From 3803ca8f7a50dbe8e46c4d018ad7abd2717d072b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Thu, 3 Jun 2021 14:17:55 -0400 Subject: [PATCH 01/22] added SysmonLog to 2.3.10.9 Signed-off-by: George Nalen --- tasks/section02.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section02.yml b/tasks/section02.yml index 2b2eb8b..ebe9124 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -1240,7 +1240,7 @@ win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths name: "Machine" - data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] + data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog'] type: multistring when: rule_2_3_10_9 tags: From 1e5d3c06bf6f4298595e585e4bbc4883d66ca4f9 Mon Sep 17 00:00:00 2001 
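Review bot: The `data:` value for 2.3.10.9 is a thirteen-entry flow sequence on a single line, so this one-path addition (`System\CurrentControlSet\Services\SysmonLog`) can only be reviewed by diffing a 600-character line; a block sequence gives each allowed registry path its own line and keeps future additions to a one-line diff. Single quotes keep the backslashes literal in both styles, so the conversion changes no values. The task's `- name:` line is above the hunk.
```yaml
    data:
      - 'System\CurrentControlSet\Control\Print\Printers'
      - 'System\CurrentControlSet\Services\Eventlog'
      - 'Software\Microsoft\OLAP Server'
      - 'Software\Microsoft\Windows NT\CurrentVersion\Print'
      - 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
      - 'System\CurrentControlSet\Control\ContentIndex'
      - 'System\CurrentControlSet\Control\Terminal Server'
      - 'System\CurrentControlSet\Control\Terminal Server\UserConfig'
      - 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration'
      - 'Software\Microsoft\Windows NT\CurrentVersion\Perflib'
      - 'System\CurrentControlSet\Services\WINS'
      - 'System\CurrentControlSet\Services\CertSvc'
      - 'System\CurrentControlSet\Services\SysmonLog'
    type: multistring
```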
From: George Nalen Date: Thu, 3 Jun 2021 15:16:44 -0400 Subject: [PATCH 02/22] Fixed 2.3.17.2 reg key and value Signed-off-by: George Nalen --- tasks/section02.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section02.yml b/tasks/section02.yml index ebe9124..1f8d55e 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -1487,8 +1487,8 @@ - name: "SCORED | 2.3.17.2 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableUIADesktopToggle - data: 0 + name: ConsentPromptBehaviorAdmin + data: 2 type: dword when: rule_2_3_17_2 tags: From 4cd6a7e436bfc54a6b277bfec4a649fa4035d7ff Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 4 Jun 2021 10:40:14 -0400 Subject: [PATCH 03/22] updated 17.7.5 for corrected failure enable Signed-off-by: George Nalen --- tasks/section17.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section17.yml b/tasks/section17.yml index e9cc6b9..cb5b86d 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml @@ -557,7 +557,7 @@ register: rule_17_7_5_audit - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set failure" - win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable + win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable when: "'Failure' not in rule_17_7_5_audit.stdout" when: - rule_17_7_5 From 3707435b66d2c10d2fecc56bac4fbc753adb4e72 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 4 Jun 2021 13:08:45 -0400 Subject: [PATCH 04/22] updated 18.5.4.1 data value to be 1 from 0 Signed-off-by: George Nalen --- tasks/section18.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
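Review bot: The removed pair `EnableUIADesktopToggle` / `data: 0` is not the 2.3.17.2 setting but, if I read the benchmark correctly, belongs to the neighbouring UIAccess control (UIAccess applications prompting for elevation without the secure desktop); replacing it in place means that value is no longer written unless another task still covers it, which is worth confirming before this lands. `ConsentPromptBehaviorAdmin` with `data: 2` is the correct pair for 'Prompt for consent on the secure desktop'. The task's `- name:` line is above the hunk.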
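Review bot: This set step, like the 17.2.1 block in patch 20, drives `AuditPol` through `win_shell` with a hand-parsed `/get` result as the only idempotence check; the `win_audit_policy_system` module does the read-compare-set itself and reports `changed` correctly, e.g. for 17.2.1 `win_audit_policy_system:` / `subcategory: Application Group Management` / `audit_type: [success, failure]`. As far as I recall the module applies the listed types exactly, so for a control that only says "include Failure" the current success state would have to be carried over from the registered audit. The enclosing `block:` and the `AuditPol /get` task that registers `rule_17_7_5_audit` start above this hunk; confirm that `/get` queries the same subcategory, 'Other Policy Change Events', as the corrected `/set` line.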
diff --git a/tasks/section18.yml b/tasks/section18.yml index f6d1f63..19f9335 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -470,7 +470,7 @@ win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast - data: 0 + data: 1 type: dword when: - rule_18_5_4_2 From 461b66607fe2a82856fc350dca5a582e142bbe9c Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 4 Jun 2021 14:45:21 -0400 Subject: [PATCH 05/22] reset 18.5.4.1 data setting back to 0 Signed-off-by: George Nalen --- tasks/section18.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 19f9335..f6d1f63 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -470,7 +470,7 @@ win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast - data: 1 + data: 0 type: dword when: - rule_18_5_4_2 From 3f8c60e4aa1c8df7b2db25a29939d92d1ad01662 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 7 Jun 2021 10:24:09 -0400 Subject: [PATCH 06/22] Updated 18.9.16.3 to be correct reg path and value Signed-off-by: George Nalen --- tasks/section18.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index f6d1f63..698e2e3 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -1678,9 +1678,9 @@ - name: "SCORED | 18.9.16.3 | PATCH | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds - name: EnableConfigFlighting - data: 01 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: DoNotShowFeedbackNotifications + data: 1 type: dword when: - rule_18_9_16_3 From 23937158090349c5b1cdc81d72e12f61d29bbbbf Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 8 Jun 2021 10:19:49 -0400 Subject: [PATCH 07/22] Added disruption high on 2.3.1.1 
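Review bot: `data: 1` for `EnableMulticast` leaves LLMNR enabled, which is the opposite of what 'Turn off multicast name resolution' = Enabled asks for (value `0`); patch 05 reverts it, so the series is a no-op here. What survives both commits is the guard `- rule_18_5_4_2` on a task the subject line calls 18.5.4.1 — confirm which control number the task, its variable and its tag are meant to implement. The task's `- name:` line is above the hunk.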
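Review bot: The hunk replaces the `PreviewBuilds` / `EnableConfigFlighting` pair rather than adding to it; if that value was serving a different control (it is not the 18.9.16.3 value, which is now correctly `DataCollection` / `DoNotShowFeedbackNotifications` = `1`), check that no other task relied on this one writing it. Dropping `data: 01` also removes a leading-zero integer that YAML 1.1 loaders read as octal; the rest of these files is worth a scan for the same pattern.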
Signed-off-by: George Nalen --- tasks/section02.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/section02.yml b/tasks/section02.yml index 1f8d55e..d4a7437 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -654,6 +654,7 @@ when: - rule_2_3_1_1 - not ansible_windows_domain_role == "Primary domain controller" + - disruption_high tags: - level1-memberserver - rule_2.3.1.1 From d8a06910d1d5c0a1c6b79be0ba23fd7eb9b9cecd Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 8 Jun 2021 14:45:55 -0400 Subject: [PATCH 08/22] Updated member server runs for 2.2.18, 2.3.1.1, 2.3.1.3, 2.3.7.8, 2.2.21, 2.2.32, adn 2.3.7.6 Signed-off-by: George Nalen --- tasks/section02.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tasks/section02.yml b/tasks/section02.yml index d4a7437..8ed77af 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -241,7 +241,7 @@ action: set when: - rule_2_2_18 - - ansible_windows_domain_role == "Member server" + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.2.18 @@ -285,7 +285,7 @@ action: set when: - rule_2_2_21 - - ansible_windows_domain_member + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.2.21 @@ -442,7 +442,7 @@ action: set when: - rule_2_2_32 - - ansible_windows_domain_member + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.2.32 @@ -979,7 +979,7 @@ type: string when: - rule_2_3_7_6 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - level2-memberserver - rule_2.3.7.6 From b6476cd36a968ccfbc5d6f1d4db0ccb9b77c1a36 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 15:01:50 -0400 Subject: [PATCH 09/22] implemented control 18.2.5 
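Review bot: `- disruption_high` is a bare variable in `when:`; Ansible fails the task with an undefined-variable error if it has no value, so make sure it has a default in `defaults/main.yml` (not part of this series) or write `- disruption_high | default(false)` so the task is skipped rather than failing. Gating 2.3.1.1 behind it is sensible — disabling the built-in Administrator account can lock an operator out of a host that has no other local administrator. The task body is above the hunk.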
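Review bot: `not ansible_windows_domain_role == "Primary domain controller"` (2.2.18, 2.2.21, 2.2.32 here; 2.3.9.5 in patch 19; 18.3.1 in patch 16) is not an 'MS only' guard: in a domain with more than one DC only the PDC-emulator holder reports 'Primary domain controller', the others report 'Backup domain controller', so these member-server rights assignments would be applied to them. The fourth hunk (2.3.7.6) moves in the opposite direction to `ansible_windows_domain_role == "Member server"`, which also excludes 'Stand-alone server'; pick one reading of 'MS only' and use it for all four, e.g. `ansible_windows_domain_role in ["Member server", "Stand-alone server"]` if stand-alone hosts are in scope, or `not (ansible_windows_domain_role is search("domain controller"))` if the intent is simply "not a DC". The lower-case 'Member server' spelling used here matches the fact value; later patches in this series do not.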
Signed-off-by: George Nalen --- defaults/main.yml | 5 +++++ tasks/section18.yml | 17 ++++++----------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index ed17119..225edf3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -461,6 +461,11 @@ maximumpasswordage: 60 minimumpasswordage: 1 minimumpasswordlength: 14 +# Control 18.2.5 +# laps_passwordlength is the LAPS tool password length. +# To conform to CIS standards please use a min value of 15 and max value of 127 +laps_passwordlength: 15 + newadministratorname: renamedadmin newguestname: renamedguest diff --git a/tasks/section18.yml b/tasks/section18.yml index 698e2e3..eed8987 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -138,19 +138,14 @@ - audit - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - block: - - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.5 | PATCH | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordLength + data: "{{ laps_passwordlength }}" + type: dword when: - - is_implemented - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" + - not ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.5 From a954fab0155e4084bac3726c2034c02f56b489cd Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 15:02:26 -0400 Subject: [PATCH 10/22] fixed 18.2.5 when to remove testing data Signed-off-by: George Nalen --- tasks/section18.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index eed8987..328a217 100644 
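Review bot: The comment documents a CIS range (15 to 127) for `laps_passwordlength`, but nothing enforces it; a value outside that range is written to `PasswordLength` unchanged and the control still reports success. An `assert` ahead of the 18.2.5 task makes the role fail loudly instead: `- assert:` / `that: laps_passwordlength | int >= 15 and laps_passwordlength | int <= 127` / `fail_msg: "laps_passwordlength must be 15-127 to satisfy CIS 18.2.5"`. The same applies to `laps_passwordagedays` (maximum 30) added in patch 15.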
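Review bot: `- not ansible_windows_domain_role == "Member Server"` has two problems and the later commits fix only one: the `not` inverts the 'MS only' intent (patches 10 and 11 drop it), but the comparison is also against 'Member Server' with a capital S, while the fact produced by `setup` is 'Member server' (lower-case s, the spelling patches 08 and 19 use), and Jinja string comparison is case-sensitive — so this condition never matches and 18.2.5 is silently skipped on every host. The same string is introduced on 18.2.2 (patch 11), 18.2.4 (patch 13), 18.2.3 (patch 14), 18.2.1 (patch 18), 2.3.6.1 and 2.3.6.2 (patch 19), and as 'Memmber Server' on 18.2.6 (patches 15 and 16); `ansible_windows_domain_role == "Member server"` throughout, or one `in` test over the accepted roles, fixes all of them. Separately, the task `name:` still says `AUDIT` although the task now writes the registry through `win_regedit`; the rest of these files labels that `PATCH`, and the same stale label is left on 18.2.2, 18.2.3, 18.2.4, 18.2.6, 18.1.3, 18.3.1, 18.3.2 and 18.2.1.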
--- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -145,7 +145,7 @@ type: dword when: - rule_18_2_5 - - not ansible_windows_domain_role == "Member Server" + - nsible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.5 From 766b8a6dcb1c6798fc7dad7a5f561d7210a41d15 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 15:11:58 -0400 Subject: [PATCH 11/22] implemented control 18.2.2 Signed-off-by: George Nalen --- tasks/section18.yml | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 328a217..d828d3f 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -81,19 +81,14 @@ - patch - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - block: - - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.2 | PATCH | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PwdExpirationProtectionEnabled + data: 1 + type: dword when: - - is_implemented - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.2 @@ -145,7 +140,7 @@ type: dword when: - rule_18_2_5 - - nsible_windows_domain_role == "Member Server" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.5 From ab6e63bb2e4209d8a979c5bb59e1dc4b716e8377 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 15:20:19 -0400 Subject: [PATCH 12/22] implemented 18.1.3 
Signed-off-by: George Nalen --- tasks/section18.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index d828d3f..6012d12 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -43,17 +43,12 @@ - patch - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - block: - - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + name: AllowOnlineTips + data: 0 + type: dword when: - - is_implemented - rule_18_1_3 tags: - level2-domaincontroller From 9da661386f19b9cddbabb5026edf1f0587bba08b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 15:27:36 -0400 Subject: [PATCH 13/22] implemented 18.2.4 Signed-off-by: George Nalen --- tasks/section18.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 6012d12..e23b26a 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -109,19 +109,14 @@ - audit - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - block: - - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.4 | PATCH | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordComplexity + data: 4 + type: dword when: - - is_implemented - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.4 From 7ba5506f6685e418a71c037c32d2c01b073ef0ea Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 15:56:43 -0400 Subject: [PATCH 14/22] implemented 18.2.3 Signed-off-by: George Nalen --- tasks/section18.yml | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index e23b26a..8ecb625 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -90,19 +90,14 @@ - audit - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" - block: - - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.3 | PATCH | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: AdmPwdEnabled + data: 1 + type: dword when: - - is_implemented - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.3 @@ -115,6 +110,7 @@ data: 4 type: dword when: + - is_implemented - rule_18_2_4 - ansible_windows_domain_role == "Member Server" tags: From 2dc45000e0e30810c14a0d5306992fe866905ccc Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 16:03:25 -0400 Subject: [PATCH 15/22] implemeted 18.2.6 Signed-off-by: George Nalen --- defaults/main.yml | 5 +++++ tasks/section18.yml | 17 ++++++----------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 225edf3..a082491 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -466,6 +466,11 @@ minimumpasswordlength: 14 # To conform to CIS standards please use a min value of 15 and max value of 127 laps_passwordlength: 15 +# Control 18.2.6 +# laps_passwordagedays is the LAPS tool password age in days +# To conform to CIS standards please use a max value of 30 +laps_passwordagedays: 30 + newadministratorname: renamedadmin newguestname: renamedguest diff --git a/tasks/section18.yml b/tasks/section18.yml index 8ecb625..c076986 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
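Review bot: The second hunk re-adds `- is_implemented` to the 18.2.4 `when:` after patch 13 removed it together with the `echo true` placeholder; the sibling LAPS tasks 18.2.2, 18.2.3, 18.2.5 and 18.2.6 no longer carry it, so 18.2.4 alone stays gated behind what looks like a not-yet-implemented flag. If `is_implemented` defaults to false in `defaults/main.yml` (not visible here), `PasswordComplexity` is never written. Drop the line, or add a comment on the task saying why 18.2.4 differs from its siblings.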
@@ -133,19 +133,14 @@ - audit - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - block: - - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.6 | PATCH | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordAgeDays + data: "{{ laps_passwordagedays }}" + type: dword when: - - is_implemented - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" + - not ansible_windows_domain_role == "Memmber Server" tags: - level1-memberserver - rule_18.2.6 From ea92aab1c30a2b080acb9b6401e4189cd3b33bf3 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 16:13:31 -0400 Subject: [PATCH 16/22] implemented 18.3.1 Signed-off-by: George Nalen --- tasks/section18.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index c076986..74822b9 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -140,24 +140,19 @@ type: dword when: - rule_18_2_6 - - not ansible_windows_domain_role == "Memmber Server" + - ansible_windows_domain_role == "Memmber Server" tags: - level1-memberserver - rule_18.2.6 - audit - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - block: - - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.3.1 | PATCH | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + name: LocalAccountTokenFilterPolicy + data: 0 + type: dword when: - - is_implemented - rule_18_3_1 - not ansible_windows_domain_role == "Primary domain controller" tags: From bcd802c0d3308484a39a36587bbeffee1215680d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 16:22:11 -0400 Subject: [PATCH 17/22] implemented 18.3.2 Signed-off-by: George Nalen --- tasks/section18.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 74822b9..55a20d6 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -161,17 +161,12 @@ - audit - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" - block: - - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.3.2 | PATCH | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" - command: "echo true" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 + name: Start + data: 4 + type: dword when: - - is_implemented - rule_18_3_2 tags: - level1-domaincontroller From 119636f231a0a1e1ebb0eea96d5eb79e8b909e0e Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 9 Jun 2021 16:56:31 -0400 Subject: [PATCH 18/22] implemented 18.2.1 Signed-off-by: George Nalen --- tasks/section18.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 55a20d6..d0b6522 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
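Review bot: Setting `Start` to `4` for the `mrxsmb10` driver changes only the start type; the driver that is already loaded presumably stays active until the next boot, and nothing in the task records that a reboot is pending (no `register`/`notify` of a reboot handler, no hint in the task name). A comment such as `# Start=4 (disabled) takes effect at the next reboot; the loaded driver is not unloaded`, or a `notify` to the role's reboot handler if it has one, would make that visible to the operator. The `tags:` list continues below the hunk.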
@@ -57,19 +57,14 @@ - audit - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - block: - - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} + name: DllName + data: C:\Program Files\LAPS\CSE\AdmPwd.dll + type: string when: - - is_implemented - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.1 From 7677fec5f13fa3f81e1bc44231b61a487caa678d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 11 Jun 2021 10:03:52 -0400 Subject: [PATCH 19/22] Updated standalone vs member server for non-DC tasks Signed-off-by: George Nalen --- tasks/section02.yml | 6 +++--- tasks/section18.yml | 6 ++++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/tasks/section02.yml b/tasks/section02.yml index 8ed77af..8204269 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -828,7 +828,7 @@ type: dword when: - rule_2_3_6_1 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-domaincontroller - level1-memberserver @@ -843,7 +843,7 @@ type: dword when: - rule_2_3_6_2 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-domaincontroller - level1-memberserver 
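Review bot: The task registers the LAPS client-side extension under `Winlogon\GPExtensions` and points `DllName` at `C:\Program Files\LAPS\CSE\AdmPwd.dll` without checking that the DLL exists, so on a host where LAPS was never installed the control reports 'changed' and then passes while Group Policy is left with a CSE registration that cannot load. A `win_stat` on the DLL before the `win_regedit`, skipping (or failing) when it is absent, keeps the task honest about what 18.2.1 actually asks for — the CSE being installed. The `ansible_windows_domain_role == "Member Server"` comparison has the capitalisation problem noted on 18.2.5; the fence below uses the fact's actual spelling.
```yaml
- name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) | Check for CSE DLL"
  win_stat:
    path: C:\Program Files\LAPS\CSE\AdmPwd.dll
  register: rule_18_2_1_cse_dll
  when:
    - rule_18_2_1
    - ansible_windows_domain_role == "Member server"

- name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)"
  # … unchanged: win_regedit registering DllName under the GPExtensions key …
  when:
    - rule_18_2_1
    - ansible_windows_domain_role == "Member server"
    - rule_18_2_1_cse_dll.stat.exists | default(false)
```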
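Review bot: Restricting 2.3.6.1 and 2.3.6.2 to `ansible_windows_domain_role == "Member Server"` contradicts the `tags:` right below, which list `level1-domaincontroller` as well as `level1-memberserver`: the 'Domain member:' secure-channel settings are scoped to both roles by those tags, and the new guard drops them from every DC (the old `not … "Primary domain controller"` at least kept backup DCs). The same mismatch appears on 18.8.5.3 and 18.8.5.4 later in this patch, which gain a `== "Member server"` guard while tagged `nextgen-domaincontroller`. Either remove the role guard on these four or remove the domain-controller tags, whichever the intended scoping is; and the capital-S 'Member Server' here never matches the fact value, as noted on 18.2.5.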
@@ -1124,7 +1124,7 @@ type: dword when: - rule_2_3_9_5 - - ansible_windows_domain_role == "Member server" + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.3.9.5 diff --git a/tasks/section18.yml b/tasks/section18.yml index d0b6522..5139e4e 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -811,6 +811,7 @@ type: dword when: - rule_18_8_5_3 + - ansible_windows_domain_role == "Member server" tags: - nextgen-domaincontroller - nextgen-memberserver @@ -825,6 +826,7 @@ type: dword when: - rule_18_8_5_4 + - ansible_windows_domain_role == "Member server" tags: - nextgen-domaincontroller - nextgen-memberserver @@ -839,7 +841,7 @@ type: dword when: - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - nextgen-memberserver - rule_18.8.5.5 @@ -1220,7 +1222,7 @@ type: dword when: - rule_18_8_28_4 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - level1-memberserver - rule_18.8.28.4 From 484a9039a6dfc2a5d2d63932d23b15df93d6879a Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 11 Jun 2021 14:34:16 -0400 Subject: [PATCH 20/22] Updated some section2 and section 17 tasks Signed-off-by: George Nalen --- defaults/main.yml | 5 +++++ tasks/section02.yml | 23 +++++++++++++++++------ tasks/section17.yml | 7 +++---- 3 files changed, 25 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index a082491..9fd768e 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -439,6 +439,11 @@ rule_19_7_26_1: true rule_19_7_41_1: true rule_19_7_45_2_1: true +# Global Variables + +# is_hyperv_installed is a true/false for having hyper-visor installed +is_hyperv_installed: false + # Section 2 Variables # Control 2.3.1.5 # win16cis_admin_username is the name the administrator account will be renamed to 
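Review bot: The comment for the new global, `# is_hyperv_installed is a true/false for having hyper-visor installed`, does not say which control consumes it or what happens when it is wrong; suggest `# is_hyperv_installed: set true on hosts running the Hyper-V role; 2.2.18 then keeps 'NT VIRTUAL MACHINE\Virtual Machines' in the 'Create symbolic links' right (SeCreateSymbolicLinkPrivilege)`. Because the default is `false`, an inventory that omits the flag on a Hyper-V host has that right removed from the virtual-machine identity, and the comment should make that consequence explicit.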
diff --git a/tasks/section02.yml b/tasks/section02.yml index 8204269..05c01e2 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -233,12 +233,23 @@ - patch - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only)" - win_user_right: - name: SeCreateSymbolicLinkPrivilege - users: - - Administrators - - NT VIRTUAL MACHINE\Virtual Machines - action: set + block: + - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | No Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set + when: not is_hyperv_installed + + - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | With Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + - NT VIRTUAL MACHINE\Virtual Machines + action: set + when: is_hyperv_installed when: - rule_2_2_18 - not ansible_windows_domain_role == "Primary domain controller" diff --git a/tasks/section17.yml b/tasks/section17.yml index cb5b86d..e9475dc 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
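Review bot: The two 2.2.18 variants switch on the manually set `is_hyperv_installed`, which defaults to false, so on a Hyper-V host whose inventory forgot the flag the role strips `NT VIRTUAL MACHINE\Virtual Machines` from `SeCreateSymbolicLinkPrivilege` — a right the benchmark text itself reserves for the Hyper-V case. Detecting the role on the target removes that dependency on inventory hygiene: a `win_shell` running `(Get-WindowsFeature -Name Hyper-V).Installed`, registered inside the block, with the two `when:` clauses derived from it (the variable can stay as a manual override, `or is_hyperv_installed`). The block's `tags:` continue below the hunk.
```yaml
  block:
    - name: "SCORED | 2.2.18 | AUDIT | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | Detect Hyper-V role"
      win_shell: (Get-WindowsFeature -Name Hyper-V).Installed
      changed_when: false
      register: rule_2_2_18_hyperv

    - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | No Hyper-v"
      # … unchanged: win_user_right with Administrators only …
      when: not (is_hyperv_installed or (rule_2_2_18_hyperv.stdout | trim | bool))

    - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | With Hyper-v"
      # … unchanged: win_user_right with Administrators and NT VIRTUAL MACHINE\Virtual Machines …
      when: is_hyperv_installed or (rule_2_2_18_hyperv.stdout | trim | bool)
```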
@@ -75,23 +75,22 @@ - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" block: - name: "SCORED | 17.2.1 | AUDIT | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false register: rule_17_2_1_audit - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable changed_when: "'Success' not in rule_17_2_1_audit.stdout" when: "'Success' not in rule_17_2_1_audit.stdout" - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable + win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable changed_when: "'Failure' not in rule_17_2_1_audit.stdout" when: "'Failure' not in rule_17_2_1_audit.stdout" when: - rule_17_2_1 - - ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver From 3af00a8f47a109a5fa31da781b9d6c7b4e92c996 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 14 Jun 2021 11:40:20 -0400 Subject: [PATCH 21/22] Adjusted 18.8.21.5 to set as disable instead of remove Signed-off-by: George Nalen --- tasks/section18.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 5139e4e..523f3b8 100644 --- a/tasks/section18.yml 
+++ b/tasks/section18.yml @@ -933,9 +933,10 @@ - name: "SCORED | 18.8.21.5 | PATCH | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: yes + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableBkGndGroupPolicy + data: 0 + type: dword when: - rule_18_8_21_5 tags: From 04c9ec9213dc22c48c7ca69674f447efb7a56610 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 14 Jun 2021 13:42:50 -0400 Subject: [PATCH 22/22] Updated 18.9.102.2 to also add AUoptions values Signed-off-by: George Nalen --- defaults/main.yml | 8 ++++++++ tasks/section18.yml | 7 +++++-- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 9fd768e..14a8194 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -530,3 +530,11 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # public_firewall_log_size is the size of the log file # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB public_firewall_log_size: 16,384 + + +# 18.9.102.2 +# win16cis_wupdate_options are described below +# value 2 - Notify for download and install, value 3 - Auto download and notify for install +# value 4 - Auto download and schedule install (recommended), value 5 - Allow local admin to choose setting +# value 7 - Auto download, notify to install, notify to restart +win16cis_wupdate_options: 4 \ No newline at end of file diff --git a/tasks/section18.yml b/tasks/section18.yml index 523f3b8..179d2fb 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
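Review bot: The new block ends with `win16cis_wupdate_options: 4` and `\ No newline at end of file`; add the trailing newline so the next append to this file does not rewrite the line. The option comment could also say which choices weaken the control: by its own descriptions `5` hands the decision to local administrators and `2` only notifies, so a closing line such as `# 4 is the recommended value; 2 and 5 leave installation to a user or local admin` would help an operator choosing a value. Not touched by this change but visible in the context: `public_firewall_log_size: 16,384` is a plain scalar that YAML reads as the string "16,384", which presumably fails when written as a dword; it should be `16384`.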
@@ -2614,9 +2614,12 @@ - name: "SCORED | 18.9.102.2 | PATCH | (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoUpdate - data: 0 + name: "{{ item.name }}" + data: "{{ item.data }}" type: dword + with_items: + - { name: NoAutoUpdate, data: 0 } + - { name: AUOptions, data: "{{ win16cis_wupdate_options }}" } when: - rule_18_9_102_2 tags:
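Review bot: `with_items:` is the legacy loop keyword; since the task already templates `{{ item.name }}` / `{{ item.data }}`, `loop:` with a `loop_control` label reads better and shows which of the two values changed in the play output: `loop:` (same two items) followed by `loop_control:` / `label: "{{ item.name }}"`. The two flow mappings are small enough to stay inline. The `tags:` list continues below the hunk.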