diff --git a/defaults/main.yml b/defaults/main.yml index ed17119..14a8194 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -439,6 +439,11 @@ rule_19_7_26_1: true rule_19_7_41_1: true rule_19_7_45_2_1: true +# Global Variables + +# is_hyperv_installed is a true/false for having hyper-visor installed +is_hyperv_installed: false + # Section 2 Variables # Control 2.3.1.5 # win16cis_admin_username is the name the administrator account will be renamed to @@ -461,6 +466,16 @@ maximumpasswordage: 60 minimumpasswordage: 1 minimumpasswordlength: 14 +# Control 18.2.5 +# laps_passwordlength is the LAPS tool password length. +# To conform to CIS standards please use a min value of 15 and max value of 127 +laps_passwordlength: 15 + +# Control 18.2.6 +# laps_passwordagedays is the LAPS tool password age in days +# To conform to CIS standards please use a max value of 30 +laps_passwordagedays: 30 + newadministratorname: renamedadmin newguestname: renamedguest @@ -515,3 +530,11 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # public_firewall_log_size is the size of the log file # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB public_firewall_log_size: 16,384 + + +# 18.9.102.2 +# win16cis_wupdate_options are described below +# value 2 - Notify for download and install, value 3 - Auto download and notify for install +# value 4 - Auto download and schedule install (recommended), value 5 - Allow local admin to choose setting +# value 7 - Auto download, notify to install, notify to restart +win16cis_wupdate_options: 4 \ No newline at end of file diff --git a/tasks/section02.yml b/tasks/section02.yml index 2b2eb8b..05c01e2 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml 
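Review bot: The new last line `win16cis_wupdate_options: 4` is written without a terminating newline (`\ No newline at end of file`), so the next variable appended to defaults/main.yml will show up in its diff as a modification of this line as well. Add the trailing newline so the file ends cleanly. The value is consumed as a dword through a template in the 18.9.102.2 task, so it is correctly left unquoted here.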
@@ -233,15 +233,26 @@ - patch - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only)" - win_user_right: - name: SeCreateSymbolicLinkPrivilege - users: - - Administrators - - NT VIRTUAL MACHINE\Virtual Machines - action: set + block: + - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | No Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set + when: not is_hyperv_installed + + - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only) | With Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + - NT VIRTUAL MACHINE\Virtual Machines + action: set + when: is_hyperv_installed when: - rule_2_2_18 - - ansible_windows_domain_role == "Member server" + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.2.18 @@ -285,7 +296,7 @@ action: set when: - rule_2_2_21 - - ansible_windows_domain_member + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.2.21 @@ -442,7 +453,7 @@ action: set when: - rule_2_2_32 - - ansible_windows_domain_member + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.2.32 @@ -654,6 +665,7 @@ when: - rule_2_3_1_1 - not ansible_windows_domain_role == "Primary domain controller" + - disruption_high tags: - level1-memberserver - rule_2.3.1.1 @@ -827,7 +839,7 @@ type: dword when: - rule_2_3_6_1 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-domaincontroller - level1-memberserver 
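Review bot: The guard on the 2.2.18 block was loosened from `ansible_windows_domain_role == "Member server"` to `not ansible_windows_domain_role == "Primary domain controller"`, although the task title still says `(MS only)` and its only level tag is `level1-memberserver`; if the fact can also take values such as "Backup domain controller" or "Stand-alone server", this MS-only right assignment now runs on those hosts too. The same loosening appears in the 2.2.21, 2.2.32 and 2.3.9.5 hunks of this file. Either keep the original `- ansible_windows_domain_role == "Member server"` or add a comment explaining why domain controllers other than the PDC are intentionally in scope. Separately, with `is_hyperv_installed` defaulting to `false`, a host that does have Hyper-V installed but is not overridden in inventory loses `NT VIRTUAL MACHINE\Virtual Machines` from SeCreateSymbolicLinkPrivilege; deriving the flag from a feature check on the host rather than a static default would avoid breaking running VMs.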
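Review bot: The new condition `- ansible_windows_domain_role == "Member Server"` on 2.3.6.1 compares against a capitalised value, while every other comparison in this diff (and the value the 2.2.18 hunk removes) spells the fact `"Member server"`; Jinja string comparison is case-sensitive, so if the fact is reported in the lowercase form this task silently never runs and the secure-channel encryption setting is never applied. The same capitalised literal is used in the 2.3.6.2 hunk below and in the 18.2.1–18.2.5 tasks of tasks/section18.yml, and 18.2.6 additionally misspells it as `"Memmber Server"`, which can never match anything. Change all of them to `- ansible_windows_domain_role == "Member server"`. The tags on 2.3.6.1 and 2.3.6.2 also still include `level1-domaincontroller`, which no longer agrees with a member-server-only condition. The enclosing task starts before this hunk.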
@@ -842,7 +854,7 @@ type: dword when: - rule_2_3_6_2 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-domaincontroller - level1-memberserver @@ -978,7 +990,7 @@ type: string when: - rule_2_3_7_6 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - level2-memberserver - rule_2.3.7.6 @@ -1123,7 +1135,7 @@ type: dword when: - rule_2_3_9_5 - - ansible_windows_domain_role == "Member server" + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.3.9.5 
@@ -1240,7 +1252,7 @@ win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths name: "Machine" - data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] + data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc', 'System\CurrentControlSet\Services\SysmonLog'] type: multistring when: rule_2_3_10_9 tags: @@ -1487,8 +1499,8 @@ - name: "SCORED | 2.3.17.2 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableUIADesktopToggle - data: 0 + name: ConsentPromptBehaviorAdmin + data: 2 type: dword when: rule_2_3_17_2 tags: 
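Review bot: The rewritten `data:` value for 2.3.10.9 is a single flow-style list of twelve registry paths on one very long line; since this is the allow-list for remote registry access, a block-style sequence (one `- 'System\...'` entry per line) would make additions such as the new `System\CurrentControlSet\Services\SysmonLog` entry visible in future diffs and reviewable one path at a time. The list also keeps `Services\WINS` and `Services\CertSvc` unconditionally; if memory serves, the benchmark expects those only on hosts that actually run the WINS or Certificate Services roles, so consider gating them behind a variable. The enclosing task starts before this hunk.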
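Review bot: The 2.3.17.2 task now writes `ConsentPromptBehaviorAdmin = 2`, which matches its title, but the value it previously wrote, `EnableUIADesktopToggle = 0`, is simply dropped rather than moved. If no other task in the role sets `EnableUIADesktopToggle` (it backs a separate UAC control about UIAccess applications prompting without the secure desktop), that setting is no longer enforced after this commit; either confirm it is covered elsewhere or add a task for it. The task's `tags:` list continues past the end of the hunk.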
diff --git a/tasks/section17.yml b/tasks/section17.yml index e9cc6b9..e9475dc 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml @@ -75,23 +75,22 @@ - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" block: - name: "SCORED | 17.2.1 | AUDIT | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false register: rule_17_2_1_audit - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable changed_when: "'Success' not in rule_17_2_1_audit.stdout" when: "'Success' not in rule_17_2_1_audit.stdout" - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable + win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable changed_when: "'Failure' not in rule_17_2_1_audit.stdout" when: "'Failure' not in rule_17_2_1_audit.stdout" when: - rule_17_2_1 - - ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller - level1-memberserver 
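Review bot: The corrected `AuditPol /get /subcategory:"Application Group Management"` call still runs under `failed_when: false`, so a failing AuditPol invocation (for example a subcategory name that does not exist on a localised system) leaves `rule_17_2_1_audit.stdout` empty, and the two `/set` tasks then run and report `changed` on every play instead of surfacing the error; this is the pattern that let the wrong subcategory name go unnoticed until now. Consider dropping `failed_when: false` on the audit step, or replacing it with `failed_when: rule_17_2_1_audit.rc != 0` so a failed lookup fails the task. Removing the `Primary domain controller` restriction is consistent with the `level1-memberserver` tag the block already carries.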
@@ -557,7 +556,7 @@ register: rule_17_7_5_audit - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set failure" - win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable + win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable when: "'Failure' not in rule_17_7_5_audit.stdout" when: - rule_17_7_5 diff --git a/tasks/section18.yml b/tasks/section18.yml index f6d1f63..179d2fb 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -43,17 +43,12 @@ - patch - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - block: - - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + name: AllowOnlineTips + data: 0 + type: dword when: - - is_implemented - rule_18_1_3 tags: - level2-domaincontroller 
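Review bot: The 18.1.3 task now performs a registry write with `win_regedit`, yet its name still reads `| AUDIT |` and, judging from the `- audit` context line that opens the next hunk, it keeps the audit tag, so a run filtered with `--tags patch` will skip this remediation and `--tags audit` will unexpectedly change the host. Rename it to `SCORED | 18.1.3 | PATCH | ...` and switch the tag to `- patch`, as the 18.2.1 hunk already does. The same AUDIT-named write tasks appear for 18.2.2–18.2.6, 18.3.1 and 18.3.2 in the following hunks of tasks/section18.yml.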
@@ -62,131 +57,97 @@ - audit - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - block: - - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} + name: DllName + data: C:\Program Files\LAPS\CSE\AdmPwd.dll + type: string when: - - is_implemented - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.1 - patch - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - block: - - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.2 | PATCH | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PwdExpirationProtectionEnabled + data: 1 + type: dword when: - - is_implemented - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.2 - audit - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" - block: - - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password 
Management' is set to 'Enabled' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.3 | PATCH | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: AdmPwdEnabled + data: 1 + type: dword when: - - is_implemented - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.3 - audit - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - block: - - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.4 | PATCH | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordComplexity + data: 4 + type: dword when: - is_implemented - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.4 - audit - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - block: - - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.5 | PATCH | (L1) Ensure 'Password Settings: 
Password Length' is set to 'Enabled: 15 or more'" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordLength + data: "{{ laps_passwordlength }}" + type: dword when: - - is_implemented - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member Server" tags: - level1-memberserver - rule_18.2.5 - audit - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - block: - - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.2.6 | PATCH | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordAgeDays + data: "{{ laps_passwordagedays }}" + type: dword when: - - is_implemented - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Memmber Server" tags: - level1-memberserver - rule_18.2.6 - audit - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - block: - - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.3.1 | PATCH | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + name: LocalAccountTokenFilterPolicy + data: 0 + type: dword when: - 
- is_implemented - rule_18_3_1 - not ansible_windows_domain_role == "Primary domain controller" tags: @@ -195,17 +156,12 @@ - audit - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" - block: - - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" - command: "echo true" - changed_when: false - ignore_errors: true - register: result - - - name: "SCORED | 18.3.2 | PATCH | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" - command: "echo true" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 + name: Start + data: 4 + type: dword when: - - is_implemented - rule_18_3_2 tags: - level1-domaincontroller @@ -855,6 +811,7 @@ type: dword when: - rule_18_8_5_3 + - ansible_windows_domain_role == "Member server" tags: - nextgen-domaincontroller - nextgen-memberserver @@ -869,6 +826,7 @@ type: dword when: - rule_18_8_5_4 + - ansible_windows_domain_role == "Member server" tags: - nextgen-domaincontroller - nextgen-memberserver @@ -883,7 +841,7 @@ type: dword when: - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - nextgen-memberserver - rule_18.8.5.5 @@ -975,9 +933,10 @@ - name: "SCORED | 18.8.21.5 | PATCH | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: yes + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableBkGndGroupPolicy + data: 0 + type: dword when: - rule_18_8_21_5 tags: 
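Review bot: The 18.2.1 task registers the LAPS client-side extension by writing `DllName = C:\Program Files\LAPS\CSE\AdmPwd.dll` under the `GPExtensions` key without checking that the DLL is present, so on a host where LAPS was never installed the control reports compliant while Group Policy processing is pointed at a missing extension, and the 18.2.2–18.2.6 AdmPwd policy values written below it have nothing to enforce them. Guard it with a `win_stat` on the DLL path (registered, then `when: laps_dll.stat.exists`) or fail the play with a clear message when it is absent, and move the hard-coded path into defaults alongside the new `laps_*` variables. The 18.2.4 task also still carries `- is_implemented` in its `when:`, which every neighbouring task in this hunk drops; if that variable is no longer defined the task will error out or be skipped. Since `laps_passwordlength` and `laps_passwordagedays` are user-supplied, an `assert` on the 15–127 and ≤30 ranges documented in defaults would catch non-compliant overrides before they are written as dwords. The 18.3.1 task at the end of the hunk continues outside it.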
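Review bot: The condition `- ansible_windows_domain_role == "Member server"` added to 18.8.5.3 (and to 18.8.5.4 in the next hunk) excludes domain controllers, yet both tasks keep the `nextgen-domaincontroller` tag, so a DC run with that tag now silently skips them. If the intent is that these virtualization-based-security settings are member-server only, drop the `nextgen-domaincontroller` tag; otherwise remove the new condition. The 18.8.5.5 hunk, whose tags already list only `nextgen-memberserver`, is consistent as changed. The enclosing tasks start before their hunks.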
@@ -1264,7 +1223,7 @@ type: dword when: - rule_18_8_28_4 - - not ansible_windows_domain_role == "Primary domain controller" + - ansible_windows_domain_role == "Member server" tags: - level1-memberserver - rule_18.8.28.4 @@ -1678,9 +1637,9 @@ - name: "SCORED | 18.9.16.3 | PATCH | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds - name: EnableConfigFlighting - data: 01 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection + name: DoNotShowFeedbackNotifications + data: 1 type: dword when: - rule_18_9_16_3 @@ -2655,9 +2614,12 @@ - name: "SCORED | 18.9.102.2 | PATCH | (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoUpdate - data: 0 + name: "{{ item.name }}" + data: "{{ item.data }}" type: dword + with_items: + - { name: NoAutoUpdate, data: 0 } + - { name: AUOptions, data: "{{ win16cis_wupdate_options }}" } when: - rule_18_9_102_2 tags:
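Review bot: `AUOptions` is now written from `win16cis_wupdate_options` with no validation, although the setting only accepts the handful of values the defaults comment enumerates (2, 3, 4, 5, 7); a typo in inventory such as `6` or `40` is written as a dword without complaint and leaves the client's update behaviour undefined. Add an `assert` before the loop, e.g. `that: win16cis_wupdate_options | int in [2, 3, 4, 5, 7]` with a `fail_msg` naming the variable. Minor style: the loop items are flow-style mappings, so `loop:` with block-style items (`- name: AUOptions` / `data: "{{ win16cis_wupdate_options }}"`) would read more consistently with the rest of the file if the role targets Ansible 2.5 or later. The task's `tags:` continue past the end of the hunk.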