MEDIUM | WN22-00-000020 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 passwords for the built-in Administrator account must be changed at least every {{ wn22stig_pass_age_administrator }} days." 
ansible.builtin.debug: msg: - - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age }}" + - "The following account appears to be the default admin account and the password does not meet the control specific age of {{ wn22stig_pass_age_administrator }}" - "{{ wn22_00_000020_audit_dm_sa.stdout.split('\n') }}" when: - wn22_00_000020_audit_dm_sa is defined - wn22_00_000020_audit_dm_sa.stdout != "" + - wn22stig_pass_age_administrator <= 60 - name: Warn Count." ansible.builtin.import_tasks: warning_facts.yml @@ -60,8 +62,12 @@ warn_control_id: 'WN22-00-000020' when: - not wn22_00_000020_audit_dc is skipped - - wn22_00_000020_audit_dc.stdout != "" or wn22_00_000020_audit_dm_sa is defined + - wn22_00_000020_audit_dc.stdout != "" + - wn22stig_pass_age_administrator <= 60 or + wn22_00_000020_audit_dm_sa is defined - wn22_00_000020_audit_dm_sa.stdout != "" + - wn22stig_pass_age_administrator <= 60 or + wn22stig_pass_age_administrator > 60 when: - wn22_00_000020 tags: @@ -84,7 +90,8 @@ - name: "MEDIUM | WN22-00-000040 | AUDIT - STAND-ALONE AND MEMBER SERVERS | Windows Server 2022 members of the Backup Operators group must have separate accounts for backup duties and normal operational tasks." ansible.builtin.debug: msg: - - The accounts listed are members of the Backup Operators group + - "Warning!! This is a manual task. The accounts listed are members of the Backup Operators group." + - "Please verify these accounts have separate accounts for backup duties and normal operational tasks." - "{{ wn22_00_000040_audit.stdout.split('\n') }}" when: - not wn22_00_000040_audit is skipped 
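Review bot: The `when:` of both the 'AUDIT - DOMAIN CONTROLLER' and 'AUDIT - DOMAIN MEMBERS OR STANDALONE' debug tasks gains `- wn22stig_pass_age_administrator <= 60`, which suppresses the finding message exactly when the variable has been set above the STIG maximum, i.e. when the host is least likely to be compliant. A value above 60 is a misconfigured role input, so the message should still print, or a separate variable warning should fire the way the lockout and password-age controls later in this file do with their `== 0 or > N` checks, rather than the control going quiet. Dropping the two `<= 60` items and keeping the `is skipped` / `stdout != ""` guards restores the earlier behaviour; the `wn9_00_000020_audit_dc` to `wn22_00_000020_audit_dc` correction in the same task is a real fix and should stay. The enclosing block's outer `when` and `tags` continue in the next hunk.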
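Review bot: The last item of the WN22-00-000020 warn-count `when:` in `@@ -60,8 +62,12 @@`, `wn22stig_pass_age_administrator <= 60 or wn22stig_pass_age_administrator > 60`, is always true for any number and should simply be removed. The remaining items are ANDed, so the count now needs `wn22_00_000020_audit_dc` to be unskipped with output and `wn22_00_000020_audit_dm_sa` to have output in the same run, where the old single line was an either/or; one item `- (not wn22_00_000020_audit_dc is skipped and wn22_00_000020_audit_dc.stdout != "") or (wn22_00_000020_audit_dm_sa is defined and wn22_00_000020_audit_dm_sa.stdout != "")` expresses the intent. The task's enclosing block starts before the hunk.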
@@ -193,16 +200,43 @@ - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." block: - - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Message out" + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Get TPM Settings" + ansible.windows.win_command: wmic /namespace:\\root\cimv2\security\microsofttpm path win32_tpm get * /format:textvaluelist.xsl + changed_when: false + failed_when: false + register: wn22_00_000090_tpm_status + + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Running Instances Check." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use." + msg: + - "Warning!! Please confirm TPM status is Ready for use, there are no instances currently running." + when: "'No Instance' in wn22_00_000090_tpm_status.stderr_lines | string" + + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Full TPM Check." + ansible.builtin.debug: + msg: + - "Warning!! Please confirm TPM status is Ready for use. Current settings do not meet STIG requirements." 
+ when: + - "'No Instance' not in wn22_00_000090_tpm_status.stderr_lines | string" + - "'IsActivated_InitialValue=TRUE' in wn22_00_000090_tpm_status.stderr_lines | string" + - "'IsEnabled_InitialValue=TRUE' in wn22_00_000090_tpm_status.stderr_lines | string" + - "'IsOwned_InitialValue=TRUE' in wn22_00_000090_tpm_status.stderr_lines | string" + - "'SpecVersion=2' or 'SpecVersion=1.2' in wn22_00_000090_tpm_status.stderr_lines | string" - - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | import reuseable task." + - name: "MEDIUM | WN22-00-000090 | AUDIT | Windows Server 2022 domain-joined systems must have a Trusted Platform Module (TPM) enabled and ready for use. | Warning Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000090' + when: + - "'No Instance' not in wn22_00_000090_tpm_status.stderr_lines | string" + - "'IsActivated_InitialValue=TRUE' in wn22_00_000090_tpm_status.stderr_lines | string" + - "'IsEnabled_InitialValue=TRUE' in wn22_00_000090_tpm_status.stderr_lines | string" + - "'IsOwned_InitialValue=TRUE' in wn22_00_000090_tpm_status.stderr_lines | string" + - "'SpecVersion=2.0' or 'SpecVersion=1.2' in wn22_00_000090_tpm_status.stderr_lines | string or + 'No Instance' in wn22_00_000090_tpm_status.stderr_lines | string" when: - wn22_00_000090 + - ansible_windows_domain_member tags: - WN22-00-000090 - CAT2 @@ -450,8 +484,10 @@ vars: warn_control_id: 'WN22-00-000190' when: - - wn22_00_000190_account_audit_dc is not skipped and wn22_00_000190_account_audit_dc.stdout != "" or - wn22_00_000190_account_audit_dm_sa is not skipped and wn22_00_000190_account_audit_dm_sa.stdout != "" + - wn22_00_000190_account_audit_dc is not skipped + - wn22_00_000190_account_audit_dc.stdout != "" or + wn22_00_000190_account_audit_dm_sa is not skipped + - wn22_00_000190_account_audit_dm_sa.stdout != "" when: - wn22_00_000190 tags: 
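Review bot: The SpecVersion items in the 'Full TPM Check' and 'Warning Count' tasks, `'SpecVersion=2' or 'SpecVersion=1.2' in … | string` and `'SpecVersion=2.0' or 'SpecVersion=1.2' in … or 'No Instance' in …`, parse as `'SpecVersion=2' or (…)`, and a non-empty string literal is always true, so neither item constrains anything (and the two tasks also disagree on `2` versus `2.0`); each needs its own membership test, e.g. `- "'SpecVersion=2.0' in wn22_00_000090_tpm_status.stdout | string or 'SpecVersion=1.2' in wn22_00_000090_tpm_status.stdout | string"`. Every property test reads `stderr_lines`, but `wmic … /format:textvaluelist.xsl` presumably writes the property list to stdout and only messages like 'No Instance(s) Available' to stderr, in which case the `IsActivated_InitialValue=TRUE` / `IsEnabled_InitialValue=TRUE` / `IsOwned_InitialValue=TRUE` items never match — verify against a captured run on a host with a TPM. The 'Full TPM Check' message says the settings do not meet the STIG when all three flags are TRUE, which reads as the compliant state, so that condition looks inverted relative to the warning it prints. `Get-Tpm` from PowerShell returns structured `TpmPresent`/`TpmReady` fields and would avoid text parsing altogether. The block's tag list may continue past the hunk.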
@@ -521,20 +557,42 @@ - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire." block: - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire." - ansible.windows.win_shell: Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} | Format-Table -Property Name,PasswordExpires,Disabled,LocalAccount # pragma: allowlist secret + ansible.windows.win_shell: Search-ADAccount -PasswordNeverExpires -UsersOnly | FT Name, PasswordNeverExpires, Enabled changed_when: false failed_when: false check_mode: false - register: wn22_00_000210_audit + register: wn22_00_000210_audit_dc + when: ansible_windows_domain_role == "Primary domain controller" - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire.| Message out" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 passwords must be configured to expire." + msg: + - "Warning!! This is a manual task. Windows Server 2022 passwords must be configured to expire." + - "The Following Accounts may not conform To STIG Standards." + - "{{ wn22_00_000210_audit_dc.stdout.split('\n') }}" + when: + - wn22_00_000210_audit_dc is not skipped + - wn22_00_000210_audit_dc.stdout != "" - - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire.| import reuseable task." + - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire. | Audit Local Accounts." 
+ ansible.windows.win_shell: | + Get-CimInstance -Class Win32_Useraccount -Filter "PasswordExpires=False and LocalAccount=True" | + Where-Object -FilterScript {$_.PasswordExpires -EQ $False -AND $_.Disabled -EQ $False} | + Format-Table -Property Name,PasswordExpires,Disabled,LocalAccount + changed_when: false + failed_when: false + register: wn22_00_000210_audit_dm_sa + when: not ansible_windows_domain_role == "Primary domain controller" + + - name: "MEDIUM | WN22-00-000210 | AUDIT | Windows Server 2022 passwords must be configured to expire. | Warning Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000210' + when: + - wn22_00_000210_audit_dc is not skipped + - wn22_00_000210_audit_dc.stdout != "" or + wn22_00_000210_audit_dm_sa is not skipped + - wn22_00_000210_audit_dm_sa.stdout != "" when: - wn22_00_000210 tags: 
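Review bot: The new controller branch is gated on `ansible_windows_domain_role == "Primary domain controller"` and the local branch on its negation, whereas the WN22-00-000020 audit earlier in this file tests `'controller' in ansible_windows_domain_role`; the exact-string form sends a backup domain controller down the `Get-CimInstance … LocalAccount=True` path and never runs `Search-ADAccount` there. Using `'controller' in ansible_windows_domain_role` (and its `not`) keeps the two controls consistent. Two smaller points: the new local-account task drops the `check_mode: false` that the controller task keeps, and the DC query no longer excludes disabled accounts the way the removed `$_.Disabled -EQ $False` clause did, so disabled never-expire accounts are now reported as findings — `Search-ADAccount -PasswordNeverExpires -UsersOnly | Where-Object Enabled | FT Name, PasswordNeverExpires, Enabled` restores that filter. The block's outer `when` and `tags` continue past the hunk.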
@@ -599,27 +657,49 @@ - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed." block: - - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed." + - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed. | Search for files" ansible.windows.win_find: - paths: c:\ + paths: '{{ item }}:\' patterns: ['*.p12', '*.pfx'] - hidden: true recurse: true - follow: true - check_mode: false - register: wn22_00_000240_audit - when: long_running + hidden: true + register: wn22_00_000240_files + with_items: "{{ wn22_drive_letters.stdout_lines }}" + + - name: "MEDIUM | WN22-00-000240 | PATCH | Windows Server 2022 must have software certificate installation files removed. | Remove Files" + ansible.windows.win_file: + path: "{{ item.path }}" + state: absent + with_items: + - "{{ wn22_00_000240_files.results[0].files }}" + loop_control: + label: "{{ item.path }}" + when: + - win2022stig_disruption_high + - wn22_00_000240_files.results[0].files | length > 0 - - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed." + - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed. | Alert on files if not Disruptive High" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must have software certificate installation files removed." + msg: + - "Warning!! You have .p12 and/or .pfx files on your system" + - "Please review and remove the following files manually. If you" + - "would like them removed with automation set win2022stig_disruption_high: true" + - "Any files not removed must be documented with the ISSO." 
+ - "{{ wn22_00_000240_files.results[0].files | map(attribute='path') | list }}" + when: + - not win2022stig_disruption_high + - wn22_00_000240_files.results[0].files | length > 0 - - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed. | import reuseable task." + - name: "MEDIUM | WN22-00-000240 | AUDIT | Windows Server 2022 must have software certificate installation files removed. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000240' + when: + - not win2022stig_disruption_high + - wn22_00_000240_files.results[0].files | length > 0 when: - wn22_00_000240 + - win22stig_lengthy_search tags: - WN22-00-000240 - CAT2 @@ -1158,7 +1238,7 @@ when: - win22stig_cloud_based_system tags: - - cat2_cloud + - cat2_cloud_lockout_order - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less." block: @@ -1198,7 +1278,7 @@ - SV-254286r848674_rule - V-254286 -# Below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" +# The below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." block: - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." diff --git a/tasks/cat2_cloud_lockout_order.yml b/tasks/cat2_cloud_lockout_order.yml index f4d0b5d..5931a68 100644 --- a/tasks/cat2_cloud_lockout_order.yml 
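Review bot: The search task loops `with_items: "{{ wn22_drive_letters.stdout_lines }}"` and so registers one result per drive, but the remove, alert and warn-count tasks all read `wn22_00_000240_files.results[0].files`, i.e. only the first drive; `.p12`/`.pfx` files on any other volume are neither removed nor reported, which is a silent pass for the control. Flatten the loop results instead, `{{ wn22_00_000240_files.results | map(attribute='files') | flatten }}`, in the remove task's `with_items` and in the two `| length > 0` conditions. Because `win22stig_lengthy_search: false` now skips the whole block, the control also drops out of the warning count with no trace; a debug or warn task outside that gate saying the check was not run would keep it visible in the report. Keying deletion on `win2022stig_disruption_high` with a per-path `loop_control: label` is the right shape, since removing a PFX destroys the private key it holds. The block's `tags` continue past the hunk.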
+++ b/tasks/cat2_cloud_lockout_order.yml @@ -38,6 +38,7 @@ - SV-254286r848674_rule - CCI-000044 - CAT2 + - lockout - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater." block: @@ -75,6 +76,7 @@ - SV-254285r848671_rule - CCI-002238 - CAT2 + - lockout # The below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value" - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." @@ -114,3 +116,4 @@ - CCI-000044 - CCI-002238 - CAT2 + - lockout diff --git a/tasks/prelim.yml b/tasks/prelim.yml index fb423bc..3c26c86 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -28,4 +28,7 @@ failed_when: false register: wn22_drive_letters when: - - wn22_au_000060 + - wn19_00_000240 or + wn19_au_000060 or + wn19_00_000390 or + wn19_00_000400 From 2e701f9bb3b24f6a2cf43057b21af465fda81537 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 15 Aug 2023 11:25:04 -0400 Subject: [PATCH 71/95] Update manual tasks with new audit -2 Signed-off-by: Frederick Witty --- tasks/cat1.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 92c2ae7..e7847bc 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml 
@@ -35,7 +35,8 @@ - "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format" - "that supports NTFS attributes. Please check to verify your system is in compliance." - "ReFS (resilient file system) is also acceptable and would not be a finding." - - "This does not apply to system partitions such the Recovery and EFI System Partition." - "{{ wn22_00_000130_audit.stdout.split('\n') }}" + - "This does not apply to system partitions such the Recovery and EFI System Partition." + - "{{ wn22_00_000130_audit.stdout.split('\n') }}" - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml From 0fffcc651f72622d4b03b667c46f28e7e582615b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 15 Aug 2023 11:35:05 -0400 Subject: [PATCH 72/95] Update manual tasks with new audit -3 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 9b15595..a3f0835 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -117,7 +117,6 @@ - V-254241 - audit - - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2022 manually managed application account passwords must be at least 15 characters in length." block: - name: "MEDIUM | WN22-00-000050 | AUDIT | Windows Server 2022 manually managed application account passwords must be at least 15 characters in length. | Message out" @@ -1872,7 +1871,6 @@ - SV-254306r848734_rule - V-254306 - - name: "MEDIUM | WN22-AU-000140 | PATCH | Windows Server 2022 must be configured to audit Detailed Tracking | Process Creation successes." block: - name: "MEDIUM | WN22-AU-000140 | AUDIT | Windows Server 2022 must be configured to audit Detailed Tracking | Process Creation successes." From 058b18625df2c4ff7ca902d732b19c062de91eb5 Mon Sep 17 00:00:00 2001 
From: Frederick Witty Date: Tue, 15 Aug 2023 11:36:25 -0400 Subject: [PATCH 73/95] Update manual tasks with new audit -4 Signed-off-by: Frederick Witty --- tasks/prelim.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 3c26c86..e622377 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -28,7 +28,7 @@ failed_when: false register: wn22_drive_letters when: - - wn19_00_000240 or - wn19_au_000060 or - wn19_00_000390 or - wn19_00_000400 + - wn22_00_000240 or + wn22_au_000060 or + wn22_00_000390 or + wn22_00_000400 From e97bf3e6f97525ec019b0b3160681b33d46ca067 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 15 Aug 2023 14:48:29 -0400 Subject: [PATCH 74/95] Update manual tasks with new audit -5 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 177 +++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 157 insertions(+), 20 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index a3f0835..0d17187 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -712,7 +712,9 @@ block: - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." + msg: + - "Warning!! This is a manual task. Windows Server 2022 systems requiring data at rest protections" + - "must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest." - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -734,7 +736,10 @@ block: - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process." + msg: + - "Warning!! This is a manual task. Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs," + - "or IPsec if the data owner has a strict requirement for ensuring" + - "data integrity and confidentiality is maintained at every step of the data transfer and handling process." - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -786,8 +791,55 @@ - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled." block: - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled." + ansible.windows.win_shell: | + $FWProfiles = (Get-NetFirewallProfile); + Write-Host "Windows Firewall Profile Statuses" -Foregroundcolor Yellow; + $FWProfiles | %{ + If($_.Enabled -eq 1){ + Write-Host "The Windows Firewall $($_.Name) profile is enabled" + }Else{ + Write-Host "The Windows Firewall $($_.Name) profile is disabled" + } + }; + changed_when: false + failed_when: false + register: wn22_00_000280_firewall_audit + + - name: "MEDIUM | wn22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled. | Warning Message No Windows Firewall Enabled" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled." + msg: + - "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled." + - "Windows does not currently have its built in firewall enabled." + - "Please check for 3rd party firewall and verify the configuration requirements conform to firewall STIG standards." + - "{{ wn22_00_000280_firewall_audit.stdout_lines }}" + when: + - "'Domain profile is disabled' in wn22_00_000280_firewall_audit.stdout_lines | string" + - "'Private profile is disabled' in wn22_00_000280_firewall_audit.stdout_lines | string" + - "'Public profile is disabled' in wn22_00_000280_firewall_audit.stdout_lines | string" + + - name: "MEDIUM | wn22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled. | Warning Message Windows Firewall On" + ansible.builtin.debug: + msg: + - "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled." 
+ - "Windows host based firewall currently is enabled on Domain, Private, And Public Profiles." + - "Please check the firewall and verify the configuration requirements conform to firewall STIG standards." + - "{{ wn22_00_000280_firewall_audit.stdout_lines }}" + when: + - "'Domain profile is enabled' in wn22_00_000280_firewall_audit.stdout_lines | string" + - "'Private profile is enabled' in wn22_00_000280_firewall_audit.stdout_lines | string" + - "'Public profile is enabled' in wn22_00_000280_firewall_audit.stdout_lines | string" + + - name: "MEDIUM | wn22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled. | Warning Message Windows Firewall Not Completely On" + ansible.builtin.debug: + msg: + - "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled." + - "Windows host based firewall currently is partially enabled on Domain, Private, And Public Profiles." + - "Please check the firewall and verify the configuration requirements conform to firewall STIG standards." + - "{{ wn22_00_000280_firewall_audit.stdout_lines }}" + when: + - "'Domain profile is enabled' not in wn22_00_000280_firewall_audit.stdout_lines | string or + 'Private profile is enabled' not in wn22_00_000280_firewall_audit.stdout_lines | string or + 'Public profile is enabled' not in wn22_00_000280_firewall_audit.stdout_lines | string" - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
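Review bot: The `when` on the "Warning Message Windows Firewall Not Completely On" task is also true in the all-disabled state that the "Warning Message No Windows Firewall Enabled" task already reports, because "not enabled" on any one profile includes every profile being disabled, so a host with the firewall fully off gets both warnings. Adding `- "'is enabled' in wn22_00_000280_firewall_audit.stdout_lines | string"` to that task's condition limits it to the genuinely mixed case. The win_shell task runs with `failed_when: false`, so if Get-NetFirewallProfile errors the stdout is empty and the same "partially enabled" message is printed with an empty list; adding `- wn22_00_000280_firewall_audit.rc == 0` to the debug conditions keeps a failed audit from being reported as a partial firewall. The three new task names use lowercase `wn22-00-000280` where the rest of the file uses `WN22-00-000280`.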
@@ -924,8 +976,10 @@ vars: warn_control_id: 'WN22-00-000310' when: - - wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" or - wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "" + - wn22_00_000310_audit_dc is not skipped + - wn22_00_000310_audit_dc.stdout != "" or + wn22_00_000310_audit_sa is not skipped + - wn22_00_000310_audit_sa.stdout != "" when: - wn22_00_000310 tags: 
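Review bot: The new `when` list no longer expresses the intended either/or for the WN22-00-000310 warn count: list items are ANDed, so the task now requires `wn22_00_000310_audit_dc is not skipped` and `wn22_00_000310_audit_sa.stdout != ""` at the same time, and whichever of the two audits was skipped has no `stdout` on its registered result, so that comparison most likely errors instead of evaluating false. If the DC and SA audits are mutually exclusive, as their names suggest, this task can no longer run cleanly on either kind of host. Keeping the grouping in a single expression restores the intent: `- (wn22_00_000310_audit_dc is not skipped and wn22_00_000310_audit_dc.stdout != "") or (wn22_00_000310_audit_sa is not skipped and wn22_00_000310_audit_sa.stdout != "")`. The enclosing task block starts before the hunk.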
@@ -1040,12 +1094,39 @@ - V-254275 - name: "MEDIUM | WN22-00-000390 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." - ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters - name: SMB1 - data: 0x00000000 - type: dword - notify: reboot_windows + block: + - name: "MEDIUM | WN22-00-000390 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | Registry Edit" + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + state: present + value: SMB1 + data: 0 + datatype: dword + notify: reboot_windows + + - name: "MEDIUM | WN22-00-000390 | AUDIT | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | Warning Message No SecGuide.admx" + ansible.builtin.debug: + msg: + - "Warning!! SecGuide.admx is not installed in C:\\Windows\\PolicyDefinitions folder." + - "This policy setting requires the installation of the SecGuide.admx custom templates" + - "included with the STIG package." + when: wn22_secguide_admx_audit.results[0].matched != 1 + + - name: "MEDIUM | WN22-00-000390 | AUDIT | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | Warning Message No SecGuide.adml" + ansible.builtin.debug: + msg: + - "Warning!! SecGuide.adml is not installed in C:\\Windows\\PolicyDefinitions\\en-US folder" + - "This policy setting requires the installation of the SecGuide.adml custom templates" + - "included with the STIG package." + when: wn22_secguide_adml_audit.results[0].matched != 1 + + - name: "MEDIUM | WN22-00-000390 | AUDIT | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server. | Warn Count." 
+ ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000390' + when: + - wn22_secguide_admx_audit.results[0].matched != 1 or + wn22_secguide_adml_audit.results[0].matched != 1 when: - wn22_00_000390 tags: 
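Review bot: The SecGuide warnings key off `wn22_secguide_admx_audit.results[0].matched != 1` (and the same for the adml result), which inspects only the first drive letter the prelim loop iterated, so the warning is wrong whenever the system drive is not first in `wn22_drive_letters.stdout_lines`; the same index is used in the WN22-00-000400 hunk below. Summing over the loop removes the ordering dependency, e.g. `when: wn22_secguide_admx_audit.results | map(attribute='matched') | sum == 0`, and the message text could stop hard-coding `C:\Windows\PolicyDefinitions` since the search covers every drive. The prelim find tasks also run with `failed_when: false`, so a loop item for a drive without a `Windows\PolicyDefinitions` folder may come back as a failed result without `matched`, which would turn this condition into an error rather than a warning; worth confirming against win_find's failure output before relying on the index at all.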
@@ -1057,12 +1138,39 @@ - V-254276 - name: "MEDIUM | WN22-00-000400 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server." - ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 - name: Start - data: 0x00000004 - type: dword - notify: reboot_windows + block: + - name: "MEDIUM | WN22-00-000400 | PATCH | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server - mrxsmb10 | Registry Edit." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 + state: present + value: Start + data: 4 + datatype: dword + notify: reboot_windows + + - name: "MEDIUM | WN22-00-000400 | AUDIT | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server - mrxsmb10 | Warning Message No SecGuide.admx" + ansible.builtin.debug: + msg: + - "Warning!! SecGuide.admx is not installed in C:\\Windows\\PolicyDefinitions folder." + - "This policy setting requires the installation of the SecGuide.admx custom templates" + - "included with the STIG package." + when: wn22_secguide_admx_audit.results[0].matched != 1 + + - name: "MEDIUM | WN22-00-000400 | AUDIT | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server - mrxsmb10 | Warning Message No SecGuide.adml" + ansible.builtin.debug: + msg: + - "Warning!! SecGuide.adml is not installed in C:\\Windows\\PolicyDefinitions\\en-US folder" + - "This policy setting requires the installation of the SecGuide.adml custom templates" + - "included with the STIG package." + when: wn22_secguide_adml_audit.results[0].matched != 1 + + - name: "MEDIUM | WN22-00-000400 | AUDIT | Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB server - mrxsmb10 | Warn Count." 
+ ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-00-000400' + when: + - wn22_secguide_admx_audit.results[0].matched != 1 or + wn22_secguide_adml_audit.results[0].matched != 1 when: - wn22_00_000400 tags: 
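Review bot: The block name and its four subtasks say "disabled on the SMB server", but the key being set is `HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10`, which is the SMB1 client redirector driver, so the wording appears to have been carried over from WN22-00-000390; the STIG title for WN22-00-000400 refers to the SMB client, which is worth confirming against the benchmark text. Suggested name: `Windows Server 2022 must have the Server Message Block (SMB) v1 protocol disabled on the SMB client.` The removed line carried the same text, so this predates the commit, but the rewrite of every task name here is the natural place to correct it.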
@@ -1170,14 +1278,43 @@ - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights" block: - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights" + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Get User List" + ansible.windows.win_shell: Get-WmiObject Win32_UserAccount | Where-Object {$_.SID -match "*S"} | Select Name,SID,DOMAIN + changed_when: false + failed_when: false + register: wn22_00_000450_orphaned_user_accounts + + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Check For Orphaned Group Accounts. | Get Group List" + ansible.windows.win_shell: Get-WmiObject -Class Win32_UserAccount | Where-Object {$_.SID -match "*S"} | Select Name,SID,DOMAIN + changed_when: false + failed_when: false + register: wn22_00_000450_orphaned_group_accounts + + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message User Accounts" ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights" + msg: + - "Warning!! Please review the User Rights listed for each of any unresolved SID to determine whether they are valid." 
+ - "User Accounts" + - "----------------------------------------------------------------------" + - "{{ wn22_00_000450_orphaned_user_accounts.stdout_lines }}" + when: wn22_00_000450_orphaned_user_accounts.stdout_lines | select() | length > 0 - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights | import reuseable task." + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message Group Accounts." + ansible.builtin.debug: + msg: + - "Warning!! Please review the Group Rights listed for each of any unresolved SID to determine whether they are valid." + - "Group Accounts" + - "----------------------------------------------------------------------" + - "{{ wn22_00_000450_orphaned_group_accounts.stdout_lines }}" + when: wn22_00_000450_orphaned_group_accounts.stdout_lines | select() | length > 0 + + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000450' + when: + - wn22_00_000450_orphaned_user_accounts.stdout_lines | select() | length > 0 or + wn22_00_000450_orphaned_group_accounts.stdout_lines | select() | length > 0 when: - wn22_00_000450 tags: From c5eea8be165051c95d5f10dd913e488eefc5d46c Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 15 Aug 2023 15:11:36 -0400 Subject: [PATCH 75/95] Update manual tasks with new audit -6 Signed-off-by: Frederick Witty --- tasks/prelim.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tasks/prelim.yml b/tasks/prelim.yml index e622377..939e5d0 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml 
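Review bot: `Where-Object {$_.SID -match "*S"}` in both new win_shell tasks is a regular-expression match whose pattern starts with a quantifier, which PowerShell rejects as an invalid pattern; because both tasks set `failed_when: false`, that error is swallowed, stdout stays empty, and neither warning nor the warn count can ever fire. A leading `*S` is how a secedit user-rights export marks an unresolved SID, which suggests the audit was meant to read user rights assignments rather than `Win32_UserAccount`, whose SID values never carry that prefix; the "Get Group List" task also queries `Win32_UserAccount` instead of a group class, so it returns the same rows as the user query. The control is about SIDs left in user rights, so the data source needs rethinking rather than just the pattern, and the debug conditions should check `rc` before treating an empty list as "nothing to report". The block's `when` and `tags` continue after the hunk.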
@@ -32,3 +32,17 @@ wn22_au_000060 or wn22_00_000390 or wn22_00_000400 + +- name: Check For SecGuide.admx In PolicyDefinitions + ansible.windows.win_find: + paths: '{{ item }}:\Windows\PolicyDefinitions' + patterns: SecGuide.admx + hidden: true + changed_when: false + failed_when: false + with_items: + - "{{ wn22_drive_letters.stdout_lines }}" + register: wn22_secguide_admx_audit + when: + - wn22_00_000390 or + wn22_00_000400 From 86ab461f63f2001a37ec8e3845c7f5cfc3c3dee7 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 15 Aug 2023 15:48:37 -0400 Subject: [PATCH 76/95] Update manual tasks with new audit -7 Signed-off-by: Frederick Witty --- .gitattributes | 6 ++++++ tasks/prelim.yml | 14 ++++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9a24540 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,6 @@ +# adding github settings to show correct language +*.sh linguist-detectable=true +*.yml linguist-detectable=true +*.ps1 linguist-detectable=true +*.j2 linguist-detectable=true +*.md linguist-documentation \ No newline at end of file diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 939e5d0..6341339 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -46,3 +46,17 @@ when: - wn22_00_000390 or wn22_00_000400 + +- name: Check For SecGuide.admx In PolicyDefinitions\en-US + ansible.windows.win_find: + paths: '{{ item }}:\Windows\PolicyDefinitions\en-US' + patterns: SecGuide.adml + hidden: true + changed_when: false + failed_when: false + with_items: + - "{{ wn22_drive_letters.stdout_lines }}" + register: wn22_secguide_adml_audit + when: + - wn22_00_000390 or + wn22_00_000400 From 5e7d5749b9871a999002af877bf3e748e7523438 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 16 Aug 2023 16:19:24 -0400 Subject: [PATCH 77/95] Update manual tasks with new audit -8 
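Review bot: The new `win_find` task iterates every drive letter but runs with `failed_when: false`, so a drive that has no `Windows\PolicyDefinitions` folder yields a failed loop result rather than `matched: 0`, and the consumers in tasks/cat2.yml index `results[0].matched` without checking for that; the same applies to the en-US task added in the next patch. Either restricting the loop to the system drive (`ansible_env.SystemDrive`, when facts are gathered) or guarding the consumers with `item.matched is defined` would make the result shape predictable. It is also worth checking whether `wn22_drive_letters.stdout_lines` carries blank trailing lines, since those would become `:\Windows\PolicyDefinitions` paths in this loop.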
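Review bot: The task name `Check For SecGuide.admx In PolicyDefinitions\en-US` does not match what the task does — it searches for `SecGuide.adml` and registers `wn22_secguide_adml_audit` — so play output will make the admx and adml checks indistinguishable. Renaming it to `Check For SecGuide.adml In PolicyDefinitions\en-US` fixes that.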
Signed-off-by: Frederick Witty --- defaults/main.yml | 203 +++++++++++++++++++++++++- meta/main.yml | 5 - tasks/cat2.yml | 354 ++++++++++++++++++++++++++++------------------ 3 files changed, 420 insertions(+), 142 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index fcb7518..0076bd3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -357,6 +357,13 @@ wn22stig_lockoutbadcount: 3 # wn22stig_resetlockoutcount is the Reset account lockout counter after value in mintues. wn22stig_resetlockoutcount: 15 +# WN22-AC-000040 +# Windows Server 2022 password history must be configured to 24 passwords remembered. +# wn22stig_passwordhistorysize is the number of passwords windows will remember before you may +# be able to reuse that same password. The default value is "24" for Windows domain systems. +# DoD has decided this is the appropriate value for all Windows systems. +wn22stig_passwordhistorysize: 24 + # WN22-AC-000050 # Windows Server 2022 maximum password age must be configured to 60 days or less and cannot be 0. # wn22stig_maximumpasswordage is the Maximum password age value in days. 
@@ -372,6 +379,68 @@ wn22stig_minimumpasswordage: 1 # wn22stig_minimumpasswordlength is the Minimum password characters length value. wn22stig_minimumpasswordlength: 14 +# WN22-CC-000110 +# Windows Server 20122virtualization-based security must be enabled with the platform security +# level configured to Secure Boot or Secure Boot with DMA Protection. +# wn22stig_dma_protection is the level that they would like to setup. +# Valid settings are as follows. +# 1 (Secure Boot only) +# 3 (Secure Boot and DMA Protection) +wn22stig_dma_protection: 3 + +# WN22-CC-000140 +# Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. +# wn22stig_driver_load_policy is the registry value that will be applied. The default behavior is for +# Early Launch Antimalware - Boot-Start Driver Initialization policy to enforce "Good, unknown and bad but +# critical" (preventing "bad"). +# Approved values are below: +# 8 - Good only +# 1 - Good and unknown +# 3 - Good, unknown and bad but critical +wn22stig_driver_load_policy: 1 + +# WN22-CC-000270 +# Windows Server 2022 Application event log size must be configured to 32768 KB or greater. +# wn22stig_app_maxsize is the EventLog Application max log size value in KB. +wn22stig_application_event_log_max_size: 32768 + +# WN22-CC-000280 +# Windows Server 2022 Security event log size must be configured to 196608 KB or greater. +# wn22stig_security_event_log_max_size: 196608 is the EventLog Security max log size value in KB. +wn22stig_security_event_log_max_size: 196608 + +# WN22-CC-000290 +# Windows Server 2022 System event log size must be configured to 32768 KB or greater. +# wn22stig_system_event_log_max_size is the EventLog System max log size value in KB. 
+wn22stig_system_event_log_max_size: 32768 + +# WN22-DC-000340 +# Windows Server 2022 Access this computer from the network user right must only be assigned to the +# Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers. +# If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators,Authenticated Users,Enterprise Domain Controllers +wn22stig_senetworklogonright_dc: Administrators,Authenticated Users,Enterprise Domain Controllers + +# WN22-DC-000430 +# The password for the krbtgt account on a domain must be reset at least every 180 days. +# The default setting here matches the STIG requirements. If you would like to +# enforce a more strcit policy you may do so for auditing purposes. +# NOTE: Valid Days are 180 or less. +wn22stig_krbtgt_account_pass_age: 180 + +# WN22-MS-000070 +# Windows Server 2022 "Access this computer from the network" user right must only be assigned to the Administrators +# and Authenticated Users groups on domain-joined member servers and standalone or nondomain-joined systems. +# If any SIDs other than the following are granted the "SeNetworkLogonRight" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators,Authenticated Users +wn22stig_senetworklogonright: Administrators,Authenticated Users + # WN22-SO-000030 # Windows Server 2022 built-in administrator account must be renamed. 
# wn22stig_newadministratorname is the non-default name for the Administror Account. @@ -382,6 +451,20 @@ wn22stig_newadministratorname: adminchangethis # wn22stig_newguestname is the non-default name for the guest Account. wn22stig_newguestname: guestchangethis +# WN22-SO-000100 +# The maximum age for machine account passwords must be configured to 30 days or less. +# wn22stig_machineaccountpsswd_max_age is the setting for the Computer account passwords +# are changed automatically on a regular basis. This setting controls the maximum password +# age that a machine account may have. This must be set to no more than 30 days, ensuring +# the machine changes its password monthly. +wn22stig_machineaccountpsswd_max_age: 30 + +# WN22-SO-000120 +# The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver. +# wn22stig_inactivitytimeoutsecs is the time in seconds that will be set in the registry that +# enagages the screen saver. Default setting is "900" seconds or less excluding "0" +wn22stig_inactivitytimeoutsecs: 900 + # WN22-SO-000130 # Windows Server 2022 required legal notice must be configured to display before console logon. # wn22stig_legalnoticetext is the LegalNoticeText for Win logon. 
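Review bot: Several of the new defaults duplicate variables that already exist for the same controls: `wn22stig_security_event_log_max_size` and `wn22stig_system_event_log_max_size` sit alongside the existing `wn22stig_sec_maxsize` and `wn22stig_sys_maxsize` visible as context in the next hunk, and `wn22stig_krbtgt_account_pass_age` alongside the existing `wn22stig_krbtgt_pass_age` for WN22-DC-000430, so an operator overriding one name will not affect whichever the tasks actually read. Either retire the older names or derive one from the other, e.g. `wn22stig_krbtgt_account_pass_age: "{{ wn22stig_krbtgt_pass_age }}"`. The WN22-CC-000270 comment describes `wn22stig_app_maxsize` but the variable beneath it is `wn22stig_application_event_log_max_size`; the WN22-CC-000110 comment reads "Windows Server 20122virtualization-based" and the krbtgt comment "strcit". The WN22-CC-000140 comment says the default behaviour enforces value 3 yet the default set here is 1, so one sentence saying why the stricter value was chosen would help the reader.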
@@ -415,14 +498,128 @@ wn22stig_sec_maxsize: 196608 # wn22stig_sys_maxsize is the EventLog System max log size value in KB. wn22stig_sys_maxsize: 32768 +# WN22-SO-000400 +# User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. +# The more secure option for this setting, "Prompt for credenti +# Default setting is 2 +# 2 -(Prompt for consent on the secure desktop) +# 1 -(Prompt for credentials on the secure desktop) +wn22stig_consentprompt: 2 + # WN22-DC-000430 # The password for the krbtgt account on a domain must be reset at least every 180 days. # wn22stig_krbtgt_pass_age is the PasswordLastSet value in days for the krbtgt account. wn22stig_krbtgt_pass_age: 180 +# WN22-UR-000030 +# The Allow log on locally user right must only be assigned to the Administrators group. +# If any SIDs other than the following are granted the "SeInteractiveLogonRight" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators +wn22stig_seinteractivelogonright: Administrators + +# WN22-UR-000040 +# The Back up files and directories user right must only be assigned to the Administrators group. +# If any SIDs other than the following are granted the "SeBackupPrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators +wn22stig_sebackuprivilege: Administrators + +# WN22-UR-000070 +# The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. 
+# If any SIDs other than the following are granted the "SeCreateGlobalPrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators,Service,Local Service,Network Service +wn22stig_secreateglobalprivilege: Administrators,Service,Local Service,Network Service + +# WN22-UR-000120 +# The Generate security audits user right must only be assigned to Local Service and Network Service. +# If any SIDs other than the following are granted the "SeAuditPrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Local Service,Network Service +wn22stig_seauditprivilege: Local Service,Network Service + +# WN22-UR-000130 +# The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. +# If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators,Service,Local Service,Network Service +wn22stig_seimpersonateprivilege: Administrators,Service,Local Service,Network Service + +# WN22-UR-000140 +# The Increase scheduling priority user right must only be assigned to the Administrators group. 
+# If any SIDs other than the following are granted the "SeIncreaseBasePriorityPrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators +wn22stig_seincreasebasepriorityprivilege: Administrators + +# WN22-UR-000160 +# The Lock pages in memory user right must not be assigned to any groups or accounts. +# If any SIDs are granted the "SeLockMemoryPrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: "" +wn22stig_selockmemorprivilege: "" + +# WN22-UR-000170 +# The Manage auditing and security log user right must only be assigned to the Administrators group. +# If any SIDs other than the following are granted the "SeSecurityPrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# If the organization has an Auditors group, the assignment of this group to the user right would not be a finding. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators +wn22stig_sesecurityprivilege: Administrators + +# WN22-UR-000210 +# The Restore files and directories user right must only be assigned to the Administrators group. +# If any SIDs other than the following are granted the "SeRestorePrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. 
Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators +wn22stig_serestoreprivilege: Administrators + +# WN22-UR-000220 +# The Take ownership of files or other objects user right must only be assigned to the Administrators group. +# If any SIDs other than the following are granted the "SeTakeOwnershipPrivilege" user right, this is a finding. +# If an application requires this user right, this would not be a finding. Vendor documentation must support the +# requirement for having the user right. The requirement must be documented with the ISSO. +# NOTE: Improper Accounts Or Groups listed here will FAIL task. +# Default: Administrators +wn22stig_setakeownershipprivilege: Administrators + # CAT 3 defaults +# WN22-CC-000260 +# Windows Server 2022 Windows Update must not obtain updates from other PCs on the Internet. +# Valid Settings are as follows. +# 0x00000000 (0) - No peering (HTTP Only) +# 0x00000001 (1) - Peers on same NAT only (LAN) +# 0x00000002 (2) - Local Network / Private group peering (Group) +# 0x00000063 (99) - Simple download mode, no peering (Simple) +# 0x00000064 (100) - Bypass mode, Delivery Optimization not used (Bypass) +wn22stig_dodownloadmode: 1 + # WN22-SO-000140 -# Windows Server 2022 title for legal banner dialog box must be configured with the appropriate text. -# wn22stig_legalnoticecaption is the DoD Notice and Consent Banner text. -wn22stig_legalnoticecaption: "DoD Notice and Consent Banner" +# The Windows dialog box title for the legal banner must be configured with the appropriate text. +# "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organization-defined equivalent. +# If an organization-defined title is used, it can in no case contravene or modify the language of the banner text required in WN22-SO-000130. 
+# Automated tools may only search for the titles defined above. If an organization-defined title is used, a manual review will be required. +# "{{ wn22stig_legalnoticetext }}" will call to the default DoD Notice and Consent Banner. +# Upon creating this both "DoD Notice and Consent Banner", "US Department of Defense Warning Statement" are the same: +# wn22stig_legalnoticecaption: "{{ wn22stig_legalnoticetext }}" +wn22stig_legalnoticecaption: "{{ wn22stig_legalnoticetext }}" diff --git a/meta/main.yml b/meta/main.yml index ff0d7f9..a026b88 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -9,11 +9,6 @@ galaxy_info: namespace: mindpointgroup min_ansible_version: 2.10.1 - platforms: - - name: Windows Server - versions: - - 2022 - galaxy_tags: - system - security diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 0d17187..7a62f6f 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1212,13 +1212,13 @@ msg: - "Warning!! This is a manual task. Internet Information Services (IIS) Manager FTP is currently" - "installed on the system. Anonymous Authentication must be set to diabled per STIG Requirements." - when: "'Installed' in wn22_00_000420_audit" + when: "'Installed' in wn22_00_000420_ftp_audit" - name: "MEDIUM | WN22-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000420' - when: "'Installed' in wn22_00_000420_audit" + when: "'Installed' in wn22_00_000420_ftp__audit" when: - wn22_00_000420 tags: 
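Review bot: `wn22stig_legalnoticecaption: "{{ wn22stig_legalnoticetext }}"` makes the logon dialog title equal to the banner body; the comment above it says the caption must be "DoD Notice and Consent Banner", "US Department of Defense Warning Statement", or an organisation-defined equivalent, and `wn22stig_legalnoticetext` is described earlier in this file as the LegalNoticeText, so unless that variable holds one of those titles the caption no longer satisfies its own note. If a fixed default is wanted, keeping the value being removed, `wn22stig_legalnoticecaption: "DoD Notice and Consent Banner"`, is safer than aliasing the text. The WN22-SO-000400 comment is cut off mid-sentence at "Prompt for credenti", and the sentence beginning "Upon creating this both" does not parse. `wn22stig_sebackuprivilege` and `wn22stig_selockmemorprivilege` each drop a letter from the privilege they stand for (SeBackupPrivilege, SeLockMemoryPrivilege), which will be easy to mistype in the tasks that consume them.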
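Review bot: The second replacement in this hunk reads `when: "'Installed' in wn22_00_000420_ftp__audit"` with a doubled underscore, so the Warn Count task for WN22-00-000420 will fail on an undefined variable whenever the control is enabled, while the debug task two lines above uses `wn22_00_000420_ftp_audit`. It should be `when: "'Installed' in wn22_00_000420_ftp_audit"`. The set_fact that defines `wn22_00_000420_ftp_audit` is not in this hunk, so I am assuming it mirrors the WN22-00-000430 pattern in the following hunk.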
@@ -1240,7 +1240,7 @@ - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Set Fact." ansible.builtin.set_fact: - wn22_00_000430_audit: "{{ wn22_00_000430_audit.stdout_lines | regex_search('Installed') }}" + wn22_00_000430_ftp_audit: "{{ wn22_00_000430_audit.stdout_lines | regex_search('Installed') }}" - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Get Sites Info." ansible.windows.win_shell: | @@ -1249,7 +1249,7 @@ changed_when: false failed_when: false register: wn22_00_000430_isssite_audit - when: "'Installed' in wn22_00_000430_audit" + when: "'Installed' in wn22_00_000430_ftp_audit" - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Warning Message." ansible.builtin.debug: @@ -1258,13 +1258,13 @@ - "If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding" - "Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system." - "{{ wn22_00_000430_isssite_audit.stdout.split('\n') }}" - when: "'Installed' in wn22_00_000430_audit" + when: "'Installed' in wn22_00_000430_ftp_audit" - name: "MEDIUM | WN22-00-000430 | AUDIT | FTP servers must be configured to prevent access to the system drive. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000430' - when: "'Installed' in wn22_00_000430_audit" + when: "'Installed' in wn22_00_000430_ftp_audit" when: - wn22_00_000430 tags: 
@@ -1278,19 +1278,19 @@ - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights" block: - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Get User List" + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights. | Get User List" ansible.windows.win_shell: Get-WmiObject Win32_UserAccount | Where-Object {$_.SID -match "*S"} | Select Name,SID,DOMAIN changed_when: false failed_when: false register: wn22_00_000450_orphaned_user_accounts - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Check For Orphaned Group Accounts. | Get Group List" + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights. | Check For Orphaned Group Accounts. | Get Group List" ansible.windows.win_shell: Get-WmiObject -Class Win32_UserAccount | Where-Object {$_.SID -match "*S"} | Select Name,SID,DOMAIN changed_when: false failed_when: false register: wn22_00_000450_orphaned_group_accounts - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message User Accounts" + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message User Accounts" ansible.builtin.debug: msg: - "Warning!! Please review the User Rights listed for each of any unresolved SID to determine whether they are valid." 
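Review bot: Only the task titles change here, but the new side still runs `Where-Object {$_.SID -match "*S"}` in both queries, and `*S` is not a valid regular expression (a quantifier with nothing to repeat), so the pipeline throws, `failed_when: false` swallows it, both registered results stay empty and the orphaned-SID warnings can never fire. The second query is titled "Get Group List" yet also reads `Win32_UserAccount`, and neither query inspects user-rights assignments, which is what this control is about. A closer audit exports the rights with `secedit /export /areas USER_RIGHTS` and reports any `*S-1-…` member that `SecurityIdentifier.Translate()` cannot resolve; at minimum the `-match` pattern needs to be a real regex or the tasks should use `-like`. The block's closing `when:`/`tags:` are outside this hunk.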
@@ -1299,7 +1299,7 @@ - "{{ wn22_00_000450_orphaned_user_accounts.stdout_lines }}" when: wn22_00_000450_orphaned_user_accounts.stdout_lines | select() | length > 0 - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message Group Accounts." + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message Group Accounts." ansible.builtin.debug: msg: - "Warning!! Please review the Group Rights listed for each of any unresolved SID to determine whether they are valid." @@ -1308,7 +1308,7 @@ - "{{ wn22_00_000450_orphaned_group_accounts.stdout_lines }}" when: wn22_00_000450_orphaned_group_accounts.stdout_lines | select() | length > 0 - - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2019 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warn Count." + - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000450' @@ -1381,7 +1381,7 @@ - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" + - "Warning!! You have an invalid number of days set for wn22stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_lockoutbadcount == 0 or 
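Review bot: The reworded warning in WN22-AC-000020 still says `invalid number of days` for `wn22stig_lockoutbadcount`, but that variable is a count of bad logon attempts (the control requires three or fewer), so the message sends an operator looking for a day value. Suggest `- "Warning!! You have an invalid number of bad logon attempts set for wn22stig_lockoutbadcount please read"`. The `when:` list continues past this hunk, so the full range being validated is not visible here.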
@@ -1420,7 +1420,7 @@ - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" + - "Warning!! You have an invalid number of days set for wn22stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_resetlockoutcount < 15 @@ -1455,7 +1455,7 @@ - name: "MEDIUM | WN22-AC-000010 | PATCH | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" + - "Warning!! You have an invalid number of minutes set for wn22stig_lockoutduration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_lockoutduration < 15 
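Review bot: Same wording problem in WN22-AC-000030: the new message says `number of days` for `wn22stig_resetlockoutcount`, but the `when:` two lines below compares it with 15 minutes. Suggest `- "Warning!! You have an invalid number of minutes set for wn22stig_resetlockoutcount please read"`. As a pre-existing nit on the context line, the task `name:` ends with a quote but does not start with one; quoting it fully avoids surprises if the title ever gains a `: ` or `#`.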
@@ -1489,26 +1489,33 @@ - V-254285 - name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered." - community.windows.win_security_policy: - section: System Access - key: PasswordHistorySize - value: 24 - when: - - wn22_ac_000040 - tags: - - WN22-AC-000040 - - CAT2 - - CCI-000200 - - SRG-OS-000077-GPOS-00045 - - SV-254288r848680_rule - - V-254288 + block: + - name: "MEDIUM | WN22-22-000040 | AUDIT | Windows Server 2022 password history must be configured to 24 passwords remembered. | Warning Message" + ansible.builtin.debug: + msg: + - "Warning!! You have an invalid number remembered passwords set for wn22stig_passwordhistorysize please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: wn22stig_passwordhistorysize < 24 + + - name: "MEDIUM | WN22-AC-000040 | AUDIT | Windows Server 2022 password history must be configured to 24 passwords remembered. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-AC-000040 ' + when: wn22stig_passwordhistorysize < 24 + + - name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered. | Apply Variable" + community.windows.win_security_policy: + section: System Access + key: PasswordHistorySize + value: "{{ wn22stig_passwordhistorysize }}" + when: wn22stig_passwordhistorysize >= 24 - name: "MEDIUM | WN22-AC-000050 | PATCH | Windows Server 2022 maximum password age must be configured to 60 days or less." block: - name: "MEDIUM | WN22-AC-000050 | AUDIT | Windows Server 2022 maximum password age must be configured to 60 days or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_maximumpasswordage please read" + - "Warning!! 
You have an invalid number of days set for wn22stig_maximumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_maximumpasswordage == 0 or @@ -1545,7 +1552,7 @@ - name: "MEDIUM | WN22-AC-000060 | AUDIT | Windows Server 2022 minimum password age must be configured to at least one day. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_minimumpasswordage please read" + - "Warning!! You have an invalid number of days set for wn22stig_minimumpasswordage please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_minimumpasswordage == 0 @@ -1579,7 +1586,7 @@ - name: "MEDIUM | WN22-AC-000070 | AUDIT | Windows Server 2022 minimum password length must be configured to 14 characters. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid password length for wn22stig_minimumpasswordlength please read" + - "Warning!! You have an invalid password length for wn22stig_minimumpasswordlength please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_minimumpasswordlength < 14 
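Review bot: The rewritten WN22-AC-000040 block drops the block-level `when: - wn22_ac_000040` and the `tags:` list (WN22-AC-000040, CAT2, CCI-000200, SRG-OS-000077-GPOS-00045, SV-254288r848680_rule, V-254288) that the removed lines carried, and nothing on the new side restores them before the WN22-AC-000050 task begins; the control can no longer be switched off through its toggle and `--tags WN22-AC-000040` or `CAT2` will no longer select it, so the block now runs unconditionally. Re-add both after the block, as every neighbouring control does. Two smaller things in the same hunk: the first new task is titled `WN22-22-000040` instead of `WN22-AC-000040`, and `warn_control_id: 'WN22-AC-000040 '` carries a trailing space that will be recorded verbatim by whatever warning_facts.yml does with it.
```yaml
- name: "MEDIUM | WN22-AC-000040 | PATCH | Windows Server 2022 password history must be configured to 24 passwords remembered."
  block:
    # … unchanged: warning message, warn count and apply-variable tasks …
      when: wn22stig_passwordhistorysize >= 24
  when:
    - wn22_ac_000040
  tags:
    - WN22-AC-000040
    - CAT2
    - CCI-000200
    - SRG-OS-000077-GPOS-00045
    - SV-254288r848680_rule
    - V-254288
```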
@@ -2032,15 +2039,6 @@ - V-254307 - audit -- name: "MEDIUM | WN22-AU-000150 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout successes." - block: - - name: "MEDIUM | WN22-AU-000150 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout successes." - ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - changed_when: false - failed_when: false - check_mode: false - register: wn22_au_000150_audit - - name: "MEDIUM | WN22-AU-000160 | PATCH | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout failures." block: - name: "MEDIUM | WN22-AU-000160 | AUDIT | Windows Server 2022 must be configured to audit Logon/Logoff | Account Lockout failures." 
@@ -2182,33 +2180,25 @@ - V-254314 - audit -- name: "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events successes." +- name: | + "MEDIUM | WN22-AU-000220 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events successes." + "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events failures." community.windows.win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure when: - - wn22_au_000220 + - wn22_au_000220 or + wn22_au_000230 tags: + - WN22-AU-000230 - WN22-AU-000220 - CAT2 - CCI-000172 - SRG-OS-000470-GPOS-00214 - SV-254315r848761_rule - - V-254315 - -- name: "MEDIUM | WN22-AU-000230 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events failures." - community.windows.win_audit_policy_system: - subcategory: Other Object Access Events - audit_type: success, failure - when: - - wn22_au_000230 - tags: - - WN22-AU-000230 - - CAT2 - - CCI-000172 - - SRG-OS-000470-GPOS-00214 - SV-254316r848764_rule - V-254316 + - V-254315 - name: "MEDIUM | WN22-AU-000240 | PATCH | Windows Server 2022 must be configured to audit Object Access | Removable Storage successes." block: 
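Review bot: The merged task's `name:` is a literal block scalar (`|`), so the name Ansible prints contains an embedded newline plus the literal quote characters of both lines, which looks broken in play output and in anything that parses task names. A single plain string such as `- name: "MEDIUM | WN22-AU-000220 / WN22-AU-000230 | PATCH | Windows Server 2022 must be configured to audit Object Access | Other Object Access Events successes and failures."` keeps the same information. The merge also means that disabling only one of `wn22_au_000220` / `wn22_au_000230` still sets `audit_type: success, failure`; that matches what each of the two removed tasks did, but a one-line comment above `when:` saying so would save the next reader a lookup.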
@@ -2690,14 +2680,42 @@ - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." block: - - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | EnableVirtualizationBasedSecurity Registry Add" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ + state: present + value: EnableVirtualizationBasedSecurity + data: 1 + datatype: dword + + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | RequirePlatformSecurityFeatures Registry Add" + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ + state: present + value: RequirePlatformSecurityFeatures + data: "{{ wn22stig_dma_protection }}" + datatype: dword + + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Get Status Of Device Guard Virtualization." 
+ ansible.windows.win_shell: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object VirtualizationBasedSecurityStatus | ft -hidetableheaders + changed_when: false + failed_when: false + register: wn22_cc_000110_audit + + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Device Guard Virtualization based security Not Running Warning Message." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection." + msg: + - "Warning!! This is a manual task. Windows Server 2022 virtualization-based security must be enabled with the platform security" + - "level configured to Secure Boot or Secure Boot with DMA Protection. The policy settings referenced in the Fix section will" + - "configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper" + - "function." + when: "'2' not in wn22_cc_000110_audit.stdout | trim" - - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | import reuseable task." + - name: "MEDIUM | WN22-CC-000110 | AUDIT | Windows Server 2022 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-CC-000110' + when: "'2' not in wn22_cc_000110_audit.stdout | trim" when: - wn22_cc_000110 - ansible_windows_domain_member 
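Review bot: `wn22stig_dma_protection` is written straight into `RequirePlatformSecurityFeatures` with no validation, whereas the other variable-driven controls in this commit warn when a value is out of range; as far as I recall the STIG fix text only accepts 1 (Secure Boot) or 3 (Secure Boot and DMA Protection) here, so any other value is applied silently and the control is reported as handled. Add a debug/warn pair like the one WN22-CC-000270 uses, gated on `when: wn22stig_dma_protection | int not in [1, 3]`, and gate the regedit on the inverse. The two new `win_regedit` tasks are also titled `AUDIT` and the debug text still opens with "This is a manual task", although the block now changes the system; retitle them `PATCH` and reword the message to say the policy values were set but VBS is not reported as running. The status test `'2' not in wn22_cc_000110_audit.stdout | trim` works for a single digit but `wn22_cc_000110_audit.stdout | trim != '2'` states the intent more directly.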
@@ -2712,8 +2730,9 @@ - name: "MEDIUM | WN22-CC-000130 | PATCH | Windows Server 2022 early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad." ansible.windows.win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch + state: present value: DriverLoadPolicy - data: 1 + data: "{{ wn22stig_driver_load_policy }}" datatype: dword when: - wn22_cc_000130 
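Review bot: `wn22stig_driver_load_policy` is written into `DriverLoadPolicy` with no validation, unlike the other variable-driven controls in this commit; as I recall the STIG accepts 1, 3 or 8 for this value and treats 7 (all drivers, including ones identified as bad) as a finding, so a wrong value is applied silently and the system stays non-compliant with no warning. Gate the regedit with `when: wn22stig_driver_load_policy | int in [1, 3, 8]` and add a debug/warn pair for the other case, as WN22-CC-000270 does. The task's `when:` list and tags continue past this hunk.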
@@ -2855,22 +2874,27 @@ - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater." block: - - name: "MEDIUM | WN22-CC-000270 | AUDIT | Windows Server 2022 Application event log size must be configured to 32768 KB or greater." - ansible.windows.win_reg_stat: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application - name: MaxSize - register: wn22_cc_000270_audit + - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater. | Warning Message." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid file size set for wn22stig_application_event_log_max_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: wn22stig_application_event_log_max_size < 32768 + + - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-CC-000270' + when: wn22stig_application_event_log_max_size < 32768 - - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater." + - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater. | Apply Log Size" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application + state: present value: MaxSize - data: "{{ wn22stig_app_maxsize }}" + data: "{{ wn22stig_application_event_log_max_size }}" datatype: dword - when: - - wn22_cc_000270_audit is defined - - not wn22_cc_000270_audit.exists or - wn22_cc_000270_audit.value < 32768 + when: wn22stig_application_event_log_max_size >= 32768 when: - wn22_cc_000270 tags: 
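Review bot: The three `when:` clauses compare `wn22stig_application_event_log_max_size` with 32768 as a bare value; a size supplied on the command line (`-e wn22stig_application_event_log_max_size=65536`) arrives as a string, and a string-versus-integer comparison makes the conditional fail with a templating error instead of skipping or applying. Use `wn22stig_application_event_log_max_size | int < 32768` and `| int >= 32768` in all three places. Also the new message keeps `a invalid` while the rest of this commit changes that to `an invalid`, and the warning task is titled `PATCH` although it only prints.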
@@ -2883,22 +2907,27 @@ - name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2022 Security event log size must be configured to 196608 KB or greater." block: - - name: "MEDIUM | WN22-CC-000280 | AUDIT | Windows Server 2022 Security event log size must be configured to 196608 KB or greater." - ansible.windows.win_reg_stat: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security - name: MaxSize - register: wn22_cc_000280_audit + - name: "MEDIUM | WN22-CC-000280 | AUDIT | Windows Server 2022 Security event log size must be configured to 196608 KB or greater. | Warning Message." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid file size set for wn22stig_security_event_log_max_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: wn22stig_security_event_log_max_size < 196608 + + - name: "MEDIUM | WN22-CC-000280 | AUDIT | Windows Server 2022 Security event log size must be configured to 196608 KB or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-CC-000280' + when: wn22stig_security_event_log_max_size < 196608 - - name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2022 Security event log size must be configured to 196608 KB or greater." + - name: "MEDIUM | WN22-CC-000280 | PATCH | Windows Server 2022 Security event log size must be configured to 196608 KB or greater. |Apply Log Size" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security + state: present value: MaxSize - data: "{{ wn22stig_sec_maxsize }}" + data: "{{ wn22stig_security_event_log_max_size }}" datatype: dword - when: - - wn22_cc_000280_audit is defined - - not wn22_cc_000280_audit.exists or - wn22_cc_000280_audit.value < 196608 + when: wn22stig_security_event_log_max_size >= 196608 when: - wn22_cc_000280 tags: 
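Review bot: The same integer caveat applies to `wn22stig_security_event_log_max_size`: wrap it as `wn22stig_security_event_log_max_size | int` in the three `when:` clauses so a string value from `-e` compares correctly against 196608 instead of erroring. Minor: `a invalid` should become `an invalid` to match the rest of the commit, and `|Apply Log Size` is missing the space the sibling task names use.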
@@ -2911,22 +2940,27 @@ - name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2022 System event log size must be configured to 32768 KB or greater." block: - - name: "MEDIUM | WN22-CC-000290 | AUDIT | Windows Server 2022 System event log size must be configured to 32768 KB or greater." - ansible.windows.win_reg_stat: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System - name: MaxSize - register: wn22_cc_000290_audit + - name: "MEDIUM | WN22-CC-000290 | AUDIT | Windows Server 2022 System event log size must be configured to 32768 KB or greater. | Warning Message." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid file size set for wn22stig_system_event_log_max_size please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: wn22stig_system_event_log_max_size < 32768 - - name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2022 System event log size must be configured to 32768 KB or greater." + - name: "MEDIUM | WN22-CC-000290 | AUDIT | Windows Server 2022 System event log size must be configured to 32768 KB or greater. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-CC-000290' + when: wn22stig_system_event_log_max_size < 32768 + + - name: "MEDIUM | WN22-CC-000290 | PATCH | Windows Server 2022 System event log size must be configured to 32768 KB or greater. | Apply Log Size" ansible.windows.win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\System + state: present value: MaxSize - data: "{{ wn22stig_sys_maxsize }}" + data: "{{ wn22stig_system_event_log_max_size }}" datatype: dword - when: - - wn22_cc_000290_audit is defined - - not wn22_cc_000290_audit.exists or - wn22_cc_000290_audit.value < 32768 + when: wn22stig_system_event_log_max_size >= 32768 when: - wn22_cc_000290 tags: 
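Review bot: Same here for `wn22stig_system_event_log_max_size`: the comparisons against 32768 need `| int` so a command-line string value does not break the conditional. The new warning text also repeats `a invalid` where the commit elsewhere corrects it to `an invalid`.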
@@ -3755,7 +3789,9 @@ block: - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 domain controllers must have a PKI server certificate." + msg: + - "Warning!! This is a manual task. Domain controllers must have a PKI server certificate." + - "Please review the STIG documentation for proper direction on auditing this control." - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml 
@@ -3774,11 +3810,24 @@ - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." block: - - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." - ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." + - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Obtain Accounts" + ansible.windows.win_shell: Get-ADUser -Filter {(Enabled -eq $True) -and (SmartcardLogonRequired -eq $False)} | FT Name + changed_when: false + failed_when: false + register: wn22_dc_000310_audit - - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | import reuseable task." 
+ - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Warning Message." + ansible.builtin.debug: + msg: + - "Warning!! This is a manual task. Active Directory user accounts, including administrators," + - "must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification" + - "(PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication." + - "If any user accounts, including administrators, are listed below, this is a finding." + - "Configure all user accounts, including administrator accounts, in Active Directory to enable" + - "the option Smart card is required for interactive logon" + - "{{ wn22_dc_000310_audit.stdout_lines | trim }}" + + - name: "MEDIUM | WN22-DC-000310 | AUDIT | Windows Server 2022 Active Directory user accounts, including administrators, must be configured to require the use of a Common Access Card (CAC), Personal Identity Verification (PIV)-compliant hardware token, or Alternate Logon Token (ALT) for user authentication. | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000310' @@ -3840,10 +3889,7 @@ - name: "MEDIUM | WN22-DC-000340 | PATCH | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators, Authenticated Users, and Enterprise Domain Controllers groups on domain controllers." ansible.windows.win_user_right: name: SeNetworkLogonRight - users: - - Administrators - - Authenticated Users - - Enterprise Domain Controllers + users: "{{ wn22stig_senetworklogonright_dc }}" action: set when: - wn22_dc_000340 
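Review bot: Neither the new Warning Message task nor the Warn Count import shows a `when:` inside this hunk, so the control is reported as a finding on every run, including when `Get-ADUser` returns nothing and when the query itself fails (`failed_when: false` hides a missing ActiveDirectory module, for instance, and leaves `stdout` empty). Gate both on `when: wn22_dc_000310_audit.stdout | trim | length > 0`, and prefer `Select-Object -ExpandProperty SamAccountName` over `FT Name` so the output is a bare list rather than a formatted table with header lines. `"{{ wn22_dc_000310_audit.stdout_lines | trim }}"` also stringifies the list before printing; `stdout_lines` alone prints cleaner. The block's closing `when:`/`tags:` lie outside this hunk.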
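Review bot: `SeNetworkLogonRight` on domain controllers is now whatever `wn22stig_senetworklogonright_dc` contains, applied with `action: set` and no check against the STIG set the removed lines hard-coded (Administrators, Authenticated Users, Enterprise Domain Controllers); an inventory or extra-vars override that adds a broader principal would be applied silently while the play still reports the control as patched. Since the other variable-driven controls in this commit warn on out-of-range values, add the same here, for example a debug/warn pair gated on `when: wn22stig_senetworklogonright_dc | difference(['Administrators', 'Authenticated Users', 'Enterprise Domain Controllers']) | length > 0`. The task's `when:` list continues past this hunk.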
@@ -3987,20 +4033,37 @@ - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." block: - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." - ansible.windows.win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_krbtgt_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet" + ansible.windows.win_shell: "Get-ADUser krbtgt -Property PasswordLastSet | Where-Object {$_.PasswordLastSet -lt ((Get-Date).AddDays(-{{ wn22stig_krbtgt_account_pass_age }}))} | Select-Object -ExpandProperty PasswordLastSet" changed_when: false failed_when: false - check_mode: false register: wn22_dc_000430_audit + when: wn22stig_krbtgt_account_pass_age <= 180 - - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days." + - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | Warning Message Variable." + ansible.builtin.debug: + msg: + - "Warning!! You have a invalid number of days set for wn22stig_krbtgt_account_pass_age please read" + - "the notes for the variable and make the necessary change to the variable to be in compliance." + when: wn22stig_krbtgt_account_pass_age > 180 + + - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | Warning Message Account." ansible.builtin.debug: - msg: "Warning!! This is a manual task. The password for the krbtgt account on a domain must be reset at least every 180 days." + msg: + - "Warning!! The password for the krbtgt account on a domain must be reset at least every 180 days." + - "Your password is currently out of STIG compliance and has not been reset in the last 180 days." 
+ - "{{ wn22_dc_000430_audit.stdout_lines | trim }}" + when: + - wn22stig_krbtgt_account_pass_age <= 180 + - wn22_dc_000430_audit.stdout | length > 0 - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reuseable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000430' + when: + - wn22stig_krbtgt_account_pass_age <= 180 + - wn22_dc_000430_audit.stdout | length > 0 or + wn22stig_krbtgt_account_pass_age > 180 when: - wn22_dc_000430 - ansible_windows_domain_role == "Primary domain controller" @@ -4101,9 +4164,7 @@ - name: "MEDIUM | WN22-MS-000070 | PATCH | Windows Server 2022 Access this computer from the network user right must only be assigned to the Administrators and Authenticated Users groups on domain-joined member servers and standalone systems." ansible.windows.win_user_right: name: SeNetworkLogonRight - users: - - Administrators - - Authenticated Users + users: "{{ wn22stig_senetworklogonright }}" action: set when: - wn22_ms_000070 @@ -4155,6 +4216,7 @@ users: - Enterprise Admins - Domain Admins + - Guests action: set when: ansible_windows_domain_role == "Member server" 
@@ -4176,26 +4238,15 @@ - V-254436 - name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." - block: - - name: "MEDIUM | WN22-MS-000100 | PATCH | DOMAIN MEMBER | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." - ansible.windows.win_user_right: - name: SeDenyBatchLogonRight - users: - - Enterprise Admins - - Domain Admins - - Guests - action: set - when: ansible_windows_domain_role == "Member server" - - - name: "MEDIUM | WN22-MS-000100 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." - ansible.windows.win_user_right: - name: SeDenyBatchLogonRight - users: - - Guests - action: set - when: not ansible_windows_domain_member + ansible.windows.win_user_right: + name: SeDenyServiceLogonRight + users: + - Enterprise Admins + - Domain Admins + action: set when: - wn22_ms_000100 + - ansible_windows_domain_role == "Member server" tags: - WN22-MS-000100 - CAT2 
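Review bot: The rewritten WN22-MS-000100 task sets `name: SeDenyServiceLogonRight`, but the control is "Deny log on as a batch job", which the removed lines configured as `SeDenyBatchLogonRight`; after this change the batch-logon deny is no longer set by this task at all, and the service-logon deny (the right belonging to the next control, presumably handled by its own task) is written here instead. The rewrite also drops `Guests` from the member-server list and deletes the STAND-ALONE task, so stand-alone systems, which the title says must be protected from unauthenticated access, no longer get the deny right. Restore the two-task block with the batch right and Guests in both lists, as below.
```yaml
- name: "MEDIUM | WN22-MS-000100 | PATCH | Windows Server 2022 Deny log on as a batch job user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems."
  block:
    - name: "MEDIUM | WN22-MS-000100 | PATCH | DOMAIN MEMBER | Deny log on as a batch job."
      ansible.windows.win_user_right:
        name: SeDenyBatchLogonRight
        users:
          - Enterprise Admins
          - Domain Admins
          - Guests
        action: set
      when: ansible_windows_domain_role == "Member server"

    - name: "MEDIUM | WN22-MS-000100 | PATCH | STAND-ALONE | Deny log on as a batch job."
      ansible.windows.win_user_right:
        name: SeDenyBatchLogonRight
        users:
          - Guests
        action: set
      when: not ansible_windows_domain_member
  when:
    - wn22_ms_000100
  # … unchanged: tags …
```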
@@ -4280,20 +4331,56 @@ - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." block: - - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." - ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where Subject -Like "*DoD*" | FL Subject, Thumbprint, NotAfter + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Check For DOD Root CA 3." + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 3*" -and $_.Thumbprint -Like "D73CA91102A2204A36459ED32213B467D7CE97FB"} | FL Subject, Issuer, Thumbprint, NotAfter changed_when: false - check_mode: false - register: wn22_PK_000010_audit + failed_when: false + register: wn22_pk_000010_root_3_Check + + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Check For DOD Root CA 4." + ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 4*" -and $_.Thumbprint -Like "B8269F25DBD937ECAFD4C35A9838571723F2D026"} | FL Subject, Issuer, Thumbprint, NotAfter + changed_when: false + failed_when: false + register: wn22_pk_000010_root_4_Check + + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Check For DOD Root CA 5." 
+ ansible.windows.win_shell: Get-ChildItem -Path Cert:Localmachine\root | Where {$_.Subject -Like "*DoD Root CA 5*" -and $_.Thumbprint -Like "4ECB5CC3095670454DA1CBD410FC921F46B8564B"} | FL Subject, Issuer, Thumbprint, NotAfter + changed_when: false + failed_when: false + register: wn22_pk_000010_root_5_Check + + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Warning!! No DOD Root CA 3 Certificate Installed." + ansible.builtin.debug: + msg: + - "Warning!! The DOD Root CA 3 is not installed on the system or" + - "contains an incorrect Thumbprint for the Root CA Certificate." + - "Please refer to STIG documentation for proper cert to be installed." + when: wn22_pk_000010_root_3_Check.stdout == "" + + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Warning!! No DOD Root CA 4 Certificate Installed." + ansible.builtin.debug: + msg: + - "Warning!! The DOD Root CA 4 is not installed on the system or" + - "contains an incorrect Thumbprint for the Root CA Certificate." + - "Please refer to STIG documentation for proper cert to be installed." + when: wn22_pk_000010_root_4_Check.stdout == "" - - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Warning!! No DOD Root CA 5 Certificate Installed." ansible.builtin.debug: - msg: "Warning!! This is a manual task. Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store." + msg: + - "Warning!! 
The DOD Root CA 5 is not installed on the system or" + - "contains an incorrect Thumbprint for the Root CA Certificate." + - "Please refer to STIG documentation for proper cert to be installed." + when: wn22_pk_000010_root_5_Check.stdout == "" - - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | import reuseable task." + - name: "MEDIUM | WN22-PK-000010 | AUDIT | Windows Server 2022 must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-PK-000010' + when: + - wn22_pk_000010_root_3_Check.stdout == "" or + wn22_pk_000010_root_4_Check.stdout == "" or + wn22_pk_000010_root_5_Check.stdout == "" when: - wn22_pk_000010 tags: @@ -4407,8 +4494,7 @@ section: System Access key: NewAdministratorName value: "{{ wn22stig_newadministratorname }}" - when: - - "'adminchangethis' not in wn22stig_newadministratorname" + when: "'adminchangethis' not in wn22stig_newadministratorname" when: - wn22_so_000030 tags: From 3d7f0d5ff92acfab53f6e3d2e7074e68b1509610 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 16 Aug 2023 16:34:53 -0400 Subject: [PATCH 78/95] Update manual tasks with new audit -9 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 7a62f6f..f8d2976 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1205,7 +1205,7 @@ - name: set_fact ansible.builtin.set_fact: - wn22_00_000420_audit: "{{ wn22_00_000420_audit.stdout_lines | regex_search('Installed') }}" + wn22_00_000420__ftp_audit: "{{ wn22_00_000420_audit.stdout_lines | regex_search('Installed') }}" - name: "MEDIUM | WN22-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons. | Warning Message" ansible.builtin.debug: 
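Review bot: The three new `win_shell` audit tasks in the WN22-PK-000010 hunk (`@@ -4280,20 +4331,56 @@`) drop the `check_mode: false` the removed task carried, so under `--check` they are skipped, the registered results have no `stdout`, and `wn22_pk_000010_root_3_Check.stdout == ""` (and the CA 4/5 equivalents, plus the combined `when:` on the warn-count import) fail on an undefined attribute instead of reporting. Each of the three tasks should get `check_mode: false` back next to `changed_when: false`. Separately, `-Like` with a thumbprint that contains no wildcard reads as a pattern match when an exact comparison is meant; `$_.Thumbprint -eq "<thumbprint>"` states the intent and avoids a future edit accidentally introducing a wildcard.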
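Review bot: In the `@@ -1205,7 +1205,7 @@` hunk of PATCH 78/95 the new fact name `wn22_00_000420__ftp_audit` carries a double underscore, and the consuming `when:` on the warn-count import (not in this hunk) must match it character for character or the play fails on an undefined variable. Renaming the producer and its consumer in the same commit, with one agreed spelling such as `wn22_00_000420_ftp_audit`, avoids the follow-up respins that patches 79/95 and 80/95 in this series then have to make.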
From 806a8d8486bca7bc361c72b2724cbba1e11f2675 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 16 Aug 2023 16:55:50 -0400 Subject: [PATCH 79/95] Update manual tasks with new audit -10 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index f8d2976..c3c9579 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1218,7 +1218,7 @@ ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000420' - when: "'Installed' in wn22_00_000420_ftp__audit" + when: "'Installed' in wn22_00_000420_ftp_audit" when: - wn22_00_000420 tags: From 13ae03f1f62d30aba4f33fa9175a81210d51336f Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 10:39:12 -0400 Subject: [PATCH 80/95] Update manual tasks with new audit -11 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index c3c9579..6c74e24 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -1205,7 +1205,7 @@ - name: set_fact ansible.builtin.set_fact: - wn22_00_000420__ftp_audit: "{{ wn22_00_000420_audit.stdout_lines | regex_search('Installed') }}" + wn22_00_000420_ftp_audit: "{{ wn22_00_000420_audit.stdout_lines | regex_search('Installed') }}" - name: "MEDIUM | WN22-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons. | Warning Message" ansible.builtin.debug: From be585dc68523582d2203cdeb276fff0f2b479279 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 13:28:13 -0400 Subject: [PATCH 81/95] Update manual tasks with new audit -12 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 153 +++++++++++++++++++++++++++++++++---------------- 1 file changed, 103 insertions(+), 50 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 6c74e24..82d8e5c 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml 
@@ -4270,8 +4270,7 @@ - name: "MEDIUM | WN22-MS-000110 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on locally user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyInteractiveLogonRight - users: - - Guests + users: Guests action: set when: not ansible_windows_domain_member when: @@ -4300,8 +4299,7 @@ - name: "MEDIUM | WN22-MS-000120 | PATCH | STAND-ALONE | Windows Server 2022 Deny log on through Remote Desktop Services user right on domain-joined member servers must be configured to prevent access from highly privileged domain accounts and all local accounts and from unauthenticated access on all systems." ansible.windows.win_user_right: name: SeDenyRemoteInteractiveLogonRight - users: - - Guests + users: Guests action: set when: not ansible_windows_domain_member when: @@ -4479,15 +4477,13 @@ msg: - "Warning!! You have not changed the default name for wn22stig_newadministratorname, please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." - when: - - "'adminchangethis' in wn22stig_newadministratorname" + when: "'adminchangethis' in wn22stig_newadministratorname" - name: "MEDIUM | WN22-SO-000030 | AUDIT | Windows Server 2022 built-in administrator account must be renamed. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-SO-000030' - when: - - "'adminchangethis' in wn22stig_newadministratorname" + when: "'adminchangethis' in wn22stig_newadministratorname" - name: "MEDIUM | WN22-SO-000030 | PATCH | Windows Server 2022 built-in administrator account must be renamed. | Set Variable." community.windows.win_security_policy: 
@@ -4519,16 +4515,14 @@ ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-SO-000040' - when: - - "'guestchangethis' in wn22stig_newguestname" + when: "'guestchangethis' in wn22stig_newguestname" - name: "MEDIUM | WN22-SO-000040 | PATCH | Windows Server 2022 built-in guest account must be renamed. | Set Variable." community.windows.win_security_policy: section: System Access key: NewGuestName value: "{{ wn22stig_newguestname }}" - when: - - "'guestchangethis' not in wn22stig_newguestname" + when: "'guestchangethis' not in wn22stig_newguestname" when: - wn22_so_000040 tags: @@ -4620,7 +4614,6 @@ datatype: dword when: - wn22_so_000090 - - ansible_windows_domain_role == "Member server" tags: - WN22-SO-000090 - CAT2 
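Review bot: In the `@@ -4620,7 +4614,6 @@` hunk, removing `- ansible_windows_domain_role == "Member server"` from the WN22-SO-000090 `when:` widens the registry change to domain controllers and stand-alone hosts, and nothing in the hunk or the commit message says why; the task body that would show which key is written starts outside the hunk. If the wider scope is intended, a one-line comment above the `when:` such as `# applies to all roles; earlier member-server restriction was not required by the control` would keep the next reader from re-adding the condition.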
@@ -4630,11 +4623,34 @@ - V-254453 - name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less." - ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters - value: MaximumPasswordAge - data: 30 - datatype: dword + block: + - name: "MEDIUM | WN22-SO-000100 | AUDIT | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less. | Number Of Days Check." + ansible.builtin.debug: + msg: + - "Warning!! You have not set the right number of days for wn22stig_machineaccountpsswd_max_age" + - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_machineaccountpsswd_max_age > 30 or + wn22stig_machineaccountpsswd_max_age == 0 + + - name: "MEDIUM | WN22-SO-000100 | AUDIT | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-SO-000100' + when: + - wn22stig_machineaccountpsswd_max_age > 30 or + wn22stig_machineaccountpsswd_max_age == 0 + + - name: "MEDIUM | WN22-SO-000100 | PATCH | Windows Server 2022 maximum age for machine account passwords must be configured to 30 days or less. | Apply Variable." + ansible.windows.win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters + state: present + value: MaximumPasswordAge + data: "{{ wn22stig_machineaccountpsswd_max_age }}" + datatype: dword + when: + - wn22stig_machineaccountpsswd_max_age <= 30 + - wn22stig_machineaccountpsswd_max_age != 0 when: - wn22_so_000100 tags: 
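Review bot: The guards in the WN22-SO-000100 block do not reject a negative value: `wn22stig_machineaccountpsswd_max_age > 30 or ... == 0` raises no warning for -1, and the apply task's `<= 30` and `!= 0` both pass, so the negative number is written to `MaximumPasswordAge` as a dword. A value supplied as a string (for example via extra-vars) would also make the integer comparisons error out. Using `wn22stig_machineaccountpsswd_max_age | int > 30 or wn22stig_machineaccountpsswd_max_age | int < 1` for the two warning conditions and `wn22stig_machineaccountpsswd_max_age | int >= 1` in place of `!= 0` for the apply task closes both gaps. The WN22-SO-000120 hunk (`@@ -4663,11 +4679,34 @@`) has the same shape with `wn22stig_inactivitytimeoutsecs`.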
@@ -4663,11 +4679,34 @@ - V-254455 - name: "MEDIUM | WN22-SO-000120 | PATCH | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver." - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - value: InactivityTimeoutSecs - data: 900 - datatype: dword + block: + - name: "MEDIUM | WN22-SO-000120 | AUDIT | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Number Of Seconds Check." + ansible.builtin.debug: + msg: + - "Warning!! You have not set the right number of seconds for wn22stig_inactivitytimeoutsecs" + - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_inactivitytimeoutsecs > 900 or + wn22stig_inactivitytimeoutsecs == 0 + + - name: "MEDIUM | WN22-SO-000120 | AUDIT | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-SO-000120' + when: + - wn22stig_inactivitytimeoutsecs > 900 or + wn22stig_inactivitytimeoutsecs == 0 + + - name: "MEDIUM | WN22-SO-000120 | PATCH | Windows Server 2022 machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver. | Apply Variable." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: InactivityTimeoutSecs + data: "{{ wn22stig_inactivitytimeoutsecs }}" + datatype: dword + when: + - wn22stig_inactivitytimeoutsecs <= 900 + - wn22stig_inactivitytimeoutsecs != 0 when: - wn22_so_000120 tags: 
@@ -4950,8 +4989,9 @@ - name: "MEDIUM | WN22-SO-000360 | PATCH | Windows Server 2022 must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing." ansible.windows.win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager - value: ProtectionMode + path: HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy + state: present + value: Enabled data: 1 datatype: dword when: 
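Review bot: The WN22-SO-000360 task now writes `Lsa\FIPSAlgorithmPolicy\Enabled = 1`, which is the key that actually governs FIPS mode (the previous `Session Manager\ProtectionMode` belongs to a different setting), but the task carries no note that this is a system-wide cryptographic policy change: software that relies on non-FIPS-validated algorithms can stop working, and the setting typically needs a restart to take full effect. A comment above the task, e.g. `# Enables system-wide FIPS mode; applications using non-FIPS-validated algorithms may break and a restart is typically required`, would give operators the warning they need before enabling wn22_so_000360. The task's `when:` list continues past the end of the hunk.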
@@ -4997,11 +5037,34 @@ - V-254483 - name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2022 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop." - ansible.windows.win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - value: ConsentPromptBehaviorAdmin - data: 2 - datatype: dword + block: + - name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2022 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Variable Check." + ansible.builtin.debug: + msg: + - "Warning!! You have have not choosen a correct setting for wn22stig_consentprompt" + - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." + when: + - wn22stig_consentprompt < 1 or + wn22stig_consentprompt > 2 + + - name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2022 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Warn Count." + ansible.builtin.import_tasks: warning_facts.yml + vars: + warn_control_id: 'WN22-SO-000400' + when: + - wn22stig_consentprompt < 1 or + wn22stig_consentprompt > 2 + + - name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2022 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Apply Variable." + ansible.windows.win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + state: present + value: ConsentPromptBehaviorAdmin + data: "{{ wn22stig_consentprompt }}" + datatype: dword + when: + - wn22stig_consentprompt == 1 or + wn22stig_consentprompt == 2 when: - wn22_so_000400 tags: 
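Review bot: The operator-facing message in the WN22-SO-000400 "Variable Check" task has two typos: `"Warning!! You have have not choosen a correct setting for wn22stig_consentprompt"` should read `"Warning!! You have not chosen a correct setting for wn22stig_consentprompt"`. As a point of style, the two warning/count sub-tasks here are labelled `PATCH` although they only audit, whereas the equivalent sub-tasks in the WN22-SO-000100 and WN22-SO-000120 hunks are labelled `AUDIT`; matching that convention keeps the task names filterable.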
@@ -5130,7 +5193,7 @@ - name: "MEDIUM | WN22-UR-000030 | PATCH | Windows Server 2022 Allow log on locally user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeInteractiveLogonRight - users: Administrators + users: "{{ wn22stig_seinteractivelogonright }}" action: set when: - wn22_ur_000030 @@ -5145,7 +5208,7 @@ - name: "MEDIUM | WN22-UR-000040 | PATCH | Windows Server 2022 Back up files and directories user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeBackupPrivilege - users: Administrators + users: "{{ wn22stig_sebackuprivilege }}" action: set when: - wn22_ur_000040 @@ -5175,11 +5238,7 @@ - name: "MEDIUM | WN22-UR-000070 | PATCH | Windows Server 2022 Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: name: SeCreateGlobalPrivilege - users: - - Administrators - - Service - - "Local Service" - - Network Service + users: "{{ wn22stig_secreateglobalprivilege }}" action: set when: - wn22_ur_000070 @@ -5239,9 +5298,7 @@ - name: "MEDIUM | WN22-UR-000120 | PATCH | Windows Server 2022 Generate security audits user right must only be assigned to Local Service and Network Service." ansible.windows.win_user_right: name: SeAuditPrivilege - users: - - Local Service - - Network Service + users: "{{ wn22stig_seauditprivilege }}" action: set when: - wn22_ur_000120 @@ -5256,11 +5313,7 @@ - name: "MEDIUM | WN22-UR-000130 | PATCH | Windows Server 2022 Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service." ansible.windows.win_user_right: name: SeImpersonatePrivilege - users: - - Administrators - - Service - - Local Service - - Network Service + users: "{{ wn22stig_seimpersonateprivilege }}" action: set when: - wn22_ur_000130 
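Review bot: In the `@@ -5145,7 +5208,7 @@` hunk the variable `wn22stig_sebackuprivilege` is missing the "p" of SeBackupPrivilege, and in `@@ -5306,7 +5359,7 @@` on the next line `wn22stig_selockmemorprivilege` is missing the "y" of SeLockMemoryPrivilege; if defaults/main.yml (not part of this patch) spells them out fully, both tasks fail at runtime with an undefined variable. Please confirm the names match the defaults, or rename to `wn22stig_sebackupprivilege` and `wn22stig_selockmemoryprivilege` in both places. Note also that the SeLockMemoryPrivilege value was previously the literal `""` (no principals); whatever default the new variable receives should keep that unless the deviation is documented.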
@@ -5275,7 +5328,7 @@ - name: "MEDIUM | WN22-UR-000140 | PATCH | Windows Server 2022 Increase scheduling priority: user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeIncreaseBasePriorityPrivilege - users: Administrators + users: "{{ wn22stig_seincreasebasepriorityprivilege }}" action: set when: - wn22_ur_000140 @@ -5306,7 +5359,7 @@ community.windows.win_security_policy: section: Privilege Rights key: SeLockMemoryPrivilege - value: "" + value: "{{ wn22stig_selockmemorprivilege }}" when: - wn22_ur_000160 tags: @@ -5321,7 +5374,7 @@ - name: "MEDIUM | WN22-UR-000170 | PATCH | Windows Server 2022 Manage auditing and security log user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeSecurityPrivilege - users: Administrators + users: "{{ wn22stig_sesecurityprivilege }}" action: set when: - wn22_ur_000170 @@ -5385,7 +5438,7 @@ - name: "MEDIUM | WN22-UR-000210 | PATCH | Windows Server 2022 Restore files and directories user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeRestorePrivilege - users: Administrators + users: "{{ wn22stig_serestoreprivilege }}" action: set when: - wn22_ur_000210 @@ -5400,7 +5453,7 @@ - name: "MEDIUM | WN22-UR-000220 | PATCH | Windows Server 2022 Take ownership of files or other objects user right must only be assigned to the Administrators group." ansible.windows.win_user_right: name: SeTakeOwnershipPrivilege - users: Administrators + users: "{{ wn22stig_setakeownershipprivilege }}" action: set when: - wn22_ur_000220 From caaee376849a5819bb5cce01832b7f79ddecfd0b Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 14:08:58 -0400 Subject: [PATCH 82/95] Update manual tasks with new audit -13 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 82d8e5c..efa4b2c 100644 
--- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -370,14 +370,14 @@ ansible.windows.win_shell: icacls "c:\windows" changed_when: false failed_when: false - register: wn16_00_000160_windows_dir_audit + register: wn22_00_000160_windows_dir_audit - name: "MEDIUM | WN22-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements. | Warning Message." ansible.builtin.debug: msg: - "Warning!! This is a manual task to audit. Windows Server 2022 permissions for the Windows installation directory needs to meet" - "the STIG requirements. Please check the report below and compare the the STIG requirements." - - "{{ wn16_00_000160_windows_dir_audit.stdout_lines }}" + - "{{ wn22_00_000160_windows_dir_audit.stdout_lines }}" - name: "MEDIUM | WN22-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements. | Warn Count." ansible.builtin.import_tasks: warning_facts.yml From 3b68efd92b488a81c2e05808aee06f281779d3f4 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Thu, 17 Aug 2023 14:22:04 -0400 Subject: [PATCH 83/95] Update manual tasks with new audit -14 Signed-off-by: Frederick Witty --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0076bd3..fa41d4d 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -344,7 +344,7 @@ wn22stig_pass_age_administrator: 60 # WN22-AC-000010 # Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. # Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. -# Valid Variables are 15 or more or 0. +# Valid Variables are equal to greater than 15 or 0. wn22stig_lockoutduration: 15 # WN22-AC-000020 
@@ -361,7 +361,7 @@ wn22stig_resetlockoutcount: 15 # Windows Server 2022 password history must be configured to 24 passwords remembered. # wn22stig_passwordhistorysize is the number of passwords windows will remember before you may # be able to reuse that same password. The default value is "24" for Windows domain systems. -# DoD has decided this is the appropriate value for all Windows systems. +# DoD determined appropriate the value for all Windows systems. wn22stig_passwordhistorysize: 24 # WN22-AC-000050 From 2e8d51638479f6def6328489dcccc93032462f40 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Fri, 18 Aug 2023 12:25:00 -0400 Subject: [PATCH 84/95] Typo updates and removed pre-commit Config File Signed-off-by: Frederick Witty --- .pre-commit-config.yaml | 59 ----------------------------------------- README.md | 14 +++++----- defaults/main.yml | 10 +++---- 3 files changed, 13 insertions(+), 70 deletions(-) delete mode 100644 .pre-commit-config.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index 85562e0..0000000 --- a/.pre-commit-config.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -##### CI for use by github no need for action to be added -##### Inherited -ci: - autofix_prs: false - skip: [detect-aws-credentials, ansible-lint ] - -repos: -- repo: https://github.com/pre-commit/pre-commit-hooks - rev: v3.2.0 - hooks: - # Safety - - id: detect-aws-credentials - - id: detect-private-key - - # git checks - - id: check-merge-conflict - - id: check-added-large-files - - id: check-case-conflict - - # General checks - - id: trailing-whitespace - name: Trim Trailing Whitespace - description: This hook trims trailing whitespace. - entry: trailing-whitespace-fixer - language: python - types: [text] - args: [--markdown-linebreak-ext=md] - - id: end-of-file-fixer - -# Scan for passwords -- repo: https://github.com/gitleaks/gitleaks - rev: v8.16.1 - hooks: - - id: gitleaks - -- repo: https://github.com/ansible-community/ansible-lint - rev: v6.17.2 - hooks: - - id: ansible-lint - name: Ansible-lint - description: This hook runs ansible-lint. - entry: python3 -m ansiblelint --force-color site.yml -c .ansible-lint - language: python - # do not pass files to ansible-lint, see: - # https://github.com/ansible/ansible-lint/issues/611 - pass_filenames: false - always_run: true - additional_dependencies: - # https://github.com/pre-commit/pre-commit/issues/1526 - # If you want to use specific version of ansible-core or ansible, feel - # free to override `additional_dependencies` in your own hook config - # file. - - ansible-core>=2.10.1 - -- repo: https://github.com/adrienverge/yamllint.git - rev: v1.32.0 # or higher tag - hooks: - - id: yamllint diff --git a/README.md b/README.md index 2518306..f178bf1 100644 --- a/README.md +++ b/README.md 
@@ -11,18 +11,20 @@ ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) ![Stars](https://img.shields.io/github/stars/ansible-lockdown/Windows-2022-STIG?label=Repo%20Stars&style=social) ![Forks](https://img.shields.io/github/forks/ansible-lockdown/Windows-2022-STIG?style=social) -![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) +![Followers](https://img.shields.io/github/followers/ansible-lockdown?style=social) [![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown) +![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/61461?label=Quality&&logo=ansible) ![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord) -![Devel Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/Windows-2022-STIG/windows_benchmark_testing_to_devel.yml?label=Devel%20Build%20Status) -![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2022-STIG/devel?color=dark%20green&label=Devel%20Branch%20commits) - ![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen) -![Main Build Status](https://img.shields.io/github/actions/workflow/status/ansible-lockdown/Windows-2022-STIG/windows_benchmark_testing_to_main.yml?label=Build%20Status) -![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/Windows-2022-STIG?label=Release%20Date) ![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/Windows-2022-STIG?label=Release%20Tag&&color=success) +![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/Windows-2022-STIG?label=Release%20Date) + +[![Main Pipeline 
Validation](https://github.com/ansible-lockdown/Windows-2022-STIG/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2022-STIG/actions/workflows/main_pipeline_validation.yml) + +[![Devel Pipeline Validation](https://github.com/ansible-lockdown/Windows-2022-STIG/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-2022-STIG/actions/workflows/devel_pipeline_validation.yml) +![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-2022-STIG/devel?color=dark%20green&label=Devel%20Branch%20Commits) ![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/Windows-2022-STIG?label=Open%20Issues) ![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/Windows-2022-STIG?label=Closed%20Issues&&color=success) diff --git a/defaults/main.yml b/defaults/main.yml index fa41d4d..d0cb683 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -7,7 +7,7 @@ win2022stig_cat3_patch: true win2022stig_min_ansible_version: "2.10.1" -# We've defined complexity-high to mean that we cannot automatically remediate +# We've defined complexity-high as cannot automatically remediate # the rule in question. In the future this might mean that the remediation # may fail in some cases. win2022stig_complexity_high: false @@ -37,7 +37,7 @@ win22stig_lengthy_search: false # win22stig_cloud_based_system is a setting built into the playbook for testing locally vs azure. # We have found certain controls need to be set in a different order when being applied in the -# different enviroments. By Default This is set to false. +# different environments. By Default This is set to false. win22stig_cloud_based_system: false # win2022stig_skip_secure_winrm is used in the playbook to skip over WINRM based controls that 
@@ -344,7 +344,7 @@ wn22stig_pass_age_administrator: 60 # WN22-AC-000010 # Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. # Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding. -# Valid Variables are equal to greater than 15 or 0. +# Valid Variables are equal to 0 or greater than or equal to 15. wn22stig_lockoutduration: 15 # WN22-AC-000020 @@ -380,7 +380,7 @@ wn22stig_minimumpasswordage: 1 wn22stig_minimumpasswordlength: 14 # WN22-CC-000110 -# Windows Server 20122virtualization-based security must be enabled with the platform security +# Windows Server 2022 virtualization-based security must be enabled with the platform security # level configured to Secure Boot or Secure Boot with DMA Protection. # wn22stig_dma_protection is the level that they would like to setup. # Valid settings are as follows. @@ -548,7 +548,7 @@ wn22stig_secreateglobalprivilege: Administrators,Service,Local Service,Network S wn22stig_seauditprivilege: Local Service,Network Service # WN22-UR-000130 -# The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. +# The "Impersonate a client after authentication" user right must only be assigned to Administrators, Service, Local Service, and Network Service. # If any SIDs other than the following are granted the "SeImpersonatePrivilege" user right, this is a finding. # If an application requires this user right, this would not be a finding. Vendor documentation must support the # requirement for having the user right. The requirement must be documented with the ISSO. From 5995ac33dba3d97411d3eaa5a464014c4fde61cd Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Aug 2023 12:07:42 -0400 Subject: [PATCH 85/95] Workflow and Readme update -1 
Signed-off-by: Frederick Witty --- .github/ISSUE_TEMPLATE/bug_report.md | 40 ---- .../feature-request-or-enhancement.md | 25 --- .github/ISSUE_TEMPLATE/question.md | 19 -- .github/pull_request_template.md | 15 -- .github/workflows/OS.tfvars | 9 - .github/workflows/main.tf | 193 ------------------ .github/workflows/update_galaxy.yml | 13 +- .github/workflows/vars.tf | 35 ---- .../windows_benchmark_testing_to_devel.yml | 98 --------- .../windows_benchmark_testing_to_main.yml | 101 --------- README.md | 28 ++- meta/main.yml | 2 +- 12 files changed, 22 insertions(+), 556 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE/bug_report.md delete mode 100644 .github/ISSUE_TEMPLATE/feature-request-or-enhancement.md delete mode 100644 .github/ISSUE_TEMPLATE/question.md delete mode 100644 .github/pull_request_template.md delete mode 100644 .github/workflows/OS.tfvars delete mode 100644 .github/workflows/main.tf delete mode 100644 .github/workflows/vars.tf delete mode 100644 .github/workflows/windows_benchmark_testing_to_devel.yml delete mode 100644 .github/workflows/windows_benchmark_testing_to_main.yml diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md deleted file mode 100644 index 1c05e6c..0000000 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -name: Report Issue -about: Create a bug issue ticket to help us improve -title: '' -labels: bug -assignees: '' - ---- - -# Describe the Issue - -A clear and concise description of what the bug is. - -## Expected Behavior - -A clear and concise description of what you expected to happen. - -## Actual Behavior** - -A clear and concise description of what's happening. - -## Control(s) Affected - -What controls are being affected by the issue - -## Environment (please complete the following information) - -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Target server details: [e.g. Windows2016 datacenter] -- Additional Details: - -## Additional Notes - -Anything additional goes here - -## Possible Solution - -Enter a suggested fix here diff --git a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md b/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md deleted file mode 100644 index 58542d9..0000000 --- a/.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md +++ /dev/null @@ -1,25 +0,0 @@ ---- -name: Feature Request or Enhancement -about: Suggest an idea for this project -title: '' -labels: enhancement -assignees: '' - ---- - -# Feature Request or Enhancement - -- Feature [] -- Enhancement [] - -## Summary of Request - -A clear and concise description of what you want to happen. - -## Describe alternatives you've considered - -A clear and concise description of any alternative solutions or features you've considered. - -## Suggested Code - -Please provide any code you have in mind to fulfill the request diff --git a/.github/ISSUE_TEMPLATE/question.md b/.github/ISSUE_TEMPLATE/question.md deleted file mode 100644 index 9465964..0000000 --- a/.github/ISSUE_TEMPLATE/question.md +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -name: Question -about: Ask away....... -title: '' -labels: question -assignees: '' - ---- - -# Question - -Pose question here. - -## Environment (please complete the following information) - -- Ansible Version: [e.g. 2.10] -- Host Python Version: [e.g. Python 3.7.6] -- Ansible Server Python Version: [e.g. Python 3.7.6] -- Additional Details: diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md deleted file mode 100644 index 66d2eae..0000000 --- a/.github/pull_request_template.md +++ /dev/null @@ -1,15 +0,0 @@ -# Overall Review of Changes - -A general description of the changes made that are being requested for merge - -## Issue Fixes - -Please list (using linking) any open issues this PR addresses - -## Enhancements - -Please list any enhancements/features that are not open issue tickets - -## How has this been tested? - -Please give an overview of how these changes were tested. If they were not please use N/A diff --git a/.github/workflows/OS.tfvars b/.github/workflows/OS.tfvars deleted file mode 100644 index e3ee66b..0000000 --- a/.github/workflows/OS.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -prefix = "Lockdown_Github_Repo_Workflow_Win_STIG" -location = "eastus2" -tagname = "ansible_lockdown_actions" -system_size = "Standard_D4s_v3" -OS_publisher = "MicrosoftWindowsServer" -OS_version = "2022" -system_release = "datacenter-gensecond" -hostname = "LE2022" -product_id = "WindowsServer" diff --git a/.github/workflows/main.tf b/.github/workflows/main.tf deleted file mode 100644 index a1a1832..0000000 --- a/.github/workflows/main.tf +++ /dev/null 
@@ -1,193 +0,0 @@ -# Configure the Azure provider -terraform { - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "~> 2.65" - } - random = { - source = "hashicorp/random" - version = "~>3.5" - } - tls = { - source = "hashicorp/tls" - version = "~>4.0" - } - } - required_version = ">= 1.1.0" -} - -provider "azurerm" { - features {} -} - -#Read Username and password from file -data "external" "win_account" { - program = ["cat", "./sensitive_info.json"] -} - -resource "azurerm_resource_group" "main" { - name = "${var.prefix}-${var.OS_version}-RG" - location = var.location - tags = { - environment = var.tagname - } -} - -resource "azurerm_virtual_network" "main" { - name = "${var.prefix}-${var.OS_version}-network" - address_space = ["172.16.0.0/16"] - location = azurerm_resource_group.main.location - resource_group_name = azurerm_resource_group.main.name - tags = { - environment = var.tagname - } -} - -resource "azurerm_subnet" "internal" { - name = "${var.prefix}-${var.OS_version}-intip" - resource_group_name = azurerm_resource_group.main.name - virtual_network_name = azurerm_virtual_network.main.name - address_prefixes = ["172.16.101.0/24"] -} - -resource "azurerm_public_ip" "main" { - name = "${var.prefix}-${var.OS_version}-pubip" - location = var.location - resource_group_name = azurerm_resource_group.main.name - allocation_method = "Static" - tags = { - environment = var.tagname - } -} - -resource "azurerm_network_interface" "main" { - name = "${var.prefix}-${var.OS_version}-nic" - resource_group_name = azurerm_resource_group.main.name - location = azurerm_resource_group.main.location - - ip_configuration { - name = "internal" - subnet_id = azurerm_subnet.internal.id - private_ip_address_allocation = "Dynamic" - public_ip_address_id = azurerm_public_ip.main.id - } - - tags = { - environment = var.tagname - } - -} - -resource "azurerm_network_security_group" "secgroup" { - name = "${var.prefix}-${var.OS_version}-secgroup" - 
resource_group_name = azurerm_resource_group.main.name - location = azurerm_resource_group.main.location - security_rule { - name = "default-allow-3389" - priority = 1000 - access = "Allow" - direction = "Inbound" - destination_port_range = 3389 - protocol = "*" # rdp uses both - source_port_range = "*" - source_address_prefix = "Internet" - destination_address_prefix = "*" - } - security_rule { - name = "default-allow-winrm" - priority = 1001 - access = "Allow" - direction = "Inbound" - destination_port_range = "5985-5986" - protocol = "*" # rdp uses both - source_port_range = "*" - source_address_prefix = "Internet" - destination_address_prefix = "*" - } - tags = { - environment = var.tagname - } -} - -# Associate subnet and network security group -resource "azurerm_subnet_network_security_group_association" "secgroup-assoc" { - subnet_id = azurerm_subnet.internal.id - network_security_group_id = azurerm_network_security_group.secgroup.id -} - -resource "azurerm_windows_virtual_machine" "main" { - name = "${var.hostname}-${var.OS_version}" - resource_group_name = azurerm_resource_group.main.name - location = azurerm_resource_group.main.location - size = var.system_size - admin_username = data.external.win_account.result.username - admin_password = data.external.win_account.result.password - network_interface_ids = [ - azurerm_network_interface.main.id, - ] - - source_image_reference { - publisher = var.OS_publisher - offer = var.product_id - sku = "${var.OS_version}-${var.system_release}" - version = "latest" - } - - os_disk { - storage_account_type = "Standard_LRS" - caching = "ReadWrite" - } - - tags = { - environment = var.tagname - } -} - -## Install the custom script VM extension to each VM. When the VM comes up, -## the extension will download the ConfigureRemotingForAnsible.ps1 script from GitHub -## and execute it to open up WinRM for Ansible to connect to it from Azure Cloud Shell. 
-## exit code has to be 0 -resource "azurerm_virtual_machine_extension" "enablewinrm" { - name = "enablewinrm" - virtual_machine_id = azurerm_windows_virtual_machine.main.id - publisher = "Microsoft.Compute" ## az vm extension image list --location eastus Do not use Microsoft.Azure.Extensions here - type = "CustomScriptExtension" ## az vm extension image list --location eastus Only use CustomScriptExtension here - type_handler_version = "1.10" ## az vm extension image list --location eastus - auto_upgrade_minor_version = true - settings = <> sensitive_info.json - - # Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - run: terraform apply -var-file "OS.tfvars" --auto-approve - - # Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - - - name: Terraform_Destroy - if: always() && env.ENABLE_DEBUG == 'false' - working-directory: .github/workflows - run: terraform destroy -var-file "OS.tfvars" --auto-approve diff --git a/.github/workflows/windows_benchmark_testing_to_main.yml b/.github/workflows/windows_benchmark_testing_to_main.yml deleted file mode 100644 index 5f197f8..0000000 --- a/.github/workflows/windows_benchmark_testing_to_main.yml +++ /dev/null 
@@ -1,101 +0,0 @@ -# This is a basic workflow to help you get started with Actions - -name: windows_testing_pipeline_to_main - -# Controls when the action will run. -# Triggers the workflow on push or pull request -# events but only for the devel branch -on: # yamllint disable-line rule:truthy - pull_request_target: - types: [opened, reopened, synchronize] - branches: - - main - paths: - - '**.yml' - - '**.sh' - - '**.j2' - - '**.ps1' - - '**.cfg' - -# A workflow run is made up of one or more jobs -# that can run sequentially or in parallel -jobs: - # This will create messages for first time contributers and direct them to the Discord server - welcome: - runs-on: ubuntu-latest - - steps: - - uses: actions/first-interaction@main - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - pr-message: |- - Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown! - Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well. 
- - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - env: - ENABLE_DEBUG: false - ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }} - WIN_USERNAME: ${{ secrets.WIN_USERNAME }} - WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }} - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, - # so your job can access it - - uses: actions/checkout@v3 - with: - ref: ${{ github.event.pull_request.head.sha }} - - # Sensitive data stored and passed to terraform - - name: user details - working-directory: .github/workflows - run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json - - # Build out the server - - name: Terraform_Init - working-directory: .github/workflows - run: terraform init - - - name: Terraform_Validate - working-directory: .github/workflows - run: terraform validate - - - name: Terraform_Apply - working-directory: .github/workflows - run: terraform apply -var-file "OS.tfvars" --auto-approve - - # Debug Section - - name: DEBUG - Show Ansible hostfile - if: env.ENABLE_DEBUG == 'true' - working-directory: .github/workflows - run: cat hosts.yml - - # Run the ansible playbook - - name: Run_Ansible_Playbook - uses: arillso/action.playbook@master - with: - playbook: site.yml - inventory: .github/workflows/hosts.yml - galaxy_file: collections/requirements.yml - # verbose: 3 - env: - ANSIBLE_HOST_KEY_CHECKING: "false" - ANSIBLE_DEPRECATION_WARNINGS: "false" - - # Remove test system - - - name: Terraform_Destroy - working-directory: .github/workflows - if: always() && env.ENABLE_DEBUG == 'false' - env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ 
secrets.AWS_SECRET_ACCESS_KEY }} - run: terraform destroy -var-file "OS.tfvars" --auto-approve diff --git a/README.md b/README.md index f178bf1..ba781b5 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,6 @@ ### Based on [Windows DISA STIG Version 1, Rel 3 released on May 17, 2023](https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_MS_Windows_Server_2022_V1R3_STIG.zip) -![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2022-STIG?style=plastic) - --- ![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social) 
@@ -48,37 +46,37 @@ Join us on our [Discord Server](https://discord.io/ansible-lockdown) to ask ques ## Caution(s) -This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. +This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but a remediation tool to be used after an audit. Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. -This role was developed against a clean install of the Windows 2022 operating system. If you are implementing to an existing system please review this role for any site specific changes that are needed. +This role was developed against a clean install of the Windows 2022 operating system. If you are implementing an existing system please review this role for any site-specific changes that are needed. -To use release version please point to main branch and relevant release for the STIG benchmark you wish to work with. +To use the release version please point to the main branch and relevant release for the STIG benchmark you wish to work with. --- ## Matching a security Level for STIG -It is possible to to only run controls that are based on a particular for security level for STIG. +It is possible to only run controls that are based on a particular security level for STIG. This is managed using tags: - CAT1 - CAT2 - CAT3 -The control found in defaults main also need to reflect true so as this will allow the controls to run when the playbook is launched. +The control found in the defaults main also needs to reflect true so as this will allow the controls to run when the playbook is launched. ## Coming from a previous release -STIG releases always contain changes, it is highly recommended to review the new references and available variables. 
This has changed significantly since the initial release of ansible-lockdown. -This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly. +STIG releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. +This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly. Further details can be seen in the [Changelog](./ChangeLog.md) ## Auditing (new) -Currently this release does not have a auditing tool. +Currently, this release does not have an auditing tool. ## Documentation @@ -99,7 +97,7 @@ Currently this release does not have a auditing tool. - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. -- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file. **Technical Dependencies:** 
@@ -116,11 +114,11 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat ## Role Variables -This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win22stig_disruption_high` to `yes`. +This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win22stig_disruption_high` to `yes`. ## Tags -Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag CCI-000366, this task will be skipped. The opposite can also happen where you run only controls tagged with CCI-000366. +Below is an example of the tag section from control within this role. Using this example if you set your run to skip all controls with the tag CCI-000366, this task will be skipped. The opposite can also happen where you run only controls tagged with CCI-000366. ```sh tags: 
@@ -136,7 +134,7 @@ tags: We encourage you (the community) to contribute to this role. Please read the rules below. -- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you to intend to merge. - All community Pull Requests are pulled into the devel branch. - Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved. - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release. @@ -146,6 +144,6 @@ We encourage you (the community) to contribute to this role. Please read the rul uses: - ansible-core 2.12 -- ansible collections - pulls in the latest version based on requirements file +- ansible collections - pulls in the latest version based on the requirements file - runs the audit using the devel branch - This is an automated test that occurs on pull requests into devel diff --git a/meta/main.yml b/meta/main.yml index a026b88..524e9f3 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: - author: "George Nalen" + author: "Frederick Witty, George Nalen, Stephen Williams, Mark 'Bolly' Bolwell" description: "Ansible Role to Apply the DISA Windows Server 2022 STIG" company: "MindPoint Group" license: MIT From d440954de83ee4bf4fada8993cfec3a455ae23c0 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Aug 2023 14:19:53 -0400 Subject: [PATCH 86/95] Defaults+Main Typo fixes1 Signed-off-by: Frederick Witty --- defaults/main.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index d0cb683..dceb568 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -8,7 +8,7 @@ win2022stig_cat3_patch: true
 win2022stig_min_ansible_version: "2.10.1"
 # We've defined complexity-high as cannot automatically remediate
-# the rule in question. In the future this might mean that the remediation
+# the rule in question. In the future, this might mean that the remediation
 # may fail in some cases.
 win2022stig_complexity_high: false
@@ -29,13 +29,13 @@ win2022stig_audit_disruptive: true
 # tweak role to run in a non-privileged container
 win2022stig_system_is_container: false
-# This parameter disables controls that could have a very lengthy find. For example
+# This parameter disables controls that could have a very lengthy find. For example,
 # removing all files of a specific file type that search the entire drive.
 # If there is an action tied to the lengthy search the action task will be disabled as well.
 # WN22-00-000240 - CAT2
 win22stig_lengthy_search: false
-# win22stig_cloud_based_system is a setting built into the playbook for testing locally vs azure.
+# win22stig_cloud_based_system is a setting built into the playbook for testing locally vs Azure.
 # We have found certain controls need to be set in a different order when being applied in the
 # different environments. By Default This is set to false.
 win22stig_cloud_based_system: false
@@ -354,12 +354,12 @@ wn22stig_lockoutbadcount: 3
 # WN22-AC-000030
 # Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater.
-# wn22stig_resetlockoutcount is the Reset account lockout counter after value in mintues.
+# wn22stig_resetlockoutcount is the Reset account lockout counter after value in minutes.
 wn22stig_resetlockoutcount: 15
 # WN22-AC-000040
 # Windows Server 2022 password history must be configured to 24 passwords remembered.
-# wn22stig_passwordhistorysize is the number of passwords windows will remember before you may
+# wn22stig_passwordhistorysize is the number of passwords Windows will remember before you may
 # be able to reuse that same password. The default value is "24" for Windows domain systems.
 # DoD determined appropriate the value for all Windows systems.
 wn22stig_passwordhistorysize: 24
@@ -382,7 +382,7 @@ wn22stig_minimumpasswordlength: 14
 # WN22-CC-000110
 # Windows Server 2022 virtualization-based security must be enabled with the platform security
 # level configured to Secure Boot or Secure Boot with DMA Protection.
-# wn22stig_dma_protection is the level that they would like to setup.
+# wn22stig_dma_protection is the level that they would like to set up.
 # Valid settings are as follows.
 # 1 (Secure Boot only)
 # 3 (Secure Boot and DMA Protection)
@@ -396,7 +396,7 @@ wn22stig_dma_protection: 3
 # Approved values are below:
 # 8 - Good only
 # 1 - Good and unknown
-# 3 - Good, unknown and bad but critical
+# 3 - Good, unknown, and bad but critical
 wn22stig_driver_load_policy: 1
 # WN22-CC-000270
@@ -427,7 +427,7 @@ wn22stig_senetworklogonright_dc: Administrators,Authenticated Users,Enterprise D
 # WN22-DC-000430
 # The password for the krbtgt account on a domain must be reset at least every 180 days.
 # The default setting here matches the STIG requirements. If you would like to
-# enforce a more strcit policy you may do so for auditing purposes.
+# enforce a more strict policy you may do so for auditing purposes.
 # NOTE: Valid Days are 180 or less.
 wn22stig_krbtgt_account_pass_age: 180
@@ -443,7 +443,7 @@ wn22stig_senetworklogonright: Administrators,Authenticated Users
 # WN22-SO-000030
 # Windows Server 2022 built-in administrator account must be renamed.
-# wn22stig_newadministratorname is the non-default name for the Administror Account.
+# wn22stig_newadministratorname is the non-default name for the Administrator Account.
 wn22stig_newadministratorname: adminchangethis
 # WN22-SO-000040
@@ -454,7 +454,7 @@ wn22stig_newguestname: guestchangethis
 # WN22-SO-000100
 # The maximum age for machine account passwords must be configured to 30 days or less.
 # wn22stig_machineaccountpsswd_max_age is the setting for the Computer account passwords
-# are changed automatically on a regular basis. This setting controls the maximum password
+# that are changed automatically on a regular basis. This setting controls the maximum password
 # age that a machine account may have. This must be set to no more than 30 days, ensuring
 # the machine changes its password monthly.
 wn22stig_machineaccountpsswd_max_age: 30
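Review bot: In the `@@ -443` hunk the rewritten comment still says nothing about the shipped default `wn22stig_newadministratorname: adminchangethis`, which is a placeholder anyone can read in this repository, so a run that keeps the defaults renames the built-in Administrator to a name that gives none of the obscurity WN22-SO-000030 is after. Suggest extending the comment with `# NOTE: "adminchangethis" is a public placeholder, not a hardened value; set it per site — the role should fail a precondition if it is still the default.` The same applies to `wn22stig_newguestname: guestchangethis`, visible in the header context of the following hunk; a precondition assert on both values (in the prelim tasks, outside this diff) would turn the comment into an enforced check.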
@@ -462,7 +462,7 @@ wn22stig_machineaccountpsswd_max_age: 30
 # WN22-SO-000120
 # The machine inactivity limit must be set to 15 minutes, locking the system with the screen saver.
 # wn22stig_inactivitytimeoutsecs is the time in seconds that will be set in the registry that
-# enagages the screen saver. Default setting is "900" seconds or less excluding "0"
+# enagages the screen saver. The default setting is "900" seconds or less excluding "0"
 wn22stig_inactivitytimeoutsecs: 900
 # WN22-SO-000130
@@ -500,7 +500,7 @@ wn22stig_sys_maxsize: 32768
 # WN22-SO-000400
 # User Account Control must, at a minimum, prompt administrators for consent on the secure desktop.
-# The more secure option for this setting, "Prompt for credenti
+# The more secure option for this setting, "Prompt for credentials on the secure desktop"
 # Default setting is 2
 # 2 -(Prompt for consent on the secure desktop)
 # 1 -(Prompt for credentials on the secure desktop)
@@ -521,7 +521,7 @@ wn22stig_krbtgt_pass_age: 180
 wn22stig_seinteractivelogonright: Administrators
 # WN22-UR-000040
-# The Back up files and directories user right must only be assigned to the Administrators group.
+# The Backup files and directories user right must only be assigned to the Administrators group.
 # If any SIDs other than the following are granted the "SeBackupPrivilege" user right, this is a finding.
 # If an application requires this user right, this would not be a finding. Vendor documentation must support the
 # requirement for having the user right. The requirement must be documented with the ISSO.
From cdd9fa44622a9cfbba2a67390b182526abb6dc45 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Tue, 22 Aug 2023 14:22:30 -0400
Subject: [PATCH 87/95] Meta+Main Update-1
Signed-off-by: Frederick Witty
---
 meta/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/main.yml b/meta/main.yml
index 524e9f3..b4f6213 100644
--- a/meta/main.yml
+++ b/meta/main.yml
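Review bot: The rewritten line in the `@@ -462` hunk still carries the misspelling `enagages`, so this typo pass leaves the word it was most likely aimed at: `# engages the screen saver. The default setting is "900" seconds or less excluding "0"`. In the `@@ -500` hunk the new line is still a sentence fragment; `# The more secure option for this setting is "Prompt for credentials on the secure desktop" (1).` reads as a sentence and ties it to the value listed two lines below.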
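Review bot: In the `@@ -521` hunk the "fix" to `Backup files and directories` moves the comment away from the name of the user right it describes; the Windows policy and the STIG text call it "Back up files and directories" (the right that grants `SeBackupPrivilege`, as the next context line says), so the original two-word spelling should be kept: `# The "Back up files and directories" user right must only be assigned to the Administrators group.` Quoting the right's name also makes the comment searchable against the policy editor. Separately, this hunk's header context shows `wn22stig_krbtgt_pass_age: 180` while the `@@ -427` hunk and the warning task in tasks/cat2.yml use `wn22stig_krbtgt_account_pass_age`; if both live in defaults, one looks unused and it is worth confirming which one the tasks read and documenting that next to the variable.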
@@ -1,7 +1,7 @@
 ---
 galaxy_info:
- author: "Frederick Witty, George Nalen, Stephen Williams, Mark 'Bolly' Bolwell"
+ author: "Frederick Witty Jr., George Nalen, Stephen Williams, Mark 'Bolly' Bolwell"
 description: "Ansible Role to Apply the DISA Windows Server 2022 STIG"
 company: "MindPoint Group"
 license: MIT
From c52bee4373bac861d5e19d83d4d3c12055290461 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Tue, 22 Aug 2023 14:47:21 -0400
Subject: [PATCH 88/95] Typo Fixes -1
Signed-off-by: Frederick Witty
---
 CONTRIBUTING.rst | 12 ++++++------
 README.md | 2 +-
 tasks/cat2.yml | 8 ++++----
 tasks/cat2_cloud_lockout_order.yml | 6 +++---
 tasks/cat3.yml | 2 +-
 tasks/prelim.yml | 2 +-
 tasks/warning_facts.yml | 2 +-
 7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index dda5127..ccd3b84 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -6,13 +6,13 @@ Rules 1) All commits must be GPG signed (details in Signing section) 2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) 3) All work is done in your own branch -4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) +4) All pull requests go to the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing) 5) Be open and nice to each other Workflow -------- -- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge -- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge +- All community Pull Requests are to the devel branch. There are automated checks for GPG signed, Signed-off in the commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. - Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release Signing your contribution 
@@ -30,19 +30,19 @@ The process is to certify the below DCO 1.1 text By making a contribution to this project, I certify that: (a) The contribution was created in whole or in part by me and I - have the right to submit it under the open source license + have the right to submit it under the open-source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part - by me, under the same open source license (unless I am + by me, under the same open-source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other - person who certified (a), (b) or (c) and I have not modified + person who certified (a), (b), or (c) and I have not modified it. (d) I understand and agree that this project and the contribution diff --git a/README.md b/README.md index ba781b5..e45a5c8 100644 --- a/README.md +++ b/README.md 
@@ -114,7 +114,7 @@ Package 'python-xmltodict' is required if you enable the OpenSCAP tool installat ## Role Variables -This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win22stig_disruption_high` to `yes`. +This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. Non-disruptive CAT I, CAT II, and CAT III findings will be corrected by default. Disruptive finding remediation can be enabled by setting `win22stig_disruption_high` to `true`. ## Tags diff --git a/tasks/cat2.yml b/tasks/cat2.yml index efa4b2c..a08a906 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -2877,7 +2877,7 @@ - name: "MEDIUM | WN22-CC-000270 | PATCH | Windows Server 2022 Application event log size must be configured to 32768 KB or greater. | Warning Message." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for wn22stig_application_event_log_max_size please read" + - "Warning!! You have an invalid file size set for wn22stig_application_event_log_max_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn22stig_application_event_log_max_size < 32768 
@@ -2910,7 +2910,7 @@ - name: "MEDIUM | WN22-CC-000280 | AUDIT | Windows Server 2022 Security event log size must be configured to 196608 KB or greater. | Warning Message." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for wn22stig_security_event_log_max_size please read" + - "Warning!! You have an invalid file size set for wn22stig_security_event_log_max_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn22stig_security_event_log_max_size < 196608 @@ -2943,7 +2943,7 @@ - name: "MEDIUM | WN22-CC-000290 | AUDIT | Windows Server 2022 System event log size must be configured to 32768 KB or greater. | Warning Message." ansible.builtin.debug: msg: - - "Warning!! You have a invalid file size set for wn22stig_system_event_log_max_size please read" + - "Warning!! You have an invalid file size set for wn22stig_system_event_log_max_size please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn22stig_system_event_log_max_size < 32768 @@ -4042,7 +4042,7 @@ - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | Warning Message Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_krbtgt_account_pass_age please read" + - "Warning!! You have an invalid number of days set for wn22stig_krbtgt_account_pass_age please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: wn22stig_krbtgt_account_pass_age > 180 diff --git a/tasks/cat2_cloud_lockout_order.yml b/tasks/cat2_cloud_lockout_order.yml index 5931a68..ed6d318 100644 --- a/tasks/cat2_cloud_lockout_order.yml +++ b/tasks/cat2_cloud_lockout_order.yml 
@@ -7,7 +7,7 @@ - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_lockoutbadcount please read" + - "Warning!! You have an invalid number of days set for wn22stig_lockoutbadcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_lockoutbadcount == 0 or @@ -45,7 +45,7 @@ - name: "MEDIUM | WN22-AC-000010 | AUDIT | Windows Server 2022 account lockout duration must be configured to 15 minutes or greater. | Warning For Bad Variable." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of minutes set for wn22stig_lockoutduration please read" + - "Warning!! You have an invalid number of minutes set for wn22stig_lockoutduration please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_lockoutduration < 15 @@ -84,7 +84,7 @@ - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater." ansible.builtin.debug: msg: - - "Warning!! You have a invalid number of days set for wn22stig_resetlockoutcount please read" + - "Warning!! You have an invalid number of days set for wn22stig_resetlockoutcount please read" - "the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_resetlockoutcount > wn22stig_lockoutduration or diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 5ee2c7e..9849c20 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml 
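Review bot: The new message in the first hunk (`@@ -7`) still reports an invalid "number of days" for `wn22stig_lockoutbadcount`, although the task name says the variable is the number of allowed bad logon attempts, and the third hunk (`@@ -84`) says "number of days" for `wn22stig_resetlockoutcount`, which defaults/main.yml documents as a value in minutes; the commit only changed "a" to "an" and left the wrong unit in both user-facing warnings. Suggest `- "Warning!! You have an invalid number of bad logon attempts set for wn22stig_lockoutbadcount please read"` and `- "Warning!! You have an invalid number of minutes set for wn22stig_resetlockoutcount please read"`. The `when:` lists of all three blocks continue outside the hunks. The task name on the `@@ -84` context line, `- name: MEDIUM | WN22-AC-000030 | AUDIT | … greater."`, is missing its opening quote unlike the other task names; it is not introduced here, but it belongs in the same typo pass.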
@@ -51,7 +51,7 @@
 - SV-205800r859311_rule
 - V-205800
-- name: "LOW | WN22-CC-000030 | PATCH | Windows Server 2022 internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing."
+- name: "LOW | WN22-CC-000030 | PATCH | Windows Server 2022 Internet Protocol version 6 (IPv6) source routing must be configured to the highest protection level to prevent IP source routing."
 ansible.windows.win_regedit:
 path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
 value: DisableIPSourceRouting
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 6341339..68b4327 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -10,7 +10,7 @@
 # HVM is Amazon AMI's, Hyper-V is Azure's, KVM is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
 # Current list is elastic and will be updated as we test more cloud based services.
-# Current testing is working in Azure using Hyper-V. We are curently using this for reference:
+# Current testing is working in Azure using Hyper-V. We are currently using this for reference:
 # https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
 - name: Set Fact If Cloud Based System.
 ansible.builtin.set_fact:
diff --git a/tasks/warning_facts.yml b/tasks/warning_facts.yml
index f62133f..c2e16c7 100644
--- a/tasks/warning_facts.yml
+++ b/tasks/warning_facts.yml
@@ -12,7 +12,7 @@
 #
 # warn_control_list is the main variable to be used and is a list made up of the warn_control_id's
 #
-# warn_count the main variable for the number of warnings and each time a warn_control_id is added
+# warn_count is the main variable for the number of warnings and each time a warn_control_id is added
 # the count increases by a value of 1
 - name: "NO CONTROL ID | AUDIT | Set Fact for Manual Task Warning"
From e5c570f3184705176f9ad70b5398aa76c018332a Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Aug 2023 14:49:00 -0400 Subject: [PATCH 89/95] Typo Fixes -2 Signed-off-by: Frederick Witty
--- tasks/cat2_cloud_lockout_order.yml | 2 -- 1 file changed, 2 deletions(-)
diff --git a/tasks/cat2_cloud_lockout_order.yml b/tasks/cat2_cloud_lockout_order.yml
index ed6d318..7b3ce66 100644
--- a/tasks/cat2_cloud_lockout_order.yml
+++ b/tasks/cat2_cloud_lockout_order.yml
@@ -1,7 +1,6 @@
 ---
 # THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR CLOUD BASED SYSTEMS
-# The below task is dependent on WN22-AC-000020 and WN22-AC-000030, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'LockoutDuration' in section 'System Access' is not a valid key, cannot set this value"
 - name: "MEDIUM | WN22-AC-000020 | PATCH | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less."
 block:
 - name: "MEDIUM | WN22-AC-000020 | AUDIT | Windows Server 2022 must have the number of allowed bad logon attempts configured to three or less. | Warning For Bad Variable."
@@ -78,7 +77,6 @@
 - CAT2
 - lockout
-# The below task is dependent on WN22-AC-000020, maybe custom fail when known error if WN22-AC-000020 not set? "The key 'ResetLockoutCount' in section 'System Access' is not a valid key, cannot set this value"
 - name: "MEDIUM | WN22-AC-000030 | PATCH | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
 block:
 - name: MEDIUM | WN22-AC-000030 | AUDIT | Windows Server 2022 must have the period of time before the bad logon counter is reset configured to 15 minutes or greater."
From 00b1737aa8a047f9c94fe5ad3d9f84c257253ffe Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Aug 2023 14:51:50 -0400 Subject: [PATCH 90/95] Typo Fixes -3
Signed-off-by: Frederick Witty
--- tasks/cat1.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/cat1.yml b/tasks/cat1.yml
index e7847bc..163b8f5 100644
--- a/tasks/cat1.yml
+++ b/tasks/cat1.yml
@@ -32,10 +32,10 @@
 - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | Message out"
 ansible.builtin.debug:
 msg:
- - "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format"
+ - "Warning!! This is a manual task. Windows Server 2022 local volumes must use the format"
 - "that supports NTFS attributes. Please check to verify your system is in compliance."
 - "ReFS (resilient file system) is also acceptable and would not be a finding."
- - "This does not apply to system partitions such the Recovery and EFI System Partition."
+ - "This does not apply to system partitions such as the Recovery and EFI System Partition."
 - "{{ wn22_00_000130_audit.stdout.split('\n') }}"
 - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task."
From 6935797c9110a83bdf43a413e22509764662cc7f Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Tue, 22 Aug 2023 16:04:51 -0400 Subject: [PATCH 91/95] Typo Fixes -4 Signed-off-by: Frederick Witty
--- tasks/cat1.yml | 20 +++++------ tasks/cat2.yml | 92 +++++++++++++++++++++++++------------------------- tasks/cat3.yml | 4 +-- 3 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/tasks/cat1.yml b/tasks/cat1.yml
index 163b8f5..c96684e 100644
--- a/tasks/cat1.yml
+++ b/tasks/cat1.yml
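Review bot: The first added line in the `@@ -32` hunk now says `must use the format`, which reads as if a single format were required and contradicts the unchanged `ReFS (resilient file system) is also acceptable` line two lines below it; the task name on the first context line still uses the STIG wording `a format that supports NTFS attributes`. I would keep the original article: `- "Warning!! This is a manual task. Windows Server 2022 local volumes must use a format"`. The second change (`such as the Recovery`) is fine.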
@@ -6,7 +6,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email."
- - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | import reuseable task."
+ - name: "HIGH | WN22-00-000030 | AUDIT | Windows Server 2022 administrative accounts must not be used with applications that access the Internet, such as web browsers, or with potential Internet sources, such as email. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000030'
@@ -38,7 +38,7 @@
 - "This does not apply to system partitions such as the Recovery and EFI System Partition."
 - "{{ wn22_00_000130_audit.stdout.split('\n') }}"
- - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reuseable task."
+ - name: "HIGH | WN22-00-000130 | AUDIT | Windows Server 2022 local volumes must use a format that supports NTFS attributes. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000130'
@@ -204,7 +204,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access."
- - name: "WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | import reuseable task."
+ - name: "WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000070'
@@ -225,7 +225,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions."
- - name: "HIGH | WN22-DC-000080 | AUDIT | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. | import reuseable task."
+ - name: "HIGH | WN22-DC-000080 | AUDIT | Windows Server 2022 Active Directory SYSVOL directory must have the proper access control permissions. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000080'
@@ -246,7 +246,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions."
- - name: "HIGH | WN22-DC-000090 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. | import reuseable task."
+ - name: "HIGH | WN22-DC-000090 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000090'
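Review bot: The rewritten task name in the `@@ -204` hunk starts with `WN22-DC-000070 | AUDIT |` and lacks the severity prefix that every sibling name in this file carries (`HIGH | WN22-DC-000080 | AUDIT |` in the next hunk), so it stands out in play output and in any filtering on the name. Since this commit already touches that line, it would be the natural place to make it `- name: "HIGH | WN22-DC-000070 | AUDIT | Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access. | import reusable task."`. I am inferring the severity from the surrounding DC controls, so confirm against the STIG entry.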
@@ -267,7 +267,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions."
- - name: "HIGH | WN22-DC-000100 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | import reuseable task."
+ - name: "HIGH | WN22-DC-000100 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000100'
@@ -288,7 +288,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions."
- - name: "HIGH | WN22-DC-000110 | AUDIT | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | import reuseable task."
+ - name: "HIGH | WN22-DC-000110 | AUDIT | Windows Server 2022 organization created Active Directory Organizational Unit (OU) objects must have proper access control permissions. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000110'
@@ -309,7 +309,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access."
- - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | import reuseable task."
+ - name: "HIGH | WN22-DC-000150 | AUDIT | Windows Server 2022 directory data (outside the root DSE) of a nonpublic directory must be configured to prevent anonymous access. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000150'
@@ -330,7 +330,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA)."
- - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task."
+ - name: "HIGH | WN22-DC-000290 | AUDIT | Windows Server 2022 domain Controller PKI certificates must be issued by the DoD PKI or an approved External Certificate Authority (ECA). | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000290'
@@ -351,7 +351,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA)."
- - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reuseable task."
+ - name: "HIGH | WN22-DC-000300 | AUDIT | Windows Server 2022 PKI certificates associated with user accounts must be issued by a DoD PKI or an approved External Certificate Authority (ECA). | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000300'
diff --git a/tasks/cat2.yml b/tasks/cat2.yml
index a08a906..d95808a 100644
--- a/tasks/cat2.yml
+++ b/tasks/cat2.yml
@@ -143,7 +143,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization."
- - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000060 | AUDIT | Windows Server 2022 manually managed application account passwords must be changed at least annually or when a system administrator with knowledge of the password leaves the organization. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000060'
@@ -163,7 +163,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 shared user accounts must not be permitted."
- - name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2022 shared user accounts must not be permitted. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000070 | AUDIT | Windows Server 2022 shared user accounts must not be permitted. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000070'
@@ -183,7 +183,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
- - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000080 | AUDIT | Windows Server 2022 must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000080'
@@ -250,7 +250,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 must be maintained at a supported servicing level."
- - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000100 | AUDIT | Windows Server 2022 must be maintained at a supported servicing level. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000100'
@@ -270,7 +270,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 must use an antivirus program."
- - name: "MEDIUM | WN22-00-000110 | AUDIT | Windows Server 2022 must use an antivirus program. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000110 | AUDIT | Windows Server 2022 must use an antivirus program. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000110'
@@ -290,7 +290,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 must have a host-based intrusion detection or prevention system."
- - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000120 | AUDIT | Windows Server 2022 must have a host-based intrusion detection or prevention system. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000120'
@@ -310,7 +310,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements."
- - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000140 | AUDIT | Windows Server 2022 permissions for the system drive root directory usually C:\ must conform to minimum requirements. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000140'
@@ -336,7 +336,7 @@
 ansible.builtin.debug:
 msg:
 - "Warning!! This is a manual task to audit. Windows Server 2022 icacls program needs to meet"
- - "the STIG requirements. Please check the report below and compare the the STIG requirements."
+ - "the STIG requirements. Please check the report below and compare the STIG requirements."
 - "{{ wn22_00_000150_program_files_audit.stdout_lines }}"
 - name: "MEDIUM | WN22-00-000150 | AUDIT | Permissions for program file directories must conform to minimum requirements. | Obtain icacls for Program Files x86"
@@ -349,7 +349,7 @@
 ansible.builtin.debug:
 msg:
 - "Warning!! This is a manual task to audit. Windows Server 2022 icacls program files x86 needs to meet"
- - "the STIG requirements. Please check the report below and compare the the STIG requirements."
+ - "the STIG requirements. Please check the report below and compare the STIG requirements."
 - "{{ wn22_00_000150_program_files_86_audit.stdout_lines }}"
 vars:
 warn_control_id: 'WN22-00-000150'
@@ -376,7 +376,7 @@
 ansible.builtin.debug:
 msg:
 - "Warning!! This is a manual task to audit. Windows Server 2022 permissions for the Windows installation directory needs to meet"
- - "the STIG requirements. Please check the report below and compare the the STIG requirements."
+ - "the STIG requirements. Please check the report below and compare the STIG requirements."
 - "{{ wn22_00_000160_windows_dir_audit.stdout_lines }}"
 - name: "MEDIUM | WN22-00-000160 | AUDIT | Permissions for the Windows installation directory must conform to minimum requirements. | Warn Count."
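Review bot: Dropping the duplicated "the" leaves `compare the STIG requirements` on the added lines in the `@@ -336`, `@@ -349` and `@@ -376` hunks (and `below and compare the STIG requirements` in the two `@@ -434`/`@@ -470` hunks that follow), which is grammatical but no longer says what the report is compared against. Since these messages are what an operator reads when the manual check fires, `compare it against the STIG requirements` (or `compare with`) would make the instruction unambiguous; the same wording can be applied to all five lines.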
@@ -400,7 +400,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained."
- - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000170 | AUDIT | Windows Server 2022 default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000170'
@@ -434,7 +434,7 @@
 - "Built-in default account (Renamed, Disabled, SID ending in 503)"
 - "Application accounts"
 - "Below is the list of User accounts found on the system. Please check the report"
- - "below and compare the the STIG requirements."
+ - "below and compare the STIG requirements."
 - "----------------------------------------------------------"
 - "{{ wn22_00_000190_account_audit_dc.stdout.split('\n') }}"
 - "----------------------------------------------------------"
@@ -470,7 +470,7 @@
 - "Built-in default account (Renamed, Disabled, SID ending in 503)"
 - "Application accounts"
 - "Below is the list of User accounts found on the system. Please check the report"
- - "below and compare the the STIG requirements."
+ - "below and compare the STIG requirements."
 - "----------------------------------------------------------"
 - "{{ wn22_00_000190_account_audit_dm_sa.stdout.split('\n') }}"
 - "----------------------------------------------------------"
@@ -510,7 +510,7 @@
 - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN CONTROLLER | Windows Server 2022 accounts must require passwords."
 ansible.builtin.debug:
 msg:
- - The accounts listed are do not require a password and are currently enabled
+ - The accounts listed do not require a password and are currently enabled
 - "{{ wn22_00_000200_audit_dc.stdout.split('\n') }}"
 when:
 - not wn22_00_000200_audit_dc is skipped
@@ -527,7 +527,7 @@
 - name: "MEDIUM | WN22-00-000200 | AUDIT - DOMAIN MEMBERS OR STANDALONE | Windows Server 2022 accounts must require passwords."
 ansible.builtin.debug:
 msg:
- - The accounts listed are do not require a password and are currently enabled
+ - The accounts listed do not require a password and are currently enabled
 - "{{ wn22_00_000200_audit_dm_sa.stdout.split('\n') }}"
 when:
 - not wn22_00_000200_audit_dm_sa is skipped
@@ -609,7 +609,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 system files must be monitored for unauthorized changes."
- - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2022 system files must be monitored for unauthorized changes. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000220 | AUDIT | Windows Server 2022 system files must be monitored for unauthorized changes. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000220'
@@ -716,7 +716,7 @@
 - "Warning!! This is a manual task. Windows Server 2022 systems requiring data at rest protections"
 - "must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest."
- - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000250 | AUDIT | Windows Server 2022 systems requiring data at rest protections must employ cryptographic mechanisms to prevent unauthorized disclosure and modification of the information at rest. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000250'
@@ -741,7 +741,7 @@
 - "or IPsec if the data owner has a strict requirement for ensuring"
 - "data integrity and confidentiality is maintained at every step of the data transfer and handling process."
- - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000260 | AUDIT | Windows Server 2022 must implement protection methods such as TLS, encrypted VPNs, or IPsec if the data owner has a strict requirement for ensuring data integrity and confidentiality is maintained at every step of the data transfer and handling process. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000260'
@@ -809,7 +809,7 @@
 ansible.builtin.debug:
 msg:
 - "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled."
- - "Windows does not currently have its built in firewall enabled."
+ - "Windows does not currently have its built-in firewall enabled."
 - "Please check for 3rd party firewall and verify the configuration requirements conform to firewall STIG standards."
 - "{{ wn22_00_000280_firewall_audit.stdout_lines }}"
 when:
@@ -821,7 +821,7 @@
 ansible.builtin.debug:
 msg:
 - "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled."
- - "Windows host based firewall currently is enabled on Domain, Private, And Public Profiles."
+ - "Windows host-based firewall currently is enabled on Domain, Private, And Public Profiles."
 - "Please check the firewall and verify the configuration requirements conform to firewall STIG standards."
 - "{{ wn22_00_000280_firewall_audit.stdout_lines }}"
 when:
@@ -841,7 +841,7 @@
 'Private profile is enabled' not in wn22_00_000280_firewall_audit.stdout_lines | string or
 'Public profile is enabled' not in wn22_00_000280_firewall_audit.stdout_lines | string"
- - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000280 | AUDIT | Windows Server 2022 must have a host-based firewall installed and enabled. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000280'
@@ -894,7 +894,7 @@
 ansible.builtin.debug:
 msg:
 - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts"
- - "listed where the expiration date is longer then 72 hours."
+ - "listed where the expiration date is longer than 72 hours."
 - "{{ wn22_00_000330_audit_dc.stdout.split('\n') }}"
 when:
 - wn22_00_000330_audit_dc is not skipped
@@ -911,7 +911,7 @@
 ansible.builtin.debug:
 msg:
 - "Warning!! This is a manual task. Please review all accounts to verify there are no temporary accounts"
- - "listed where the expiration date is longer then 72 hours."
+ - "listed where the expiration date is longer than 72 hours."
 - "{{ wn22_00_000330_audit_sa.stdout.split('\n') }}"
 when:
 - wn22_00_000330_audit_dc is not skipped
@@ -1331,7 +1331,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS."
- - name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000460 | AUDIT | Windows Server 2022 systems must have Unified Extensible Firmware Interface (UEFI) firmware and be configured to run in UEFI mode, not Legacy BIOS. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000460'
@@ -1351,7 +1351,7 @@
 ansible.builtin.debug:
 msg: "Warning!! This is a manual task. Windows Server 2022 must have Secure Boot enabled. "
- - name: "MEDIUM | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled. | import reuseable task."
+ - name: "MEDIUM | WN22-00-000470 | AUDIT | Windows Server 2022 must have Secure Boot enabled. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-00-000470'
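Review bot: In the `@@ -911` hunk the debug task prints `wn22_00_000330_audit_sa.stdout`, but the first `when` item on the last context line is `- wn22_00_000330_audit_dc is not skipped`, which looks carried over from the domain-controller variant in the preceding `@@ -894` hunk. If that condition is the gate, a member server or standalone host where the DC audit was skipped would never see this temporary-account warning even though the `_sa` audit ran; the expected condition is `- wn22_00_000330_audit_sa is not skipped`. The `when` list continues outside the hunk, so other conditions may also apply; this commit only touches the message text and does not address it.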
@@ -1642,7 +1642,7 @@
 - "different system or media than the system being audited. Establish and implement a process"
 - "for backing up log data to another system or media other than the system being audited."
- - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited. | import reuseable task."
+ - name: "MEDIUM | WN22-AU-000010 | AUDIT | Windows Server 2022 audit records must be backed up to a different system or media than the system being audited. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-AU-000010'
@@ -1664,7 +1664,7 @@
 - "Warning!! This is a manual task. Windows Server 2022 must, at a minimum, offload audit"
 - "records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly."
- - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reuseable task."
+ - name: "MEDIUM | WN22-AU-000020 | AUDIT | Windows Server 2022 must, at a minimum, offload audit records of interconnected systems in real time and offload standalone or nondomain-joined systems weekly. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-AU-000020'
@@ -1744,7 +1744,7 @@
 - "it must be entered as NT Service\\Eventlog"
 - "{{ wn22_au_000040_sec_log_permissions.stdout_lines | reject('match', '^$') | list }}"
- - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts. | import reuseable task."
+ - name: "MEDIUM | WN22-AU-000040 | AUDIT | Windows Server 2022 permissions for the Security event log must prevent access by non-privileged accounts. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-AU-000040'
@@ -1786,7 +1786,7 @@
 - "it must be entered as NT Service\\Eventlog"
 - "{{ wn22_au_000050_system_log_permissions.stdout_lines | reject('match', '^$') | list }}"
- - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts. | import reuseable task."
+ - name: "MEDIUM | WN22-AU-000050 | AUDIT | Windows Server 2022 permissions for the System event log must prevent access by non-privileged accounts. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-AU-000050'
@@ -1824,7 +1824,7 @@
 - "The default location should be System32 folder."
 - "{{ wn22_au_000060_event_viewer_permissions.results[0].stdout_lines }}"
- - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion. | import reuseable task."
+ - name: "MEDIUM | WN22-AU-000060 | AUDIT | Windows Server 2022 Event Viewer must be protected from unauthorized modification and deletion. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-AU-000060'
@@ -3312,7 +3312,7 @@
 - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy"
 - ">> Enforce user logon restrictions to Enabled"
- - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000020 | AUDIT | Windows Server 2022 Kerberos user logon restrictions must be enforced. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000020'
@@ -3339,7 +3339,7 @@
 - ">> Maximum lifetime for service ticket to a maximum of 600 minutes, but not 0, which equates to"
 - "Ticket doesn't expire"
- - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000030'
@@ -3365,7 +3365,7 @@
 - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy"
 - ">> Maximum lifetime for user ticket to a maximum of 10 hours but not 0, which equates to Ticket doesn't expire"
- - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000040 | AUDIT | Windows Server 2022 Kerberos user ticket lifetime must be limited to 10 hours or less. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000040'
@@ -3391,7 +3391,7 @@
 - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy"
 - ">> Maximum lifetime for user ticket renewal to a maximum of 7 days or less"
- - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reuseable task."
+ - name: "MEDIUM | WN22-DC-000050 | AUDIT | Windows Server 2022 Kerberos policy user ticket renewal maximum lifetime must be limited to seven days or less.| import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000050'
@@ -3417,7 +3417,7 @@
 - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy"
 - ">> Maximum tolerance for computer clock synchronization to a maximum of 5 minutes or less."
- - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000060 | AUDIT | Windows Server 2022 computer clock synchronization tolerance must be limited to 5 minutes or less. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000060'
@@ -3459,7 +3459,7 @@
 - "Note the logical drive(s) or file system partition for any organization-created data shares."
 - "{{ wn22_dc_000120_audit_shares.stdout_lines | trim }}"
- - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files. | import reuseable task."
+ - name: "MEDIUM | WN22-DC-000120 | AUDIT | Windows Server 2022 data files owned by users must be on a different logical partition from the directory server data files. | import reusable task."
 ansible.builtin.import_tasks: warning_facts.yml
 vars:
 warn_control_id: 'WN22-DC-000120'
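Review bot: The added line in the `@@ -3391` hunk still has `seven days or less.| import reusable task.` with no space before the `|` separator, while every other task name in these hunks uses ` | ` between segments. Since this commit is a typo pass over exactly these names, it would be worth fixing here too: `...must be limited to seven days or less. | import reusable task."`.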
@@ -3484,7 +3484,7 @@ - "Review installed applications. Remove additional roles or applications such as web, database," - "and email from the domain controller." - - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function. | import reuseable task." + - name: "MEDIUM | WN22-DC-000130 | AUDIT | Windows Server 2022 domain controllers must run on a machine dedicated to that function. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000130' @@ -3510,7 +3510,7 @@ - "implementations at a classified confidentiality level that transfer replication data through a network cleared" - "to a lower level than the data." - - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reuseable task." + - name: "MEDIUM | WN22-DC-000140 | AUDIT | Windows Server 2022 must use separate, NSA-approved (Type 1) cryptography to protect the directory data in transit for directory service implementations at a classified confidentiality level when replication data traverses a network cleared to a lower level than the data. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000140' 
@@ -3533,7 +3533,7 @@ - "Warning!! This is a manual task. Active Directory Group Policy objects must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000170 | AUDIT | Windows Server 2022 Active Directory Group Policy objects must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000170' @@ -3557,7 +3557,7 @@ - "Warning!! This is a manual task. The Active Directory Domain object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000180 | AUDIT | Windows Server 2022 Active Directory Domain object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000180' 
@@ -3581,7 +3581,7 @@ - "Warning!! This is a manual task. The Active Directory Infrastructure object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000190 | AUDIT | Windows Server 2022 Active Directory Infrastructure object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000190' @@ -3606,7 +3606,7 @@ - "Unit (OU) object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000200 | AUDIT | Windows Server 2022 Active Directory Domain Controllers Organizational Unit (OU) object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000200' 
@@ -3630,7 +3630,7 @@ - "Warning!! This is a manual task. The Active Directory AdminSDHolder object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000210 | AUDIT | Windows Server 2022 Active Directory AdminSDHolder object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000210' @@ -3654,7 +3654,7 @@ - "Warning!! This is a manual task. The Active Directory RID Manager$ object must be configured with proper audit settings." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings. | import reuseable task." + - name: "MEDIUM | WN22-DC-000220 | AUDIT | Windows Server 2022 Active Directory RID Manager$ object must be configured with proper audit settings. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000220' @@ -3793,7 +3793,7 @@ - "Warning!! This is a manual task. Domain controllers must have a PKI server certificate." - "Please review the STIG documentation for proper direction on auditing this control." - - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate. | import reuseable task." + - name: "MEDIUM | WN22-DC-000280 | AUDIT | Windows Server 2022 domain controllers must have a PKI server certificate. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000280' 
@@ -4056,7 +4056,7 @@ - wn22stig_krbtgt_account_pass_age <= 180 - wn22_dc_000430_audit.stdout | length > 0 - - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reuseable task." + - name: "MEDIUM | WN22-DC-000430 | AUDIT | The password for the krbtgt account on a domain must be reset at least every 180 days. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000430' diff --git a/tasks/cat3.yml b/tasks/cat3.yml index 9849c20..941c630 100644 --- a/tasks/cat3.yml +++ b/tasks/cat3.yml @@ -38,7 +38,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. The Windows Server 2022 time service must synchronize with an appropriate DoD time source. " - - name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source. | import reuseable task." + - name: "LOW | WN22-00-000440 | AUDIT | The Windows Server 2022 time service must synchronize with an appropriate DoD time source. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000440' @@ -170,7 +170,7 @@ ansible.builtin.debug: msg: "Warning!! This is a manual task. Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity." - - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. | import reuseable task." + - name: "LOW | WN22-DC-000160 | AUDIT | Windows Server 2022 directory service must be configured to terminate LDAP-based network connections to the directory server after 5 minutes of inactivity. | import reusable task." ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-DC-000160' 
From d3cd669dee7fa857bc57d42b42fdbe86242407c3 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 23 Aug 2023 12:57:12 -0400 Subject: [PATCH 92/95] Typo Fixes -5 Signed-off-by: Frederick Witty --- tasks/cat2.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tasks/cat2.yml b/tasks/cat2.yml index d95808a..74bb012 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -833,7 +833,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Windows Server 2022 must have a host-based firewall installed and enabled." - - "Windows host based firewall currently is partially enabled on Domain, Private, And Public Profiles." + - "Windows host-based firewall currently is partially enabled on Domain, Private, And Public Profiles." - "Please check the firewall and verify the configuration requirements conform to firewall STIG standards." - "{{ wn22_00_000280_firewall_audit.stdout_lines }}" when: 
@@ -856,18 +856,18 @@ - SV-254265r848611_rule - V-254265 -- name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." +- name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where host-based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP)." block: - - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warning Message" + - name: "MEDIUM | WN22-00-000290 | AUDIT | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where host-based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warning Message" ansible.builtin.debug: msg: - "Warning!! This is a manual task. 
Windows Server 2022 must employ automated mechanisms to determine the state of system" - - "components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System" + - "components with regard to flaw remediation using the following frequency: continuously, where host-based Security System" - "(HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans" - "by Computer Network Defense Service Provider (CNDSP). Verify DoD-approved ESS software is installed and properly operating." - "Ask the site ISSM for documentation of the ESS software installation and configuration." - - name: "MEDIUM | WN22-00-000290 | PATCH | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where Host Based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warn Count" + - name: "MEDIUM | WN22-00-000290 | PATCH | Windows Server 2022 must employ automated mechanisms to determine the state of system components with regard to flaw remediation using the following frequency: continuously, where host-based Security System (HBSS) is used; 30 days, for any additional internal network scans not covered by HBSS; and annually, for external scans by Computer Network Defense Service Provider (CNDSP). | Warn Count" ansible.builtin.import_tasks: warning_facts.yml vars: warn_control_id: 'WN22-00-000290' 
@@ -1211,7 +1211,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. Internet Information Services (IIS) Manager FTP is currently" - - "installed on the system. Anonymous Authentication must be set to diabled per STIG Requirements." + - "installed on the system. Anonymous Authentication must be set to disabled per STIG Requirements." when: "'Installed' in wn22_00_000420_ftp_audit" - name: "MEDIUM | WN22-00-000420 | AUDIT | FTP servers must be configured to prevent anonymous logons. | Warn Count" @@ -1255,7 +1255,7 @@ ansible.builtin.debug: msg: - "Warning!! This is a manual task. For any sites with a Binding that lists FTP, right-click the site and select Explore." - - "If the site includes any system areas such as root of the drive, Program Files, or Windows directories, this is a finding" + - "If the site includes any system areas such as the root of the drive, Program Files, or Windows directories, this is a finding" - "Configure the FTP sites to allow access only to specific FTP shared resources. Do not allow access to other areas of the system." - "{{ wn22_00_000430_isssite_audit.stdout.split('\n') }}" when: "'Installed' in wn22_00_000430_ftp_audit" @@ -1293,7 +1293,7 @@ - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message User Accounts" ansible.builtin.debug: msg: - - "Warning!! Please review the User Rights listed for each of any unresolved SID to determine whether they are valid." + - "Warning!! Please review the User Rights listed for each of any unresolved SIDs to determine whether they are valid." - "User Accounts" - "----------------------------------------------------------------------" - "{{ wn22_00_000450_orphaned_user_accounts.stdout_lines }}" 
@@ -1302,7 +1302,7 @@ - name: "MEDIUM | WN22-00-000450 | AUDIT | Windows Server 2022 must have orphaned security identifiers (SIDs) must be removed from user rights. | Warning Message Group Accounts." ansible.builtin.debug: msg: - - "Warning!! Please review the Group Rights listed for each of any unresolved SID to determine whether they are valid." + - "Warning!! Please review the Group Rights listed for each of any unresolved SIDs to determine whether they are valid." - "Group Accounts" - "----------------------------------------------------------------------" - "{{ wn22_00_000450_orphaned_group_accounts.stdout_lines }}" @@ -3336,7 +3336,7 @@ - "Warning!! The Kerberos service ticket maximum lifetime must be limited to 600 minutes or less." - "Configure the policy value in the Default Domain Policy for Computer Configuration" - ">> Policies >> Windows Settings >> Security Settings >> Account Policies >> Kerberos Policy" - - ">> Maximum lifetime for service ticket to a maximum of 600 minutes, but not 0, which equates to" + - ">> Maximum lifetime for a service ticket to a maximum of 600 minutes, but not 0, which equates to" - "Ticket doesn't expire" - name: "MEDIUM | WN22-DC-000030 | AUDIT | Windows Server 2022 Kerberos service ticket maximum lifetime must be limited to 600 minutes or less. | import reusable task." 
@@ -3454,7 +3454,7 @@ - "from the directory server data files. Ignore system shares (e.g., NETLOGON, SYSVOL, and administrative" - "shares ending in $). User shares that are hidden (ending with $) should not be ignored." - "If user shares are located on the same logical partition as the directory server data files, this is a finding." - - "Note the directory locations in the values for DSA Database file" + - "Note the directory locations in the values for the DSA Database file" - "{{ wn22_dc_000120_audit_dirlocation.stdout_lines | trim }}" - "Note the logical drive(s) or file system partition for any organization-created data shares." - "{{ wn22_dc_000120_audit_shares.stdout_lines | trim }}" @@ -5041,7 +5041,7 @@ - name: "MEDIUM | WN22-SO-000400 | PATCH | Windows Server 2022 User Account Control must, at a minimum, prompt administrators for consent on the secure desktop. | Variable Check." ansible.builtin.debug: msg: - - "Warning!! You have have not choosen a correct setting for wn22stig_consentprompt" + - "Warning!! You have not chosen the correct setting for wn22stig_consentprompt" - "Please read the notes for the variable and make the necessary change to the variable to be in compliance." when: - wn22stig_consentprompt < 1 or From b924a337e3684c0be8ac564d4412549ae97fca06 Mon Sep 17 00:00:00 2001 From: Frederick Witty Date: Wed, 23 Aug 2023 12:57:56 -0400 Subject: [PATCH 93/95] .github updates-1 Signed-off-by: Frederick Witty --- .../workflows/devel_pipeline_validation.yml | 143 ++++++++++++++++++ .../workflows/main_pipeline_validation.yml | 131 ++++++++++++++++ 2 files changed, 274 insertions(+) create mode 100644 .github/workflows/devel_pipeline_validation.yml create mode 100644 .github/workflows/main_pipeline_validation.yml diff --git a/.github/workflows/devel_pipeline_validation.yml b/.github/workflows/devel_pipeline_validation.yml new file mode 100644 index 0000000..0aae7a5 --- /dev/null +++ b/.github/workflows/devel_pipeline_validation.yml 
@@ -0,0 +1,143 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: Devel Pipeline Validation
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on: # yamllint disable-line rule:truthy
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - devel
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+# This setion contains all the jobs below that are running in the workflow.
+jobs:
+ # This will create messages for first time contributers and direct them to the Discord server
+ welcome:
+ # The type of runner that the job will run on.
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/first-interaction@main
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ pr-message: |-
+ Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
+ Please join in the conversation happening on the [Discord Server](https://discord.io/ansible-lockdown) as well.
+
+ # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
+ playbook-test:
+ # The type of runner that the job will run on.
+ runs-on: ubuntu-latest
+
+ env:
+ ENABLE_DEBUG: false
+ # Imported as a variable by terraform.
+ TF_VAR_repository: ${{ github.event.repository.name }}
+ ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
+ ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
+ ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
+ WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+ WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+
+ defaults:
+ run:
+ shell: bash
+ working-directory: .github/workflows/github_windows_IaC
+
+ # Steps represent a sequence of tasks that will be executed as part of the job.
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Pull In Terraform Code For Windows Azure
+ - name: Clone github IaC plan
+ uses: actions/checkout@v3
+ with:
+ repository: ansible-lockdown/github_windows_IaC
+ path: .github/workflows/github_windows_IaC
+
+ # Sensitive Data Stored And Passed To Terraform
+ # Default Working Dir Defined In Defaults Above.
+ - name: user details
+ run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
+
+ # Show the Os Var and Benchmark Type And Load
+ - name: DEBUG - Show IaC files
+ if: env.ENABLE_DEBUG == 'true'
+ run: |
+ echo "OSVAR = $OSVAR"
+ echo "benchmark_type = $benchmark_type"
+ pwd
+ ls
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ # Initialize The Terraform Working Directory
+ - name: Terraform_Init
+ id: init
+ run: terraform init
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ # Validate The Syntax Of Terraform Files
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ # Execute The Actions And Build Azure Server
+ - name: Terraform_Apply
+ id: apply
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+ WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "${OSVAR}.tfvars"
--auto-approve
+
+ # Debug Section
+ - name: DEBUG - Show Ansible Hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Run the Ansible Playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_windows_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Destroy The Azure Test System
+ - name: Terraform_Destroy
+ if: always() && env.ENABLE_DEBUG == 'false'
+ env:
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file "${OSVAR}.tfvars" --auto-approve
diff --git a/.github/workflows/main_pipeline_validation.yml b/.github/workflows/main_pipeline_validation.yml
new file mode 100644
index 0000000..438dd55
--- /dev/null
+++ b/.github/workflows/main_pipeline_validation.yml
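Review bot: The `playbook-test` job runs under `pull_request_target`, checks out `ref: ${{ github.event.pull_request.head.sha }}`, and then executes `site.yml` from that checkout through `arillso/action.playbook@master` while `ARM_CLIENT_SECRET`, `WIN_PASSWORD` and the other secrets sit in the job `env`, so playbook and Terraform content from any unreviewed pull request runs with those credentials. This is the combination GitHub's security documentation for `pull_request_target` warns against; the job should not start until a maintainer has approved it, e.g. `if: contains(github.event.pull_request.labels.*.name, 'safe-to-test')` on the job, or the secrets should be moved into an `environment` with required reviewers. The same layout is repeated in `main_pipeline_validation.yml` in the next hunk. `actions/first-interaction@main` and `arillso/action.playbook@master` are mutable refs; pinning them to a commit SHA keeps a change in those upstream repositories from altering what runs with these secrets. The `user details` step also leaves `sensitive_info.json` containing the Windows credentials in the workspace, which should be removed once Terraform has consumed it.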
@@ -0,0 +1,131 @@
+---
+
+# This is a basic workflow to help you get started with Actions
+
+name: Main Pipeline Validation
+
+# Controls when the action will run.
+# Triggers the workflow on push or pull request
+# events but only for the devel branch
+on: # yamllint disable-line rule:truthy
+ pull_request_target:
+ types: [opened, reopened, synchronize]
+ branches:
+ - main
+ paths:
+ - '**.yml'
+ - '**.sh'
+ - '**.j2'
+ - '**.ps1'
+ - '**.cfg'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+# This setion contains all the jobs below that are running in the workflow.
+jobs:
+ # This workflow will run terraform to load a instance in azure to test the playbook against a live cloud based instance.
+ playbook-test:
+ # The type of runner that the job will run on.
+ runs-on: ubuntu-latest
+
+ env:
+ ENABLE_DEBUG: false
+ # Imported as a variable by terraform.
+ TF_VAR_repository: ${{ github.event.repository.name }}
+ ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
+ ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
+ ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
+ WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+ WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+
+ defaults:
+ run:
+ shell: bash
+ working-directory: .github/workflows/github_windows_IaC
+
+ # Steps represent a sequence of tasks that will be executed as part of the job.
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
+ - name: Clone ${{ github.event.repository.name }}
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ # Pull In Terraform Code For Windows Azure
+ - name: Clone github IaC plan
+ uses: actions/checkout@v3
+ with:
+ repository: ansible-lockdown/github_windows_IaC
+ path: .github/workflows/github_windows_IaC
+
+ # Sensitive Data Stored And Passed To Terraform
+ # Default Working Dir Defined In Defaults Above.
+ - name: user details
+ run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
+
+ # Show the Os Var and Benchmark Type And Load
+ - name: DEBUG - Show IaC files
+ if: env.ENABLE_DEBUG == 'true'
+ run: |
+ echo "OSVAR = $OSVAR"
+ echo "benchmark_type = $benchmark_type"
+ pwd
+ ls
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ # Initialize The Terraform Working Directory
+ - name: Terraform_Init
+ id: init
+ run: terraform init
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ # Validate The Syntax Of Terraform Files
+ - name: Terraform_Validate
+ id: validate
+ run: terraform validate
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+
+ # Execute The Actions And Build Azure Server
+ - name: Terraform_Apply
+ id: apply
+ env:
+ # Imported from github variables this is used to load the relvent OS.tfvars file
+ WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
+ WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform apply -var-file "${OSVAR}.tfvars" --auto-approve
+
+ # Debug Section
+ - name: DEBUG - Show Ansible Hostfile
+ if: env.ENABLE_DEBUG == 'true'
+ run: cat hosts.yml
+
+ # Run the Ansible Playbook
+ - name: Run_Ansible_Playbook
+ uses: arillso/action.playbook@master
+ with:
+ playbook: site.yml
+ inventory: .github/workflows/github_windows_IaC/hosts.yml
+ galaxy_file: collections/requirements.yml
+ # verbose: 3
+ env:
+ ANSIBLE_HOST_KEY_CHECKING: "false"
+ ANSIBLE_DEPRECATION_WARNINGS: "false"
+
+ # Destroy The Azure Test System
+ - name: Terraform_Destroy
+ if: always() &&
env.ENABLE_DEBUG == 'false'
+ env:
+ OSVAR: ${{ vars.OSVAR }}
+ TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
+ run: terraform destroy -var-file "${OSVAR}.tfvars" --auto-approve
From 36f4172b56b9589d935e820abf4e82f526502871 Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Wed, 23 Aug 2023 13:08:33 -0400
Subject: [PATCH 94/95] Typo Fixes -6
Signed-off-by: Frederick Witty
---
 tasks/cat1.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/cat1.yml b/tasks/cat1.yml
index c96684e..8a89ab6 100644
--- a/tasks/cat1.yml
+++ b/tasks/cat1.yml
@@ -179,7 +179,7 @@
 - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system." ansible.builtin.debug: msg:
- - "Alert! Below are the users in the administrators group. Please review and confirm all users should be in this group"
+ - "Alert! Below are the users in the Administrators group. Please review and confirm all users should be in this group"
 - "{{ wn22_dc_000010_admin_usrs.stdout_lines }}"
 - name: "HIGH | WN22-DC-000010 | AUDIT | Windows Server 2022 must only allow administrators responsible for the domain controller to have Administrator rights on the system. | Warn Count."
From 29495e7c87c7378277b616db2cdba67e3316123a Mon Sep 17 00:00:00 2001
From: Frederick Witty
Date: Wed, 23 Aug 2023 13:17:01 -0400
Subject: [PATCH 95/95] Set win_skip_for_test Var-1
Signed-off-by: Frederick Witty
---
 defaults/main.yml | 6 +++---
 tasks/cat1.yml | 4 ++--
 tasks/cat2.yml | 6 +++---
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index dceb568..60a1488 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
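Review bot: The header comment `# events but only for the devel branch` was carried over from the devel workflow, but this file triggers on `branches: - main`, so it should read `# events but only for the main branch`. The preceding line `# Triggers the workflow on push or pull request` is also inaccurate in both files, since the only trigger declared is `pull_request_target`. The `pull_request_target` checkout-with-secrets concern raised on the devel workflow hunk applies to this file unchanged.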
@@ -40,16 +40,16 @@ win22stig_lengthy_search: false # different environments. By Default This is set to false. win22stig_cloud_based_system: false -# win2022stig_skip_secure_winrm is used in the playbook to skip over WINRM based controls that +# win_skip_for_test is used in the playbook to skip over WINRM based controls that # may cause WINRM Basic Connection Type to be disabled. -# Setting win2022stig_skip_secure_winrm to 'false' will enable Secure Connection types only. +# Setting win_skip_for_test to 'false' will enable Secure Connection types only. # WINRM Controls that will be skipped: # WN22-CC-000470 - CAT1 # WN22-CC-000500 - CAT1 # WN22-CC-000480 - CAT2 # WN22-CC-000510 - CAT2 # WN22-CC-000520 - CAT2 -win2022stig_skip_secure_winrm: false +win_skip_for_test: false # CAT 1 rules wn22_00_000030: true diff --git a/tasks/cat1.yml b/tasks/cat1.yml index 8a89ab6..637775e 100644 --- a/tasks/cat1.yml +++ b/tasks/cat1.yml @@ -140,7 +140,7 @@ datatype: dword when: - wn22_cc_000470 - - not win2022stig_skip_secure_winrm + - not win_skip_for_test tags: - WN22-CC-000470 - CAT1 @@ -158,7 +158,7 @@ datatype: dword when: - wn22_cc_000500 - - not win2022stig_skip_secure_winrm + - not win_skip_for_test tags: - WN22-CC-000500 - CAT1 diff --git a/tasks/cat2.yml b/tasks/cat2.yml index 74bb012..8366c2d 100644 --- a/tasks/cat2.yml +++ b/tasks/cat2.yml @@ -3222,7 +3222,7 @@ datatype: dword when: - wn22_cc_000480 - - not win2022stig_skip_secure_winrm + - not win_skip_for_test tags: - WN22-CC-000480 - CAT2 @@ -3257,7 +3257,7 @@ datatype: dword when: - wn22_cc_000510 - - not win2022stig_skip_secure_winrm + - not win_skip_for_test tags: - WN22-CC-000510 - CAT2 @@ -3276,7 +3276,7 @@ datatype: dword when: - wn22_cc_000520 - - not win2022stig_skip_secure_winrm + - not win_skip_for_test tags: - WN22-CC-000520 - CAT2