From e712c89b41afff6715a985ceee7b5d729360e1a3 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 29 Jan 2021 08:30:32 -0500
Subject: [PATCH 01/12] adjusting section 1 commit 1
Signed-off-by: George Nalen
---
 tasks/section01.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tasks/section01.yml b/tasks/section01.yml
index ea51705..2e5cabe 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
@@ -1,5 +1,5 @@
 ---
-- name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords"
+- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
 assert:
 that: passwordhistorysize | int is version('24', '>=')
 fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}"
@@ -9,7 +9,6 @@
 when: rule_1_1_1
 tags:
 - level1
- - level2
 - rule_1.1.1
 - audit
From 730c252c3c3b30cf48658daa513e1eb32a6e09c6 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 29 Jan 2021 08:58:40 -0500
Subject: [PATCH 02/12] updated section 1 to version 1.2.0
Signed-off-by: George Nalen
---
 tasks/old_section01.yml | 194 +++++++++++++++++++++++++++++++
 tasks/section01.yml | 247 ++++++++++++++++++----------------------
 2 files changed, 306 insertions(+), 135 deletions(-)
 create mode 100644 tasks/old_section01.yml
diff --git a/tasks/old_section01.yml b/tasks/old_section01.yml
new file mode 100644
index 0000000..d39633a
--- /dev/null
+++ b/tasks/old_section01.yml
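Review bot: The new task title in the first hunk, `+- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'`, has no closing double quote, so the double-quoted scalar continues into the following `assert:` and `that:` lines and the file no longer parses. Closing the string, `- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"`, fixes it. The task's remaining keys continue past the end of the hunk.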
@@ -0,0 +1,194 @@ +--- +# - name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' +# assert: +# that: passwordhistorysize | int is version('24', '>=') +# fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" +# register: result +# changed_when: no +# ignore_errors: yes +# when: rule_1_1_1 +# tags: +# - level1 +# - rule_1.1.1 +# - audit + +# - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" +# win_security_policy: +# section: System Access +# key: PasswordHistorySize +# value: "{{ passwordhistorysize }}" +# when: rule_1_1_1 +# tags: +# - level1 +# - level2 +# - rule_1.1.1 +# - patch + +# - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" +# assert: +# that: maximumpasswordage | int is version('60', '<=') +# fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" +# register: result +# changed_when: no +# ignore_errors: yes +# when: rule_1_1_2 +# tags: +# - level1 +# - level2 +# - rule_1.1.2 +# - audit + +# - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" +# win_security_policy: +# section: System Access +# key: MaximumPasswordAge +# value: "{{ maximumpasswordage }}" +# when: rule_1_1_2 +# tags: +# - level1 +# - level2 +# - rule_1.1.2 +# - patch + +# - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" +# assert: +# that: minimumpasswordage is version('1', '>=') +# fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" +# register: result +# changed_when: no +# ignore_errors: yes +# when: rule_1_1_3 +# tags: +# - level1 +# - level2 +# - rule_1.1.3 +# - audit + +# - name: 
"SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" +# win_security_policy: +# section: System Access +# key: MinimumPasswordAge +# value: "{{ minimumpasswordage }}" +# when: rule_1_1_3 +# tags: +# - level1 +# - level2 +# - rule_1.1.3 +# - patch + +# - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" +# assert: +# that: minimumpasswordlength is version('14', '>=') +# fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" +# register: result +# changed_when: no +# ignore_errors: yes +# when: rule_1_1_4 +# tags: +# - level1 +# - level2 +# - rule_1.1.4 +# - audit + +# - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" +# win_security_policy: +# section: System Access +# key: MinimumPasswordLength +# value: "{{ minimumpasswordlength }}" +# when: rule_1_1_4 +# tags: +# - level1 +# - level2 +# - rule_1.1.4 +# - patch + +- name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" + win_security_policy: + section: System Access + key: PasswordComplexity + value: 1 + when: rule_1_1_5 + tags: + - level1 + - level2 + - rule_1.1.5 + - patch + +- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" + win_security_policy: + section: System Access + key: ClearTextPassword + value: "0" + when: rule_1_1_6 + tags: + - level1 + - level2 + - rule_1.1.6 + - patch + +- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" + assert: + that: lockoutduration | int is version('15', '<=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" + register: result + changed_when: no + ignore_errors: yes + 
when: rule_1_2_1
+ tags:
+ - level1
+ - level2
+ - rule_1.2.1
+ - audit
+
+- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes"
+ win_security_policy:
+ section: System Access
+ key: LockoutDuration
+ value: "{{ lockoutduration }}"
+ when:
+ - rule_1_2_1
+ - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+ tags:
+ - level1
+ - level2
+ - rule_1.2.1
+ - patch
+
+#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
+- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0"
+ win_security_policy:
+ section: System Access
+ key: LockoutBadCount
+ value: "{{ lockoutbadcount }}"
+ when: rule_1_2_2
+ tags:
+ - level1
+ - level2
+ - rule_1.2.2
+ - patch
+
+- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
+ assert:
+ that: resetlockoutcount | int is version('15', '>=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when: rule_1_2_3
+ tags:
+ - level1
+ - level2
+ - rule_1.2.3
+ - audit
+
+- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
+ win_security_policy:
+ section: System Access
+ key: ResetLockoutCount
+ value: "{{ resetlockoutcount }}"
+ when: rule_1_2_3
+ tags:
+ - level1
+ - level2
+ - rule_1.2.3
+ - patch
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 2e5cabe..0aa261f 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
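Review bot: The uncommented tasks in this new tasks/old_section01.yml (1.1.5, 1.1.6, 1.2.1, 1.2.2, 1.2.3) are the same `win_security_policy` and `assert` tasks that tasks/section01.yml carries in the same commit, so if the role's task entry point includes both files those policies are applied and asserted twice per run, while the 1.1.x tasks above them exist only as comments. Whether the file is actually included cannot be seen from this diff. If it is meant as a reference copy of the pre-1.2.0 content, a header comment saying so, `# Reference copy of the pre-1.2.0 section01.yml tasks; not meant to be included`, or placing it outside tasks/ would make that intent explicit and keep it from being picked up by an include or by lint tooling.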
@@ -1,194 +1,171 @@ --- -- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' - assert: - that: passwordhistorysize | int is version('24', '>=') - fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_1 - tags: - - level1 - - rule_1.1.1 - - audit +- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + block: + - name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + assert: + that: passwordhistorysize | int is version('24', '>=') + fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" - win_security_policy: - section: System Access - key: PasswordHistorySize - value: "{{ passwordhistorysize }}" + - name: "SCORED | 1.1.1 | PATCH | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + win_security_policy: + section: System Access + key: PasswordHistorySize + value: "{{ passwordhistorysize }}" when: rule_1_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.1 - patch -- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - assert: - that: maximumpasswordage | int is version('60', '<=') - fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_2 - tags: - - level1 - - level2 - - rule_1.1.2 - - audit +- name: "SCORED | 1.1.2 | 
PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" + block: + - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + assert: + that: maximumpasswordage | int is version('60', '<=') + fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ maximumpasswordage }}" + - name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" + win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ maximumpasswordage }}" when: rule_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.2 - patch -- name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" - assert: - that: minimumpasswordage is version('1', '>=') - fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_3 - tags: - - level1 - - level2 - - rule_1.1.3 - - audit +- name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + block: + - name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + assert: + that: minimumpasswordage is version('1', '>=') + fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more 
days" - win_security_policy: - section: System Access - key: MinimumPasswordAge - value: "{{ minimumpasswordage }}" + - name: "SCORED | 1.1.3 | PATCH | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + win_security_policy: + section: System Access + key: MinimumPasswordAge + value: "{{ minimumpasswordage }}" when: rule_1_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.3 - patch -- name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" - assert: - that: minimumpasswordlength is version('14', '>=') - fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_4 - tags: - - level1 - - level2 - - rule_1.1.4 - - audit +- name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + block: + - name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + assert: + that: minimumpasswordlength is version('14', '>=') + fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" - win_security_policy: - section: System Access - key: MinimumPasswordLength - value: "{{ minimumpasswordlength }}" + - name: "SCORED | 1.1.4 | PATCH | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + win_security_policy: + section: System Access + key: MinimumPasswordLength + value: "{{ minimumpasswordlength }}" when: rule_1_1_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.4 - patch -- name: "SCORED | 1.1.5 
| PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" +- name: "SCORED | 1.1.5 | PATCH | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" win_security_policy: section: System Access key: PasswordComplexity value: 1 when: rule_1_1_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.5 - patch -- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" +- name: "SCORED | 1.1.6 | PATCH | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" win_security_policy: section: System Access key: ClearTextPassword value: "0" when: rule_1_1_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.6 - patch -- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" - assert: - that: lockoutduration | int is version('15', '<=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_1 - tags: - - level1 - - level2 - - rule_1.2.1 - - audit - -- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" - win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" - when: - - rule_1_2_1 - - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - tags: - - level1 - - level2 - - rule_1.2.1 - - patch - #This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" +- name: "SCORED | 1.2.2 | PATCH | (L1) Ensure 'Account lockout 
threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'" win_security_policy: section: System Access key: LockoutBadCount value: "{{ lockoutbadcount }}" when: rule_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.2 - patch -- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - assert: - that: resetlockoutcount | int is version('15', '>=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_3 +- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + block: + - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + assert: + that: lockoutduration | int is version('15', '<=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ lockoutduration }}" + when: + - rule_1_2_1 + - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp tags: - - level1 - - level2 - - rule_1.2.3 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_1.2.1 + - patch -- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ resetlockoutcount }}" +- name: 
"SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+ block:
+ - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+ assert:
+ that: resetlockoutcount | int is version('15', '>=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+
+ - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
+ win_security_policy:
+ section: System Access
+ key: ResetLockoutCount
+ value: "{{ resetlockoutcount }}"
 when: rule_1_2_3
 tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
 - rule_1.2.3
 - patch
From 24e1ee37fd5f592a2588392252139c05107650b6 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 29 Jan 2021 15:25:39 -0500
Subject: [PATCH 03/12] updated section 2.2.x to version 1.2.0
Signed-off-by: George Nalen
---
 tasks/old_section01.yml | 168 ++---
 tasks/old_section02.yml | 1551 +++++++++++++++++++++++++++++++++++++++
 tasks/section02.yml | 1213 ++++-------------------------
 3 files changed, 1789 insertions(+), 1143 deletions(-)
 create mode 100644 tasks/old_section02.yml
diff --git a/tasks/old_section01.yml b/tasks/old_section01.yml
index d39633a..214e782 100644
--- a/tasks/old_section01.yml
+++ b/tasks/old_section01.yml
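Review bot: The 1.2.1 audit assertion inside the new block, `that: lockoutduration | int is version('15', '<=')`, passes when the lockout duration is 15 minutes or less, which is the opposite of the task title "15 or more minute(s)" and of the sibling 1.2.3 check, so a too-short lockout is reported as compliant; it should read `that: lockoutduration | int is version('15', '>=')`. Its `fail_msg` is also the 1.2.3 wording about the bad-logon counter reset and should describe the lockout duration instead. The same comparison is carried into tasks/old_section01.yml in this commit. Separately, each new block is tagged only `patch`, so the `audit` tag that the standalone AUDIT tasks had is gone and a run limited to the audit tag no longer executes any of the 1.1.1–1.1.4, 1.2.1 or 1.2.3 assertions; adding `- audit` to each block's tags restores that.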
@@ -102,93 +102,93 @@ # - rule_1.1.4 # - patch -- name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" - win_security_policy: - section: System Access - key: PasswordComplexity - value: 1 - when: rule_1_1_5 - tags: - - level1 - - level2 - - rule_1.1.5 - - patch +# - name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" +# win_security_policy: +# section: System Access +# key: PasswordComplexity +# value: 1 +# when: rule_1_1_5 +# tags: +# - level1 +# - level2 +# - rule_1.1.5 +# - patch -- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" - win_security_policy: - section: System Access - key: ClearTextPassword - value: "0" - when: rule_1_1_6 - tags: - - level1 - - level2 - - rule_1.1.6 - - patch +# - name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" +# win_security_policy: +# section: System Access +# key: ClearTextPassword +# value: "0" +# when: rule_1_1_6 +# tags: +# - level1 +# - level2 +# - rule_1.1.6 +# - patch -- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" - assert: - that: lockoutduration | int is version('15', '<=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_1 - tags: - - level1 - - level2 - - rule_1.2.1 - - audit +# - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" +# assert: +# that: lockoutduration | int is version('15', '<=') +# fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" +# register: result +# changed_when: 
no +# ignore_errors: yes +# when: rule_1_2_1 +# tags: +# - level1 +# - level2 +# - rule_1.2.1 +# - audit -- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" - win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" - when: - - rule_1_2_1 - - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - tags: - - level1 - - level2 - - rule_1.2.1 - - patch +# - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" +# win_security_policy: +# section: System Access +# key: LockoutDuration +# value: "{{ lockoutduration }}" +# when: +# - rule_1_2_1 +# - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp +# tags: +# - level1 +# - level2 +# - rule_1.2.1 +# - patch -#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" - win_security_policy: - section: System Access - key: LockoutBadCount - value: "{{ lockoutbadcount }}" - when: rule_1_2_2 - tags: - - level1 - - level2 - - rule_1.2.2 - - patch +# #This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable +# - name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" +# win_security_policy: +# section: System Access +# key: LockoutBadCount +# value: "{{ lockoutbadcount }}" +# when: rule_1_2_2 +# tags: +# - level1 +# - level2 +# - rule_1.2.2 +# - patch -- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - assert: - that: resetlockoutcount | int is version('15', '>=') - fail_msg: "Must have the period of time before the 
bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
- register: result
- changed_when: no
- ignore_errors: yes
- when: rule_1_2_3
- tags:
- - level1
- - level2
- - rule_1.2.3
- - audit
+# - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
+# assert:
+# that: resetlockoutcount | int is version('15', '>=')
+# fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
+# register: result
+# changed_when: no
+# ignore_errors: yes
+# when: rule_1_2_3
+# tags:
+# - level1
+# - level2
+# - rule_1.2.3
+# - audit
-- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
- win_security_policy:
- section: System Access
- key: ResetLockoutCount
- value: "{{ resetlockoutcount }}"
- when: rule_1_2_3
- tags:
- - level1
- - level2
- - rule_1.2.3
- - patch
+# - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
+# win_security_policy:
+# section: System Access
+# key: ResetLockoutCount
+# value: "{{ resetlockoutcount }}"
+# when: rule_1_2_3
+# tags:
+# - level1
+# - level2
+# - rule_1.2.3
+# - patch
diff --git a/tasks/old_section02.yml b/tasks/old_section02.yml
new file mode 100644
index 0000000..e34d9d0
--- /dev/null
+++ b/tasks/old_section02.yml
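Review bot: After this hunk every task in tasks/old_section01.yml is commented out, leaving a file under tasks/ whose only content is a YAML document marker and comments. If the pre-1.2.0 tasks are kept purely for reference, deleting the file (the content stays recoverable from history) or moving it out of tasks/ is cleaner than a fully commented-out task file, which still gets parsed by any include or lint pass that globs the directory. The hunk's first line is `# - rule_1.1.4`, so the commented-out 1.1.x tasks above it are not in view here.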
@@ -0,0 +1,1551 @@ +--- +# - name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" +# win_user_right: +# name: SeTrustedCredManAccessPrivilege +# users: +# action: set +# when: rule_2_2_1 +# tags: +# - level1 +# - level2 +# - rule_2.2.1 +# - patch + +# - name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" +# win_user_right: +# name: SeNetworkLogonRight +# users: +# - Administrators +# - Authenticated Users +# action: set +# when: +# - rule_2_2_2 or rule_2_2_3 +# tags: +# - rule_2.2.2 +# - rule_2.2.3 +# - patch + +# - name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" +# win_user_right: +# name: SeTcbPrivilege +# users: +# action: set +# when: rule_2_2_4 +# tags: +# - level1 +# - level2 +# - rule_2.2.4 +# - patch + +# - name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" +# win_user_right: +# name: SeMachineAccountPrivilege +# users: Administrators +# action: set +# when: +# - rule_2_2_5 +# - ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_2.2.5 +# - patch + +# - name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" +# win_user_right: +# name: SeIncreaseQuotaPrivilege +# users: +# - Administrators +# - Local Service +# - Network Service +# action: set +# when: rule_2_2_6 +# tags: +# - level1 +# - level2 +# - rule_2.2.6 +# - patch + +# - name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" +# win_user_right: +# name: SeInteractiveLogonRight +# users: +# - Administrators +# action: set +# when: rule_2_2_7 +# tags: +# - level1 +# - level2 +# - rule_2.2.7 +# - patch + +# - name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop 
Services is set to Administrators DC only" +# win_user_right: +# name: SeRemoteInteractiveLogonRight +# users: +# - Administrators +# - Remote Desktop Users +# action: set +# when: +# - rule_2_2_8 or rule_2_2_9 +# tags: +# - rule_2.2.8 +# - rule_2.2.9 +# - patch + +# - name: "SCORED | 2.2.10 | PATCH | L1 Ensure Back up files and directories is set to Administrators" +# win_user_right: +# name: SeBackupPrivilege +# users: +# - Administrators +# action: set +# when: rule_2_2_10 +# tags: +# - level1 +# - level2 +# - rule_2.2.10 +# - patch + +# - name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" +# win_user_right: +# name: SeSystemTimePrivilege +# users: +# - Administrators +# - Local Service +# action: set +# when: rule_2_2_11 +# tags: +# - level1 +# - level2 +# - rule_2.2.11 +# - patch + +# - name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" +# win_user_right: +# name: SeTimeZonePrivilege +# users: +# - Administrators +# - Local Service +# action: set +# when: rule_2_2_12 +# tags: +# - level1 +# - level2 +# - rule_2.2.12 +# - patch + +# - name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" +# win_user_right: +# name: SeCreatePagefilePrivilege +# users: +# - Administrators +# action: set +# when: rule_2_2_13 +# tags: +# - level1 +# - level2 +# - rule_2.2.13 +# - patch + +# - name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" +# win_user_right: +# name: SeCreateTokenPrivilege +# users: +# action: set +# when: rule_2_2_14 +# tags: +# - level1 +# - level2 +# - rule_2.2.14 +# - patch + +# - name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" +# win_user_right: +# name: SeCreateGlobalPrivilege +# users: +# - Administrators +# - Local Service +# - Network Service +# - Service +# action: set +# when: rule_2_2_15 +# tags: +# - 
level1 +# - level2 +# - rule_2.2.15 +# - patch + +# - name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" +# win_user_right: +# name: SeCreatePermanentPrivilege +# users: +# action: set +# when: rule_2_2_16 +# tags: +# - level1 +# - level2 +# - rule_2.2.16 +# - patch + +# - name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" +# win_user_right: +# name: SeCreateSymbolicLinkPrivilege +# users: +# - Administrators +# action: set +# when: +# - rule_2_2_17 +# - ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_2.2.17 +# - patch + +# - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" +# win_user_right: +# name: SeCreateSymbolicLinkPrivilege +# users: +# - Administrators +# - NT VIRTUAL MACHINE\Virtual Machines +# action: set +# when: +# - rule_2_2_18 +# - ansible_windows_domain_role == "Member server" +# tags: +# - level1 +# - level2 +# - rule_2.2.18 +# - patch + +# - name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" +# win_user_right: +# name: SeDebugPrivilege +# users: +# - Administrators +# action: set +# when: rule_2_2_19 +# tags: +# - level1 +# - level2 +# - rule_2.2.19 +# - patch + +# #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes +# - name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" +# win_user_right: +# name: SeDenyNetworkLogonRight +# users: +# - Guests +# action: set +# when: +# - rule_2_2_20 +# - ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_2.2.20 +# - patch + +# - name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" +# win_user_right: +# 
name: SeDenyNetworkLogonRight +# users: +# - Guests +# #- Local Account +# #- Administrators +# action: set +# when: +# - rule_2_2_21 +# - ansible_windows_domain_member +# tags: +# - level1 +# - level2 +# - rule_2.2.21 +# - patch + +# - name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" +# win_user_right: +# name: SeDenyBatchLogonRight +# users: +# - Guests +# action: set +# when: rule_2_2_22 +# tags: +# - level1 +# - level2 +# - rule_2.2.22 +# - patch + +# - name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" +# win_user_right: +# name: SeDenyServiceLogonRight +# users: +# - Guests +# action: set +# when: rule_2_2_23 +# tags: +# - level1 +# - level2 +# - rule_2.2.23 +# - patch + +# - name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" +# win_user_right: +# name: SeDenyInteractiveLogonRight +# users: +# - Guests +# action: set +# when: rule_2_2_24 +# tags: +# - level1 +# - level2 +# - rule_2.2.24 +# - patch + +# - name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" +# win_user_right: +# name: SeDenyRemoteInteractiveLogonRight +# users: +# - Guests +# #- Local Account +# action: set +# when: +# - rule_2_2_25 +# - ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_2.2.25 +# - patch + +# - name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" +# win_user_right: +# name: SeDenyRemoteInteractiveLogonRight +# users: +# - Guests +# #- Local Account +# action: set +# when: +# - rule_2_2_26 +# - ansible_windows_domain_member +# tags: +# - level1 +# - level2 +# - rule_2.2.26 +# - patch + +# - name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" +# win_user_right: +# name: SeEnableDelegationPrivilege +# users: Administrators +# 
action: set +# when: +# - rule_2_2_27 +# - ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_2.2.27 +# - patch + +# - name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" +# win_user_right: +# name: SeEnableDelegationPrivilege +# users: +# action: set +# when: +# - rule_2_2_28 +# - ansible_windows_domain_member +# tags: +# - level1 +# - level2 +# - rule_2.2.28 +# - patch + +# - name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" +# win_user_right: +# name: SeRemoteShutdownPrivilege +# users: +# - Administrators +# action: set +# when: rule_2_2_29 +# tags: +# - level1 +# - level2 +# - rule_2.2.29 +# - patch + +# - name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" +# win_user_right: +# name: SeAuditPrivilege +# users: +# - Local Service +# - Network Service +# action: set +# when: rule_2_2_30 +# tags: +# - level1 +# - level2 +# - rule_2.2.30 +# - patch + +# - name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" +# win_user_right: +# name: SeImpersonatePrivilege +# users: +# - Administrators +# - Local Service +# - Network Service +# - Service +# action: set +# when: +# - rule_2_2_31 +# - ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_2.2.31 +# - patch + +# - name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" +# win_user_right: +# name: SeImpersonatePrivilege +# users: +# - Administrators +# - IIS_IUSRS +# - Local Service +# - Network Service +# - Service +# action: set +# when: +# - rule_2_2_32 +# - ansible_windows_domain_member 
+# tags: +# - level1 +# - level2 +# - rule_2.2.32 +# - patch + +# - name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators" +# win_user_right: +# name: SeIncreaseBasePriorityPrivilege +# users: +# - Administrators +# action: set +# when: rule_2_2_33 +# tags: +# - level1 +# - level2 +# - rule_2.2.33 +# - patch + +- name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" + win_user_right: + name: SeLoadDriverPrivilege + users: + - Administrators + action: set + when: rule_2_2_34 + tags: + - level1 + - level2 + - rule_2.2.34 + - patch + +- name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" + win_user_right: + name: SeLockMemoryPrivilege + users: + action: set + when: rule_2_2_35 + tags: + - level1 + - level2 + - rule_2.2.35 + - patch + +- name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" + win_user_right: + name: SeBatchLogonRight + users: Administrators + action: set + when: + - rule_2_2_36 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.36 + - patch + +- name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" + win_user_right: + name: SeSecurityPrivilege + users: + - Administrators + action: set + when: + - rule_2_2_37 or rule_2_2_38 + tags: + - rule_2.2.37 + - rule_2.2.38 + - patch + +- name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" + win_user_right: + name: SeReLabelPrivilege + users: + action: set + when: rule_2_2_39 + tags: + - level1 + - level2 + - rule_2.2.39 + - patch + +- name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" + win_user_right: + name: SeSystemEnvironmentPrivilege + users: + - Administrators + action: set + when: rule_2_2_40 + tags: + 
- level1 + - level2 + - rule_2.2.40 + - patch + +- name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" + win_user_right: + name: SeManageVolumePrivilege + users: + - Administrators + action: set + when: rule_2_2_41 + tags: + - level1 + - level2 + - rule_2.2.41 + - patch + +- name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" + win_user_right: + name: SeProfileSingleProcessPrivilege + users: + - Administrators + action: set + when: rule_2_2_42 + tags: + - level1 + - level2 + - rule_2.2.42 + - patch + +- name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" + win_user_right: + name: SeSystemProfilePrivilege + users: + - Administrators + - NT SERVICE\WdiServiceHost + action: set + when: rule_2_2_43 + tags: + - level1 + - level2 + - rule_2.2.43 + - patch + +- name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" + win_user_right: + name: SeAssignPrimaryTokenPrivilege + users: + - LOCAL SERVICE + - NETWORK SERVICE + action: set + when: rule_2_2_44 + tags: + - level1 + - level2 + - rule_2.2.44 + - patch + +- name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" + win_user_right: + name: SeRestorePrivilege + users: + - Administrators + action: set + when: rule_2_2_45 + tags: + - level1 + - level2 + - rule_2.2.45 + - patch + +- name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" + win_user_right: + name: SeShutdownPrivilege + users: + - Administrators + action: set + when: rule_2_2_46 + tags: + - level1 + - level2 + - rule_2.2.46 + - patch + +- name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only" + win_user_right: + name: SeSyncAgentPrivilege + users: + action: set + when: + - rule_2_2_47 + - ansible_windows_domain_role == 
"Primary domain controller" + tags: + - rule_2.2.47 + - patch + +- name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" + win_user_right: + name: SeTakeOwnershipPrivilege + users: + - Administrators + action: set + when: rule_2_2_48 + tags: + - level1 + - level2 + - rule_2.2.48 + - patch + +- name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" + win_security_policy: + section: System Access + key: EnableAdminAccount + value: 0 + when: + - rule_2_3_1_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.1.1 + - patch + +- name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: NoConnectedUser + data: 3 + type: dword + when: rule_2_3_1_2 + tags: + - level1 + - level2 + - rule_2.3.1.2 + - patch + +- name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" + win_security_policy: + section: System Access + key: EnableGuestAccount + value: 0 + when: rule_2_3_1_3 + tags: + - level1 + - level2 + - rule_2.3.1.3 + - patch + +- name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LimitBlankPasswordUse + data: 1 + type: dword + when: rule_2_3_1_4 + tags: + - level1 + - level2 + - rule_2.3.1.4 + - patch + +- name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" + win_security_policy: + section: System Access + key: newadministratorname + value: GeorgeSharp + when: rule_2_3_1_5 + tags: + - level1 + - level2 + - rule_2.3.1.5 + - patch + +- name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename 
guest account" + win_security_policy: + section: System Access + key: NewGuestName + value: BobCooper + when: rule_2_3_1_6 + tags: + - level1 + - level2 + - rule_2.3.1.6 + - patch + +- name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: SCENoApplyLegacyAuditPolicy + data: 1 + type: dword + when: rule_2_3_2_1 + tags: + - level1 + - level2 + - rule_2.3.2.1 + - patch + +- name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: CrashOnAuditFail + data: 0 + type: dword + when: rule_2_3_2_2 + tags: + - level1 + - level2 + - rule_2.3.2.2 + - patch + +- name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: AllocateDASD + data: 0 + type: string + when: rule_2_3_4_1 + tags: + - level1 + - level2 + - rule_2.3.4.1 + - patch + +- name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers + name: AddPrinterDrivers + data: 1 + type: dword + when: rule_2_3_4_2 + tags: + - level1 + - level2 + - rule_2.3.4.2 + - patch + +- name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: SubmitControl + data: 0 + type: dword + when: + - rule_2_3_5_1 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.5.1 + - patch + +- name: "SCORED | 2.3.5.2 | PATCH | L1 
Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + name: LDAPServerIntegrity + data: 2 + type: dword + when: + - rule_2_3_5_2 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.5.2 + - patch + +- name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + name: RefusePasswordChange + data: 0 + type: dword + when: + - rule_2_3_5_3 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.5.3 + - patch + +- name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireSignOrSeal + data: 1 + type: dword + when: + - rule_2_3_6_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.1 + - patch + +- name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: sealsecurechannel + data: 1 + type: dword + when: + - rule_2_3_6_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.2 + - patch + +- name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: signsecurechannel + data: 1 + type: dword + when: + - rule_2_3_6_3 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.3 + - patch + +- name: 
"SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: disablepasswordchange + data: 1 + type: dword + when: + - rule_2_3_6_4 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.4 + - patch + +- name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: MaximumPasswordAge + data: 30 + type: dword + when: + - rule_2_3_6_5 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.5 + - patch + +- name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireStrongKey + data: 1 + type: dword + when: + - rule_2_3_6_6 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.6 + - patch + +- name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DontDisplayLastUserName + data: 1 + type: dword + when: rule_2_3_7_1 + tags: + - level1 + - level2 + - rule_2.3.7.1 + - patch + +- name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableCAD + data: 0 + type: dword + when: rule_2_3_7_2 + tags: + - level1 + - level2 + - rule_2.3.7.2 + - patch + +- name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or 
fewer seconds but not 0" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: InactivityTimeoutSecs + data: 900 + type: dword + when: rule_2_3_7_3 + tags: + - level1 + - level2 + - rule_2.3.7.3 + - patch + +- name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeText + data: "{{ legalnoticetext }}" + type: string + when: rule_2_3_7_4 + tags: + - level1 + - level2 + - rule_2.3.7.4 + - patch + +- name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeCaption + data: "{{ legalnoticecaption }}" + type: string + when: rule_2_3_7_5 + tags: + - level1 + - level2 + - rule_2.3.7.5 + - patch + +- name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: cachedlogonscount + data: 1 + type: string + when: rule_2_3_7_6 + tags: + - level2 + - rule_2.3.7.6 + - patch + +- name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: PasswordExpiryWarning + data: 14 + type: dword + when: rule_2_3_7_7 + tags: + - level1 + - level2 + - rule_2.3.7.7 + - patch + +- name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ForceUnlockLogon + data: 1 + type: dword + when: 
+ - rule_2_3_7_8 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.7.8 + - patch + +- name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: scremoveoption + data: 1 + type: string + when: rule_2_3_7_9 + tags: + - level1 + - level2 + - rule_2.3.7.9 + - patch + +- name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: RequireSecuritySignature + data: 1 + type: dword + when: rule_2_3_8_1 + tags: + - level1 + - level2 + - rule_2.3.8.1 + - patch + +- name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnableSecuritySignature + data: 1 + type: dword + when: rule_2_3_8_2 + tags: + - level1 + - level2 + - rule_2.3.8.2 + - patch + +- name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnablePlainTextPassword + data: 0 + type: dword + when: rule_2_3_8_3 + tags: + - level1 + - level2 + - rule_2.3.8.3 + - patch + +- name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: autodisconnect + data: 15 + type: dword + when: rule_2_3_9_1 + tags: + - level1 + - level2 + - rule_2.3.9.1 + - patch + +- name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft 
network server Digitally sign communications always is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: requiresecuritysignature + data: 1 + type: dword + when: rule_2_3_9_2 + tags: + - level1 + - level2 + - rule_2.3.9.2 + - patch + +- name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enablesecuritysignature + data: 1 + type: dword + when: rule_2_3_9_3 + tags: + - level1 + - level2 + - rule_2.3.9.3 + - patch + +- name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enableforcedlogoff + data: 1 + type: dword + when: rule_2_3_9_4 + tags: + - level1 + - level2 + - rule_2.3.9.4 + - patch + +- name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: SMBServerNameHardeningLevel + data: 1 + type: dword + when: + - rule_2_3_9_5 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.9.5 + - patch + +- name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled" + win_security_policy: + section: System Access + key: LSAAnonymousNameLookup + value: 0 + when: rule_2_3_10_1 + tags: + - level1 + - level2 + - rule_2.3.10.1 + - patch + +- name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymousSAM + data: 1 + 
type: dword + when: + - rule_2_3_10_2 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.10.2 + - patch + +- name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymous + data: 1 + type: dword + when: + - rule_2_3_10_3 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.10.3 + - patch + +- name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: DisableDomainCreds + data: 1 + type: dword + when: rule_2_3_10_4 + tags: + - level2 + - rule_2.3.10.4 + - patch + +- name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: EveryoneIncludesAnonymous + data: 0 + type: dword + when: rule_2_3_10_5 + tags: + - level1 + - level2 + - rule_2.3.10.5 + - patch + +- name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring + when: + - rule_2_3_10_6 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.10.6 + - patch + +- name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring + when: + - rule_2_3_10_7 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 
+ - rule_2.3.10.7 + - patch + +- name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] + type: multistring + when: rule_2_3_10_8 + tags: + - level1 + - level2 + - rule_2.3.10.8 + - patch + +- name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] + type: multistring + when: rule_2_3_10_9 + tags: + - level1 + - level2 + - rule_2.3.10.9 + - patch + +- name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: RestrictNullSessAccess + data: 1 + type: dword + when: rule_2_3_10_10 + tags: + - level1 + - level2 + - rule_2.3.10.10 + - patch + +- name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators 
Remote Access Allow MS only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: RestrictRemoteSAM + data: "O:BAG:BAD:(A;;RC;;;BA)" + type: string + when: rule_2_3_10_11 + tags: + - level1 + - level2 + - rule_2.3.10.11 + - patch + +- name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionShares + data: "" + type: multistring + when: rule_2_3_10_12 + tags: + - level1 + - level2 + - rule_2.3.10.12 + - patch + +- name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: ForceGuest + data: 0 + type: dword + when: rule_2_3_10_13 + tags: + - level1 + - level2 + - rule_2.3.10.13 + - patch + +- name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: UseMachineId + data: 1 + type: dword + when: rule_2_3_11_1 + tags: + - level1 + - level2 + - rule_2.3.11.1 + - patch + +- name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: allownullsessionfallback + data: 0 + type: dword + when: rule_2_3_11_2 + tags: + - level1 + - level2 + - rule_2.3.11.2 + - patch + +- name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U + name: AllowOnlineID + data: 0 + type: dword + when: rule_2_3_11_3 + tags: + - level1 + - level2 + - rule_2.3.11.3 + - patch + +- 
name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters + name: SupportedEncryptionTypes + data: 2147483644 + type: dword + when: rule_2_3_11_4 + tags: + - level1 + - level2 + - rule_2.3.11.4 + - patch + +- name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: NoLMHash + data: 1 + type: dword + when: rule_2_3_11_5 + tags: + - level1 + - level2 + - rule_2.3.11.5 + - patch + +- name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters + name: EnableForcedLogOff + data: 1 + type: dword + when: rule_2_3_11_6 + tags: + - level1 + - level2 + - rule_2.3.11.6 + - patch + +- name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. 
Refuse LM NTLM" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LMCompatibilityLevel + data: 5 + type: dword + when: rule_2_3_11_7 + tags: + - level1 + - level2 + - rule_2.3.11.7 + - patch + +- name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Ldap + name: LDAPClientIntegrity + data: 1 + type: dword + when: rule_2_3_11_8 + tags: + - level1 + - level2 + - rule_2.3.11.8 + - patch + +- name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinClientSec + data: 537395200 + type: dword + when: rule_2_3_11_9 + tags: + - level1 + - level2 + - rule_2.3.11.9 + - patch + +- name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinServerSec + data: 537395200 + type: dword + when: rule_2_3_11_10 + tags: + - level1 + - level2 + - rule_2.3.11.10 + - patch + +- name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ShutdownWithoutLogon + data: 0 + type: dword + when: rule_2_3_13_1 + tags: + - level1 + - level2 + - rule_2.3.13.1 + - patch + +- name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel + name: ObCaseInsensitive 
+ data: 1 + type: dword + when: rule_2_3_15_1 + tags: + - level1 + - level2 + - rule_2.3.15.1 + - patch + +- name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: ProtectionMode + data: 1 + type: dword + when: rule_2_3_15_2 + tags: + - level1 + - level2 + - rule_2.3.15.2 + - patch + +- name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: FilterAdministratorToken + data: 1 + type: dword + when: rule_2_3_17_1 + tags: + - level1 + - level2 + - rule_2.3.17.1 + - patch + +- name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableUIADesktopToggle + data: 0 + type: dword + when: rule_2_3_17_2 + tags: + - level1 + - level2 + - rule_2.3.17.2 + - patch + +- name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorAdmin + data: 2 + type: dword + when: rule_2_3_17_3 + tags: + - level1 + - level2 + - rule_2.3.17.3 + - patch + +- name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorUser + data: 0 + type: 
dword + when: rule_2_3_17_4 + tags: + - level1 + - level2 + - rule_2.3.17.4 + - patch + +- name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableInstallerDetection + data: 1 + type: dword + when: rule_2_3_17_5 + tags: + - level1 + - level2 + - rule_2.3.17.5 + - patch + +- name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableSecureUIAPaths + data: 1 + type: dword + when: rule_2_3_17_6 + tags: + - level1 + - level2 + - rule_2.3.17.6 + - patch + +- name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableLUA + data: 1 + type: dword + when: rule_2_3_17_7 + tags: + - level1 + - level2 + - rule_2.3.17.7 + - patch + +- name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: PromptOnSecureDesktop + data: 1 + type: dword + when: rule_2_3_17_8 + tags: + - level1 + - level2 + - rule_2.3.17.8 + - patch + +- name: "SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableVirtualization + data: 1 + type: dword + when: rule_2_3_17_9 + tags: + - level1 + - level2 + - rule_2.3.17.9 + - patch + + 
diff --git a/tasks/section02.yml b/tasks/section02.yml
index e605865..f3f9ffe 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
@@ -1,43 +1,60 @@ --- -- name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" +- name: "SCORED | 2.2.1 | PATCH | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" win_user_right: name: SeTrustedCredManAccessPrivilege users: action: set when: rule_2_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.1 - patch -- name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" +- name: "SCORED | 2.2.2 | PATCH | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" win_user_right: name: SeNetworkLogonRight users: - Administrators - Authenticated Users + - ENTERPRISE DOMAIN CONTROLLERS action: set when: - - rule_2_2_2 or rule_2_2_3 + - rule_2_2_2 + - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller1 - rule_2.2.2 + - patch + +- name: "SCORED | 2.2.3 | PATCH | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + win_user_right: + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set + when: + - rule_2_2_3 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver - rule_2.2.3 - patch -- name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" +- name: "SCORED | 2.2.4 | PATCH | (L1) Ensure 'Act as part of the operating system' is set to 'No One'" win_user_right: name: SeTcbPrivilege users: action: set when: rule_2_2_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.4 - patch -- name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" +- name: "SCORED | 
2.2.5 | PATCH | (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" win_user_right: name: SeMachineAccountPrivilege users: Administrators @@ -46,10 +63,11 @@ - rule_2_2_5 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.5 - patch -- name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" +- name: "SCORED | 2.2.6 | PATCH | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" win_user_right: name: SeIncreaseQuotaPrivilege users: @@ -59,12 +77,12 @@ action: set when: rule_2_2_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.6 - patch -- name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" +- name: "SCORED | 2.2.7 | PATCH | (L1) Ensure 'Allow log on locally' is set to 'Administrators'" win_user_right: name: SeInteractiveLogonRight users: 
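Review bot: The new 2.2.2 task is tagged `- level1-domaincontroller1` (trailing `1`), so a run selecting `--tags level1-domaincontroller` skips the one task that grants 'Access this computer from the network' to ENTERPRISE DOMAIN CONTROLLERS on a DC; the line should read `- level1-domaincontroller` like every other DC-scoped task in this file. Separately, the new 2.2.3 task (and 2.2.9 in the next hunk) selects member servers with `not ansible_windows_domain_role == "Primary domain controller"`, while 2.2.2 and 2.2.8 select DCs with the positive `== "Primary domain controller"`; if that fact can also report "Backup domain controller" for additional DCs, as I believe it can, those hosts would receive the MS-only right (dropping ENTERPRISE DOMAIN CONTROLLERS) rather than the DC one — worth confirming against the fact's values, or matching the explicit `ansible_windows_domain_role == "Member server"` check already used by 2.2.18 so the two halves of each pair cannot overlap or leave a gap.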
@@ -72,26 +90,41 @@ action: set when: rule_2_2_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.7 - patch -- name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" +- name: "SCORED | 2.2.8 | PATCH | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" win_user_right: name: SeRemoteInteractiveLogonRight users: - Administrators - - Remote Desktop Users action: set when: - - rule_2_2_8 or rule_2_2_9 + - rule_2_2_8 + - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.8 + - patch + +- name: "SCORED | 2.2.9 | PATCH | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + win_user_right: + name: SeRemoteInteractiveLogonRight + users: + - Administrators + - Remote Desktop Users + action: set + when: + - rule_2_2_9 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver - rule_2.2.9 - patch -- name: "SCORED | 2.2.10 | PATCH | L1 Ensure Back up files and directories is set to Administrators" +- name: "SCORED | 2.2.10 | PATCH | (L1) Ensure 'Back up files and directories' is set to 'Administrators'" win_user_right: name: SeBackupPrivilege users: @@ -99,12 +132,12 @@ action: set when: rule_2_2_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.10 - patch -- name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" +- name: "SCORED | 2.2.11 | PATCH | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" win_user_right: name: SeSystemTimePrivilege users: 
@@ -113,12 +146,12 @@ action: set when: rule_2_2_11 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.11 - patch -- name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" +- name: "SCORED | 2.2.12 | PATCH | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" win_user_right: name: SeTimeZonePrivilege users: @@ -127,12 +160,12 @@ action: set when: rule_2_2_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.12 - patch -- name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" +- name: "SCORED | 2.2.13 | PATCH | (L1) Ensure 'Create a pagefile' is set to 'Administrators'" win_user_right: name: SeCreatePagefilePrivilege users: @@ -140,24 +173,24 @@ action: set when: rule_2_2_13 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.13 - patch -- name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" +- name: "SCORED | 2.2.14 | PATCH | (L1) Ensure 'Create a token object' is set to 'No One'" win_user_right: name: SeCreateTokenPrivilege users: action: set when: rule_2_2_14 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.14 - patch -- name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" +- name: "SCORED | 2.2.15 | PATCH | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" win_user_right: name: SeCreateGlobalPrivilege users: 
@@ -168,24 +201,24 @@ action: set when: rule_2_2_15 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.15 - patch -- name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" +- name: "SCORED | 2.2.16 | PATCH | (L1) Ensure 'Create permanent shared objects' is set to 'No One'" win_user_right: name: SeCreatePermanentPrivilege users: action: set when: rule_2_2_16 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.16 - patch -- name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" +- name: "SCORED | 2.2.17 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -195,10 +228,11 @@ - rule_2_2_17 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.17 - patch -- name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" +- name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -209,12 +243,11 @@ - rule_2_2_18 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.18 - patch -- name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" +- name: "SCORED | 2.2.19 | PATCH | (L1) Ensure 'Debug programs' is set to 'Administrators'" win_user_right: name: SeDebugPrivilege users: 
@@ -222,13 +255,13 @@ action: set when: rule_2_2_19 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.19 - patch #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes -- name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" +- name: "SCORED | 2.2.20 | PATCH | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" win_user_right: name: SeDenyNetworkLogonRight users: @@ -238,10 +271,11 @@ - rule_2_2_20 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.20 - patch -- name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" +- name: "SCORED | 2.2.21 | PATCH | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)" win_user_right: name: SeDenyNetworkLogonRight users: @@ -253,12 +287,11 @@ - rule_2_2_21 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.21 - patch -- name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" +- name: "SCORED | 2.2.22 | PATCH | (L1) Ensure 'Deny log on as a batch job' to include 'Guests'" win_user_right: name: SeDenyBatchLogonRight users: @@ -266,12 +299,12 @@ action: set when: rule_2_2_22 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.22 - patch -- name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" +- name: "SCORED | 2.2.23 | PATCH | (L1) Ensure 'Deny log on as a service' to include 'Guests'" win_user_right: name: SeDenyServiceLogonRight users: 
@@ -279,12 +312,12 @@ action: set when: rule_2_2_23 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.23 - patch -- name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" +- name: "SCORED | 2.2.24 | PATCH | (L1) Ensure 'Deny log on locally' to include 'Guests'" win_user_right: name: SeDenyInteractiveLogonRight users: @@ -292,12 +325,12 @@ action: set when: rule_2_2_24 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.24 - patch -- name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" +- name: "SCORED | 2.2.25 | PATCH | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -308,10 +341,11 @@ - rule_2_2_25 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.25 - patch -- name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" +- name: "SCORED | 2.2.26 | PATCH | (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -322,12 +356,11 @@ - rule_2_2_26 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.26 - patch -- name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" +- name: "SCORED | 2.2.27 | PATCH | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" win_user_right: name: SeEnableDelegationPrivilege users: Administrators 
@@ -336,10 +369,11 @@ - rule_2_2_27 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.27 - patch -- name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" +- name: "SCORED | 2.2.28 | PATCH | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" win_user_right: name: SeEnableDelegationPrivilege users: @@ -348,12 +382,11 @@ - rule_2_2_28 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.28 - patch -- name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" +- name: "SCORED | 2.2.29 | PATCH | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" win_user_right: name: SeRemoteShutdownPrivilege users: @@ -361,12 +394,12 @@ action: set when: rule_2_2_29 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.29 - patch -- name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" +- name: "SCORED | 2.2.30 | PATCH | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" win_user_right: name: SeAuditPrivilege users: @@ -375,12 +408,12 @@ action: set when: rule_2_2_30 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.30 - patch -- name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" +- name: "SCORED | 2.2.31 | PATCH | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" win_user_right: name: SeImpersonatePrivilege users: 
@@ -393,10 +426,11 @@ - rule_2_2_31 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.31 - patch -- name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" +- name: "SCORED | 2.2.32 | PATCH | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)" win_user_right: name: SeImpersonatePrivilege users: @@ -410,12 +444,11 @@ - rule_2_2_32 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.32 - patch -- name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators" +- name: "SCORED | 2.2.33 | PATCH | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'" win_user_right: name: SeIncreaseBasePriorityPrivilege users: @@ -423,12 +456,12 @@ action: set when: rule_2_2_33 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.33 - patch -- name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" +- name: "SCORED | 2.2.34 | PATCH | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" win_user_right: name: SeLoadDriverPrivilege users: 
@@ -436,24 +469,24 @@ action: set when: rule_2_2_34 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.34 - patch -- name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" +- name: "SCORED | 2.2.35 | PATCH | (L1) Ensure 'Lock pages in memory' is set to 'No One'" win_user_right: name: SeLockMemoryPrivilege users: action: set when: rule_2_2_35 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.35 - patch -- name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" +- name: "SCORED | 2.2.36 | PATCH | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" win_user_right: name: SeBatchLogonRight users: Administrators @@ -462,10 +495,11 @@ - rule_2_2_36 - ansible_windows_domain_role == "Primary domain controller" tags: + - level2-domaincontroller - rule_2.2.36 - patch -- name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" +- name: "SCORED | 2.2.37 (DC) & 2.2.38 (MS) | PATCH | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers'" win_user_right: name: SeSecurityPrivilege users: 
@@ -474,23 +508,25 @@ when: - rule_2_2_37 or rule_2_2_38 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.37 - rule_2.2.38 - patch -- name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" +- name: "SCORED | 2.2.39 | PATCH | (L1) Ensure 'Modify an object label' is set to 'No One'" win_user_right: name: SeReLabelPrivilege users: action: set when: rule_2_2_39 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.39 - patch -- name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" +- name: "SCORED | 2.2.40 | PATCH | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" win_user_right: name: SeSystemEnvironmentPrivilege users: @@ -498,12 +534,12 @@ action: set when: rule_2_2_40 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.40 - patch -- name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" +- name: "SCORED | 2.2.41 | PATCH | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" win_user_right: name: SeManageVolumePrivilege users: @@ -511,12 +547,12 @@ action: set when: rule_2_2_41 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.41 - patch -- name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" +- name: "SCORED | 2.2.42 | PATCH | (L1) Ensure 'Profile single process' is set to 'Administrators'" win_user_right: name: SeProfileSingleProcessPrivilege users: 
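Review bot: The merged 2.2.37/2.2.38 task now carries both `level1-domaincontroller` and `level1-memberserver` tags while its `when` remains `rule_2_2_37 or rule_2_2_38` with no role gate, which is the one DC/MS pair this commit leaves unsplit (2.2.2/2.2.3 and 2.2.8/2.2.9 were split by role); nothing in the task says why. If the two controls intentionally set SeSecurityPrivilege to the same members on both roles, as the new name suggests, a comment above the task such as `# 2.2.37 (DC) and 2.2.38 (MS) assign the same members, so one task covers both roles` would stop a reader from "fixing" it into a split; otherwise the pair should be split like its siblings. The task's `users:` list continues outside the hunk, so I could not check that the members really are identical.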
@@ -524,12 +560,12 @@ action: set when: rule_2_2_42 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.42 - patch -- name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" +- name: "SCORED | 2.2.43 | PATCH | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" win_user_right: name: SeSystemProfilePrivilege users: @@ -538,12 +574,12 @@ action: set when: rule_2_2_43 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.43 - patch -- name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" +- name: "SCORED | 2.2.44 | PATCH | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" win_user_right: name: SeAssignPrimaryTokenPrivilege users: @@ -552,12 +588,12 @@ action: set when: rule_2_2_44 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.44 - patch -- name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" +- name: "SCORED | 2.2.45 | PATCH | (L1) Ensure 'Restore files and directories' is set to 'Administrators'" win_user_right: name: SeRestorePrivilege users: @@ -565,12 +601,12 @@ action: set when: rule_2_2_45 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.45 - patch -- name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" +- name: "SCORED | 2.2.46 | PATCH | (L1) Ensure 'Shut down the system' is set to 'Administrators'" win_user_right: name: SeShutdownPrivilege users: 
@@ -578,12 +614,12 @@ action: set when: rule_2_2_46 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.46 - patch -- name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only" +- name: "SCORED | 2.2.47 | PATCH | (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" win_user_right: name: SeSyncAgentPrivilege users: @@ -592,10 +628,11 @@ - rule_2_2_47 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.47 - patch -- name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" +- name: "SCORED | 2.2.48 | PATCH | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" win_user_right: name: SeTakeOwnershipPrivilege users: 
@@ -603,949 +640,7 @@ action: set when: rule_2_2_48 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.48 - - patch - -- name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" - win_security_policy: - section: System Access - key: EnableAdminAccount - value: 0 - when: - - rule_2_3_1_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_2.3.1.1 - - patch - -- name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: NoConnectedUser - data: 3 - type: dword - when: rule_2_3_1_2 - tags: - - level1 - - level2 - - rule_2.3.1.2 - - patch - -- name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" - win_security_policy: - section: System Access - key: EnableGuestAccount - value: 0 - when: rule_2_3_1_3 - tags: - - level1 - - level2 - - rule_2.3.1.3 - - patch - -- name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: LimitBlankPasswordUse - data: 1 - type: dword - when: rule_2_3_1_4 - tags: - - level1 - - level2 - - rule_2.3.1.4 - - patch - -- name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" - win_security_policy: - section: System Access - key: newadministratorname - value: GeorgeSharp - when: rule_2_3_1_5 - tags: - - level1 - - level2 - - rule_2.3.1.5 - - patch - -- name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account" - win_security_policy: - section: System Access - key: NewGuestName - value: BobCooper - when: rule_2_3_1_6 - tags: - - level1 - - level2 - - rule_2.3.1.6 - - patch - -- name: 
"SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: SCENoApplyLegacyAuditPolicy - data: 1 - type: dword - when: rule_2_3_2_1 - tags: - - level1 - - level2 - - rule_2.3.2.1 - - patch - -- name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: CrashOnAuditFail - data: 0 - type: dword - when: rule_2_3_2_2 - tags: - - level1 - - level2 - - rule_2.3.2.2 - - patch - -- name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: AllocateDASD - data: 0 - type: string - when: rule_2_3_4_1 - tags: - - level1 - - level2 - - rule_2.3.4.1 - - patch - -- name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers - name: AddPrinterDrivers - data: 1 - type: dword - when: rule_2_3_4_2 - tags: - - level1 - - level2 - - rule_2.3.4.2 - - patch - -- name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa - name: SubmitControl - data: 0 - type: dword - when: - - rule_2_3_5_1 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_2.3.5.1 - - patch - -- name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters - name: 
LDAPServerIntegrity - data: 2 - type: dword - when: - - rule_2_3_5_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_2.3.5.2 - - patch - -- name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters - name: RefusePasswordChange - data: 0 - type: dword - when: - - rule_2_3_5_3 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_2.3.5.3 - - patch - -- name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: RequireSignOrSeal - data: 1 - type: dword - when: - - rule_2_3_6_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_2.3.6.1 - - patch - -- name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: sealsecurechannel - data: 1 - type: dword - when: - - rule_2_3_6_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_2.3.6.2 - - patch - -- name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: signsecurechannel - data: 1 - type: dword - when: - - rule_2_3_6_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_2.3.6.3 - - patch - -- name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" - win_regedit: - path: 
HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: disablepasswordchange - data: 1 - type: dword - when: - - rule_2_3_6_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_2.3.6.4 - - patch - -- name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: MaximumPasswordAge - data: 30 - type: dword - when: - - rule_2_3_6_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_2.3.6.5 - - patch - -- name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: RequireStrongKey - data: 1 - type: dword - when: - - rule_2_3_6_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_2.3.6.6 - - patch - -- name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DontDisplayLastUserName - data: 1 - type: dword - when: rule_2_3_7_1 - tags: - - level1 - - level2 - - rule_2.3.7.1 - - patch - -- name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DisableCAD - data: 0 - type: dword - when: rule_2_3_7_2 - tags: - - level1 - - level2 - - rule_2.3.7.2 - - patch - -- name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: 
InactivityTimeoutSecs
- data: 900
- type: dword
- when: rule_2_3_7_3
- tags:
- - level1
- - level2
- - rule_2.3.7.3
- - patch
-
-- name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: LegalNoticeText
- data: "{{ legalnoticetext }}"
- type: string
- when: rule_2_3_7_4
- tags:
- - level1
- - level2
- - rule_2.3.7.4
- - patch
-
-- name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: LegalNoticeCaption
- data: "{{ legalnoticecaption }}"
- type: string
- when: rule_2_3_7_5
- tags:
- - level1
- - level2
- - rule_2.3.7.5
- - patch
-
-- name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: cachedlogonscount
- data: 1
- type: string
- when: rule_2_3_7_6
- tags:
- - level2
- - rule_2.3.7.6
- - patch
-
-- name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: PasswordExpiryWarning
- data: 14
- type: dword
- when: rule_2_3_7_7
- tags:
- - level1
- - level2
- - rule_2.3.7.7
- - patch
-
-- name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: ForceUnlockLogon
- data: 1
- type: dword
- when:
- - rule_2_3_7_8
- - ansible_windows_domain_role == "Member server"
- tags:
- - level1
- - level2
- - rule_2.3.7.8
- - patch
-
-- name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: scremoveoption
- data: 1
- type: string
- when: rule_2_3_7_9
- tags:
- - level1
- - level2
- - rule_2.3.7.9
- - patch
-
-- name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
- name: RequireSecuritySignature
- data: 1
- type: dword
- when: rule_2_3_8_1
- tags:
- - level1
- - level2
- - rule_2.3.8.1
- - patch
-
-- name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
- name: EnableSecuritySignature
- data: 1
- type: dword
- when: rule_2_3_8_2
- tags:
- - level1
- - level2
- - rule_2.3.8.2
- - patch
-
-- name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
- name: EnablePlainTextPassword
- data: 0
- type: dword
- when: rule_2_3_8_3
- tags:
- - level1
- - level2
- - rule_2.3.8.3
- - patch
-
-- name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: autodisconnect
- data: 15
- type: dword
- when: rule_2_3_9_1
- tags:
- - level1
- - level2
- - rule_2.3.9.1
- - patch
-
-- name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: requiresecuritysignature
- data: 1
- type: dword
- when: rule_2_3_9_2
- tags:
- - level1
- - level2
- - rule_2.3.9.2
- - patch
-
-- name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: enablesecuritysignature
- data: 1
- type: dword
- when: rule_2_3_9_3
- tags:
- - level1
- - level2
- - rule_2.3.9.3
- - patch
-
-- name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: enableforcedlogoff
- data: 1
- type: dword
- when: rule_2_3_9_4
- tags:
- - level1
- - level2
- - rule_2.3.9.4
- - patch
-
-- name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: SMBServerNameHardeningLevel
- data: 1
- type: dword
- when:
- - rule_2_3_9_5
- - ansible_windows_domain_role == "Member server"
- tags:
- - level1
- - level2
- - rule_2.3.9.5
- - patch
-
-- name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled"
- win_security_policy:
- section: System Access
- key: LSAAnonymousNameLookup
- value: 0
- when: rule_2_3_10_1
- tags:
- - level1
- - level2
- - rule_2.3.10.1
- - patch
-
-- name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: RestrictAnonymousSAM
- data: 1
- type: dword
- when:
- - rule_2_3_10_2
- - ansible_windows_domain_role == "Member server"
- tags:
- - level1
- - level2
- - rule_2.3.10.2
- - patch
-
-- name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: RestrictAnonymous
- data: 1
- type: dword
- when:
- - rule_2_3_10_3
- - ansible_windows_domain_role == "Member server"
- tags:
- - level1
- - level2
- - rule_2.3.10.3
- - patch
-
-- name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: DisableDomainCreds
- data: 1
- type: dword
- when: rule_2_3_10_4
- tags:
- - level2
- - rule_2.3.10.4
- - patch
-
-- name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: EveryoneIncludesAnonymous
- data: 0
- type: dword
- when: rule_2_3_10_5
- tags:
- - level1
- - level2
- - rule_2.3.10.5
- - patch
-
-- name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: NullSessionPipes
- data: ""
- type: multistring
- when:
- - rule_2_3_10_6
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - rule_2.3.10.6
- - patch
-
-- name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: NullSessionPipes
- data: ""
- type: multistring
- when:
- - rule_2_3_10_7
- - ansible_windows_domain_role == "Member server"
- tags:
- - level1
- - level2
- - rule_2.3.10.7
- - patch
-
-- name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths
- name: "Machine"
- data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion']
- type: multistring
- when: rule_2_3_10_8
- tags:
- - level1
- - level2
- - rule_2.3.10.8
- - patch
-
-- name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
- name: "Machine"
- data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
- type: multistring
- when: rule_2_3_10_9
- tags:
- - level1
- - level2
- - rule_2.3.10.9
- - patch
-
-- name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: RestrictNullSessAccess
- data: 1
- type: dword
- when: rule_2_3_10_10
- tags:
- - level1
- - level2
- - rule_2.3.10.10
- - patch
-
-- name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only"
- win_regedit:
- path: HKLM:\System\CurrentControlSet\Control\Lsa
- name: RestrictRemoteSAM
- data: "O:BAG:BAD:(A;;RC;;;BA)"
- type: string
- when: rule_2_3_10_11
- tags:
- - level1
- - level2
- - rule_2.3.10.11
- - patch
-
-- name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: NullSessionShares
- data: ""
- type: multistring
- when: rule_2_3_10_12
- tags:
- - level1
- - level2
- - rule_2.3.10.12
- - patch
-
-- name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: ForceGuest
- data: 0
- type: dword
- when: rule_2_3_10_13
- tags:
- - level1
- - level2
- - rule_2.3.10.13
- - patch
-
-- name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: UseMachineId
- data: 1
- type: dword
- when: rule_2_3_11_1
- tags:
- - level1
- - level2
- - rule_2.3.11.1
- - patch
-
-- name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
- name: allownullsessionfallback
- data: 0
- type: dword
- when: rule_2_3_11_2
- tags:
- - level1
- - level2
- - rule_2.3.11.2
- - patch
-
-- name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
- name: AllowOnlineID
- data: 0
- type: dword
- when: rule_2_3_11_3
- tags:
- - level1
- - level2
- - rule_2.3.11.3
- - patch
-
-- name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
- name: SupportedEncryptionTypes
- data: 2147483644
- type: dword
- when: rule_2_3_11_4
- tags:
- - level1
- - level2
- - rule_2.3.11.4
- - patch
-
-- name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: NoLMHash
- data: 1
- type: dword
- when: rule_2_3_11_5
- tags:
- - level1
- - level2
- - rule_2.3.11.5
- - patch
-
-- name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled"
- win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
- name: EnableForcedLogOff
- data: 1
- type: dword
- when: rule_2_3_11_6
- tags:
- - level1
- - level2
- - rule_2.3.11.6
- - patch
-
-- name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: LMCompatibilityLevel
- data: 5
- type: dword
- when: rule_2_3_11_7
- tags:
- - level1
- - level2
- - rule_2.3.11.7
- - patch
-
-- name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Ldap
- name: LDAPClientIntegrity
- data: 1
- type: dword
- when: rule_2_3_11_8
- tags:
- - level1
- - level2
- - rule_2.3.11.8
- - patch
-
-- name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
- name: NTLMMinClientSec
- data: 537395200
- type: dword
- when: rule_2_3_11_9
- tags:
- - level1
- - level2
- - rule_2.3.11.9
- - patch
-
-- name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
- name: NTLMMinServerSec
- data: 537395200
- type: dword
- when: rule_2_3_11_10
- tags:
- - level1
- - level2
- - rule_2.3.11.10
- - patch
-
-- name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: ShutdownWithoutLogon
- data: 0
- type: dword
- when: rule_2_3_13_1
- tags:
- - level1
- - level2
- - rule_2.3.13.1
- - patch
-
-- name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel
- name: ObCaseInsensitive
- data: 1
- type: dword
- when: rule_2_3_15_1
- tags:
- - level1
- - level2
- - rule_2.3.15.1
- - patch
-
-- name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Session Manager
- name: ProtectionMode
- data: 1
- type: dword
- when: rule_2_3_15_2
- tags:
- - level1
- - level2
- - rule_2.3.15.2
- - patch
-
-- name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: FilterAdministratorToken
- data: 1
- type: dword
- when: rule_2_3_17_1
- tags:
- - level1
- - level2
- - rule_2.3.17.1
- - patch
-
-- name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: EnableUIADesktopToggle
- data: 0
- type: dword
- when: rule_2_3_17_2
- tags:
- - level1
- - level2
- - rule_2.3.17.2
- - patch
-
-- name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: ConsentPromptBehaviorAdmin
- data: 2
- type: dword
- when: rule_2_3_17_3
- tags:
- - level1
- - level2
- - rule_2.3.17.3
- - patch
-
-- name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: ConsentPromptBehaviorUser
- data: 0
- type: dword
- when: rule_2_3_17_4
- tags:
- - level1
- - level2
- - rule_2.3.17.4
- - patch
-
-- name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: EnableInstallerDetection
- data: 1
- type: dword
- when: rule_2_3_17_5
- tags:
- - level1
- - level2
- - rule_2.3.17.5
- - patch
-
-- name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: EnableSecureUIAPaths
- data: 1
- type: dword
- when: rule_2_3_17_6
- tags:
- - level1
- - level2
- - rule_2.3.17.6
- - patch
-
-- name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: EnableLUA
- data: 1
- type: dword
- when: rule_2_3_17_7
- tags:
- - level1
- - level2
- - rule_2.3.17.7
- - patch
-
-- name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: PromptOnSecureDesktop
- data: 1
- type: dword
- when: rule_2_3_17_8
- tags:
- - level1
- - level2
- - rule_2.3.17.8
- - patch
-
-- name: "SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: EnableVirtualization
- data: 1
- type: dword
- when: rule_2_3_17_9
- tags:
- - level1
- - level2
- - rule_2.3.17.9
- - patch
- -
+ - patch
\ No newline at end of file
From a11165ccff84177c750494050d6516a97afed265 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 29 Jan 2021 16:50:46 -0500 Subject: [PATCH 04/12] updated all section 2 to version 1.2.0 Signed-off-by: George Nalen --- tasks/old_section02.yml | 1496 +++++++++++++++++++-------------------- tasks/section02.yml | 928 +++++++++++++++++++++++- 2 files changed, 1675 insertions(+), 749 deletions(-) diff --git a/tasks/old_section02.yml b/tasks/old_section02.yml index e34d9d0..41c700a 100644 --- a/tasks/old_section02.yml +++ b/tasks/old_section02.yml 
@@ -428,813 +428,813 @@
# - rule_2.2.33
# - patch
-- name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators"
- win_user_right:
- name: SeLoadDriverPrivilege
- users:
- - Administrators
- action: set
- when: rule_2_2_34
- tags:
- - level1
- - level2
- - rule_2.2.34
- - patch
-
-- name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One"
- win_user_right:
- name: SeLockMemoryPrivilege
- users:
- action: set
- when: rule_2_2_35
- tags:
- - level1
- - level2
- - rule_2.2.35
- - patch
+# - name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators"
+# win_user_right:
+# name: SeLoadDriverPrivilege
+# users:
+# - Administrators
+# action: set
+# when: rule_2_2_34
+# tags:
+# - level1
+# - level2
+# - rule_2.2.34
+# - patch
-- name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only"
- win_user_right:
- name: SeBatchLogonRight
- users: Administrators
- action: set
- when:
- - rule_2_2_36
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - rule_2.2.36
- - patch
+# - name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One"
+# win_user_right:
+# name: SeLockMemoryPrivilege
+# users:
+# action: set
+# when: rule_2_2_35
+# tags:
+# - level1
+# - level2
+# - rule_2.2.35
+# - patch
-- name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only"
- win_user_right:
- name: SeSecurityPrivilege
- users:
- - Administrators
- action: set
- when:
- - rule_2_2_37 or rule_2_2_38
- tags:
- - rule_2.2.37
- - rule_2.2.38
- - patch
+# - name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only"
+# win_user_right:
+# name: SeBatchLogonRight
+# users: Administrators
+# action: set
+# when:
+# - rule_2_2_36
+# - ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - rule_2.2.36
+# - patch
-- name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One"
- win_user_right:
- name: SeReLabelPrivilege
- users:
- action: set
- when: rule_2_2_39
- tags:
- - level1
- - level2
- - rule_2.2.39
- - patch
+# - name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only"
+# win_user_right:
+# name: SeSecurityPrivilege
+# users:
+# - Administrators
+# action: set
+# when:
+# - rule_2_2_37 or rule_2_2_38
+# tags:
+# - rule_2.2.37
+# - rule_2.2.38
+# - patch
-- name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators"
- win_user_right:
- name: SeSystemEnvironmentPrivilege
- users:
- - Administrators
- action: set
- when: rule_2_2_40
- tags:
- - level1
- - level2
- - rule_2.2.40
- - patch
+# - name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One"
+# win_user_right:
+# name: SeReLabelPrivilege
+# users:
+# action: set
+# when: rule_2_2_39
+# tags:
+# - level1
+# - level2
+# - rule_2.2.39
+# - patch
-- name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators"
- win_user_right:
- name: SeManageVolumePrivilege
- users:
- - Administrators
- action: set
- when: rule_2_2_41
- tags:
- - level1
- - level2
- - rule_2.2.41
- - patch
+# - name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators"
+# win_user_right:
+# name: SeSystemEnvironmentPrivilege
+# users:
+# - Administrators
+# action: set
+# when: rule_2_2_40
+# tags:
+# - level1
+# - level2
+# - rule_2.2.40
+# - patch
-- name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators"
- win_user_right:
- name: SeProfileSingleProcessPrivilege
- users:
- - Administrators
- action: set
- when: rule_2_2_42
- tags:
- - level1
- - level2
- - rule_2.2.42
- - patch
+# - name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators"
+# win_user_right:
+# name: SeManageVolumePrivilege
+# users:
+# - Administrators
+# action: set
+# when: rule_2_2_41
+# tags:
+# - level1
+# - level2
+# - rule_2.2.41
+# - patch
-- name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost"
- win_user_right:
- name: SeSystemProfilePrivilege
- users:
- - Administrators
- - NT SERVICE\WdiServiceHost
- action: set
- when: rule_2_2_43
- tags:
- - level1
- - level2
- - rule_2.2.43
- - patch
+# - name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators"
+# win_user_right:
+# name: SeProfileSingleProcessPrivilege
+# users:
+# - Administrators
+# action: set
+# when: rule_2_2_42
+# tags:
+# - level1
+# - level2
+# - rule_2.2.42
+# - patch
-- name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE"
- win_user_right:
- name: SeAssignPrimaryTokenPrivilege
- users:
- - LOCAL SERVICE
- - NETWORK SERVICE
- action: set
- when: rule_2_2_44
- tags:
- - level1
- - level2
- - rule_2.2.44
- - patch
+# - name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost"
+# win_user_right:
+# name: SeSystemProfilePrivilege
+# users:
+# - Administrators
+# - NT SERVICE\WdiServiceHost
+# action: set
+# when: rule_2_2_43
+# tags:
+# - level1
+# - level2
+# - rule_2.2.43
+# - patch
-- name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators"
- win_user_right:
- name: SeRestorePrivilege
- users:
- - Administrators
- action: set
- when: rule_2_2_45
- tags:
- - level1
- - level2
- - rule_2.2.45
- - patch
+# - name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE"
+# win_user_right:
+# name: SeAssignPrimaryTokenPrivilege
+# users:
+# - LOCAL SERVICE
+# - NETWORK SERVICE
+# action: set
+# when: rule_2_2_44
+# tags:
+# - level1
+# - level2
+# - rule_2.2.44
+# - patch
-- name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators"
- win_user_right:
- name: SeShutdownPrivilege
- users:
- - Administrators
- action: set
- when: rule_2_2_46
- tags:
- - level1
- - level2
- - rule_2.2.46
- - patch
+# - name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators"
+# win_user_right:
+# name: SeRestorePrivilege
+# users:
+# - Administrators
+# action: set
+# when: rule_2_2_45
+# tags:
+# - level1
+# - level2
+# - rule_2.2.45
+# - patch
-- name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only"
- win_user_right:
- name: SeSyncAgentPrivilege
- users:
- action: set
- when:
- - rule_2_2_47
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - rule_2.2.47
- - patch
+# - name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators"
+# win_user_right:
+# name: SeShutdownPrivilege
+# users:
+# - Administrators
+# action: set
+# when: rule_2_2_46
+# tags:
+# - level1
+# - level2
+# - rule_2.2.46
+# - patch
-- name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators"
- win_user_right:
- name: SeTakeOwnershipPrivilege
- users:
- - Administrators
- action: set
- when: rule_2_2_48
- tags:
- - level1
- - level2
- - rule_2.2.48
- - patch
+# - name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only"
+# win_user_right:
+# name: SeSyncAgentPrivilege
+# users:
+# action: set
+# when:
+# - rule_2_2_47
+# - ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - rule_2.2.47
+# - patch
-- name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only"
- win_security_policy:
- section: System Access
- key: EnableAdminAccount
- value: 0
- when:
- - rule_2_3_1_1
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_2.3.1.1
- - patch
+# - name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators"
+# win_user_right:
+# name: SeTakeOwnershipPrivilege
+# users:
+# - Administrators
+# action: set
+# when: rule_2_2_48
+# tags:
+# - level1
+# - level2
+# - rule_2.2.48
+# - patch
-- name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: NoConnectedUser
- data: 3
- type: dword
- when: rule_2_3_1_2
- tags:
- - level1
- - level2
- - rule_2.3.1.2
- - patch
+# - name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only"
+# win_security_policy:
+# section: System Access
+# key: EnableAdminAccount
+# value: 0
+# when:
+# - rule_2_3_1_1
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_2.3.1.1
+# - patch
-- name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only"
- win_security_policy:
- section: System Access
- key: EnableGuestAccount
- value: 0
- when: rule_2_3_1_3
- tags:
- - level1
- - level2
- - rule_2.3.1.3
- - patch
+# - name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+# name: NoConnectedUser
+# data: 3
+# type: dword
+# when: rule_2_3_1_2
+# tags:
+# - level1
+# - level2
+# - rule_2.3.1.2
+# - patch
-- name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: LimitBlankPasswordUse
- data: 1
- type: dword
- when: rule_2_3_1_4
- tags:
- - level1
- - level2
- - rule_2.3.1.4
- - patch
+# - name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only"
+# win_security_policy:
+# section: System Access
+# key: EnableGuestAccount
+# value: 0
+# when: rule_2_3_1_3
+# tags:
+# - level1
+# - level2
+# - rule_2.3.1.3
+# - patch
-- name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account"
- win_security_policy:
- section: System Access
- key: newadministratorname
- value: GeorgeSharp
- when: rule_2_3_1_5
- tags:
- - level1
- - level2
- - rule_2.3.1.5
- - patch
+# - name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Control\Lsa
+# name: LimitBlankPasswordUse
+# data: 1
+# type: dword
+# when: rule_2_3_1_4
+# tags:
+# - level1
+# - level2
+# - rule_2.3.1.4
+# - patch
-- name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account"
- win_security_policy:
- section: System Access
- key: NewGuestName
- value: BobCooper
- when: rule_2_3_1_6
- tags:
- - level1
- - level2
- - rule_2.3.1.6
- - patch
+# - name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account"
+# win_security_policy:
+# section: System Access
+# key: newadministratorname
+# value: GeorgeSharp
+# when: rule_2_3_1_5
+# tags:
+# - level1
+# - level2
+# - rule_2.3.1.5
+# - patch
-- name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: SCENoApplyLegacyAuditPolicy
- data: 1
- type: dword
- when: rule_2_3_2_1
- tags:
- - level1
- - level2
- - rule_2.3.2.1
- - patch
+# - name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account"
+# win_security_policy:
+# section: System Access
+# key: NewGuestName
+# value: BobCooper
+# when: rule_2_3_1_6
+# tags:
+# - level1
+# - level2
+# - rule_2.3.1.6
+# - patch
-- name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: CrashOnAuditFail
- data: 0
- type: dword
- when: rule_2_3_2_2
- tags:
- - level1
- - level2
- - rule_2.3.2.2
- - patch
+# - name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Control\Lsa
+# name: SCENoApplyLegacyAuditPolicy
+# data: 1
+# type: dword
+# when: rule_2_3_2_1
+# tags:
+# - level1
+# - level2
+# - rule_2.3.2.1
+# - patch
-- name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: AllocateDASD
- data: 0
- type: string
- when: rule_2_3_4_1
- tags:
- - level1
- - level2
- - rule_2.3.4.1
- - patch
+# - name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Control\Lsa
+# name: CrashOnAuditFail
+# data: 0
+# type: dword
+# when: rule_2_3_2_2
+# tags:
+# - level1
+# - level2
+# - rule_2.3.2.2
+# - patch
-- name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers
- name: AddPrinterDrivers
- data: 1
- type: dword
- when: rule_2_3_4_2
- tags:
- - level1
- - level2
- - rule_2.3.4.2
- - patch
+# - name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+# name: AllocateDASD
+# data: 0
+# type: string
+# when: rule_2_3_4_1
+# tags:
+# - level1
+# - level2
+# - rule_2.3.4.1
+# - patch
-- name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only"
- win_regedit:
- path: HKLM:\System\CurrentControlSet\Control\Lsa
- name: SubmitControl
- data: 0
- type: dword
- when:
- - rule_2_3_5_1
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - rule_2.3.5.1
- - patch
+# - name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers
+# name: AddPrinterDrivers
+# data: 1
+# type: dword
+# when: rule_2_3_4_2
+# tags:
+# - level1
+# - level2
+# - rule_2.3.4.2
+# - patch
-- name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only"
- win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
- name: LDAPServerIntegrity
- data: 2
- type: dword
- when:
- - rule_2_3_5_2
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - rule_2.3.5.2
- - patch
+# - name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only"
+# win_regedit:
+# path: HKLM:\System\CurrentControlSet\Control\Lsa
+# name: SubmitControl
+# data: 0
+# type: dword
+# when:
+# - rule_2_3_5_1
+# - ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - rule_2.3.5.1
+# - patch
-- name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only"
- win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters
- name: RefusePasswordChange
- data: 0
- type: dword
- when:
- - rule_2_3_5_3
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - rule_2.3.5.3
- - patch
+# - name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only"
+# win_regedit:
+# path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
+# name: LDAPServerIntegrity
+# data: 2
+# type: dword
+# when:
+# - rule_2_3_5_2
+# - ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - rule_2.3.5.2
+# - patch
-- name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: RequireSignOrSeal
- data: 1
- type: dword
- when:
- - rule_2_3_6_1
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_2.3.6.1
- - patch
+# - name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only"
+# win_regedit:
+# path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters
+# name: RefusePasswordChange
+# data: 0
+# type: dword
+# when:
+# - rule_2_3_5_3
+# - ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - rule_2.3.5.3
+# - patch
-- name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: sealsecurechannel
- data: 1
- type: dword
- when:
- - rule_2_3_6_2
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_2.3.6.2
- - patch
+# - name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+# name: RequireSignOrSeal
+# data: 1
+# type: dword
+# when:
+# - rule_2_3_6_1
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_2.3.6.1
+# - patch
-- name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: signsecurechannel
- data: 1
- type: dword
- when:
- - rule_2_3_6_3
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_2.3.6.3
- - patch
+# - name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+# name: sealsecurechannel
+# data: 1
+# type: dword
+# when:
+# - rule_2_3_6_2
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_2.3.6.2
+# - patch
-- name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: disablepasswordchange
- data: 1
- type: dword
- when:
- - rule_2_3_6_4
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_2.3.6.4
- - patch
+# - name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+# name: signsecurechannel
+# data: 1
+# type: dword
+# when:
+# - rule_2_3_6_3
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_2.3.6.3
+# - patch
-- name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: MaximumPasswordAge
- data: 30
- type: dword
- when:
- - rule_2_3_6_5
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_2.3.6.5
- - patch
+# - name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled"
+# win_regedit:
+# path: HKLM:\System\Currentcont

Loading…

rolset\Services\Netlogon\Parameters
+# name: disablepasswordchange
+# data: 1
+# type: dword
+# when:
+# - rule_2_3_6_4
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_2.3.6.4
+# - patch
-- name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled"
- win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: RequireStrongKey
- data: 1
- type: dword
- when:
- - rule_2_3_6_6
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_2.3.6.6
- - patch
+# - name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+# name: MaximumPasswordAge
+# data: 30
+# type: dword
+# when:
+# - rule_2_3_6_5
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_2.3.6.5
+# - patch
-- name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: DontDisplayLastUserName
- data: 1
- type: dword
- when: rule_2_3_7_1
- tags:
- -
level1 - - level2 - - rule_2.3.7.1 - - patch +# - name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters +# name: RequireStrongKey +# data: 1 +# type: dword +# when: +# - rule_2_3_6_6 +# - not ansible_windows_domain_role == "Primary domain controller" +# tags: +# - level1 +# - level2 +# - rule_2.3.6.6 +# - patch -- name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DisableCAD - data: 0 - type: dword - when: rule_2_3_7_2 - tags: - - level1 - - level2 - - rule_2.3.7.2 - - patch +# - name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: DontDisplayLastUserName +# data: 1 +# type: dword +# when: rule_2_3_7_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.7.1 +# - patch -- name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: InactivityTimeoutSecs - data: 900 - type: dword - when: rule_2_3_7_3 - tags: - - level1 - - level2 - - rule_2.3.7.3 - - patch +# - name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: DisableCAD +# data: 0 +# type: dword +# when: rule_2_3_7_2 +# tags: +# - level1 +# - level2 +# - rule_2.3.7.2 +# - patch -- name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" - win_regedit: - path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: LegalNoticeText - data: "{{ legalnoticetext }}" - type: string - when: rule_2_3_7_4 - tags: - - level1 - - level2 - - rule_2.3.7.4 - - patch +# - name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: InactivityTimeoutSecs +# data: 900 +# type: dword +# when: rule_2_3_7_3 +# tags: +# - level1 +# - level2 +# - rule_2.3.7.3 +# - patch -- name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: LegalNoticeCaption - data: "{{ legalnoticecaption }}" - type: string - when: rule_2_3_7_5 - tags: - - level1 - - level2 - - rule_2.3.7.5 - - patch +# - name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: LegalNoticeText +# data: "{{ legalnoticetext }}" +# type: string +# when: rule_2_3_7_4 +# tags: +# - level1 +# - level2 +# - rule_2.3.7.4 +# - patch -- name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: cachedlogonscount - data: 1 - type: string - when: rule_2_3_7_6 - tags: - - level2 - - rule_2.3.7.6 - - patch +# - name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: LegalNoticeCaption +# data: "{{ legalnoticecaption }}" +# type: string +# when: rule_2_3_7_5 +# tags: +# - 
level1 +# - level2 +# - rule_2.3.7.5 +# - patch -- name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: PasswordExpiryWarning - data: 14 - type: dword - when: rule_2_3_7_7 - tags: - - level1 - - level2 - - rule_2.3.7.7 - - patch +# - name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon +# name: cachedlogonscount +# data: 1 +# type: string +# when: rule_2_3_7_6 +# tags: +# - level2 +# - rule_2.3.7.6 +# - patch -- name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ForceUnlockLogon - data: 1 - type: dword - when: - - rule_2_3_7_8 - - ansible_windows_domain_role == "Member server" - tags: - - level1 - - level2 - - rule_2.3.7.8 - - patch +# - name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon +# name: PasswordExpiryWarning +# data: 14 +# type: dword +# when: rule_2_3_7_7 +# tags: +# - level1 +# - level2 +# - rule_2.3.7.7 +# - patch -- name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: scremoveoption - data: 1 - type: string - when: rule_2_3_7_9 - tags: - - level1 - - level2 - - rule_2.3.7.9 - - patch +# - name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure 
Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon +# name: ForceUnlockLogon +# data: 1 +# type: dword +# when: +# - rule_2_3_7_8 +# - ansible_windows_domain_role == "Member server" +# tags: +# - level1 +# - level2 +# - rule_2.3.7.8 +# - patch -- name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: RequireSecuritySignature - data: 1 - type: dword - when: rule_2_3_8_1 - tags: - - level1 - - level2 - - rule_2.3.8.1 - - patch +# - name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon +# name: scremoveoption +# data: 1 +# type: string +# when: rule_2_3_7_9 +# tags: +# - level1 +# - level2 +# - rule_2.3.7.9 +# - patch -- name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: EnableSecuritySignature - data: 1 - type: dword - when: rule_2_3_8_2 - tags: - - level1 - - level2 - - rule_2.3.8.2 - - patch +# - name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters +# name: RequireSecuritySignature +# data: 1 +# type: dword +# when: rule_2_3_8_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.8.1 +# - patch -- name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" - win_regedit: - path: 
HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: EnablePlainTextPassword - data: 0 - type: dword - when: rule_2_3_8_3 - tags: - - level1 - - level2 - - rule_2.3.8.3 - - patch +# - name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters +# name: EnableSecuritySignature +# data: 1 +# type: dword +# when: rule_2_3_8_2 +# tags: +# - level1 +# - level2 +# - rule_2.3.8.2 +# - patch -- name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: autodisconnect - data: 15 - type: dword - when: rule_2_3_9_1 - tags: - - level1 - - level2 - - rule_2.3.9.1 - - patch +# - name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters +# name: EnablePlainTextPassword +# data: 0 +# type: dword +# when: rule_2_3_8_3 +# tags: +# - level1 +# - level2 +# - rule_2.3.8.3 +# - patch -- name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: requiresecuritysignature - data: 1 - type: dword - when: rule_2_3_9_2 - tags: - - level1 - - level2 - - rule_2.3.9.2 - - patch +# - name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: autodisconnect +# data: 15 +# type: dword +# when: 
rule_2_3_9_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.9.1 +# - patch -- name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enablesecuritysignature - data: 1 - type: dword - when: rule_2_3_9_3 - tags: - - level1 - - level2 - - rule_2.3.9.3 - - patch +# - name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: requiresecuritysignature +# data: 1 +# type: dword +# when: rule_2_3_9_2 +# tags: +# - level1 +# - level2 +# - rule_2.3.9.2 +# - patch -- name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enableforcedlogoff - data: 1 - type: dword - when: rule_2_3_9_4 - tags: - - level1 - - level2 - - rule_2.3.9.4 - - patch +# - name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: enablesecuritysignature +# data: 1 +# type: dword +# when: rule_2_3_9_3 +# tags: +# - level1 +# - level2 +# - rule_2.3.9.3 +# - patch -- name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: SMBServerNameHardeningLevel - data: 1 - type: dword - when: - - rule_2_3_9_5 - - ansible_windows_domain_role == "Member server" - tags: - - level1 - - level2 - - rule_2.3.9.5 - - patch +# - name: "SCORED | 2.3.9.4 | 
PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: enableforcedlogoff +# data: 1 +# type: dword +# when: rule_2_3_9_4 +# tags: +# - level1 +# - level2 +# - rule_2.3.9.4 +# - patch -- name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled" - win_security_policy: - section: System Access - key: LSAAnonymousNameLookup - value: 0 - when: rule_2_3_10_1 - tags: - - level1 - - level2 - - rule_2.3.10.1 - - patch +# - name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: SMBServerNameHardeningLevel +# data: 1 +# type: dword +# when: +# - rule_2_3_9_5 +# - ansible_windows_domain_role == "Member server" +# tags: +# - level1 +# - level2 +# - rule_2.3.9.5 +# - patch -- name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: RestrictAnonymousSAM - data: 1 - type: dword - when: - - rule_2_3_10_2 - - ansible_windows_domain_role == "Member server" - tags: - - level1 - - level2 - - rule_2.3.10.2 - - patch +# - name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled" +# win_security_policy: +# section: System Access +# key: LSAAnonymousNameLookup +# value: 0 +# when: rule_2_3_10_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.1 +# - patch -- name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - 
name: RestrictAnonymous - data: 1 - type: dword - when: - - rule_2_3_10_3 - - ansible_windows_domain_role == "Member server" - tags: - - level1 - - level2 - - rule_2.3.10.3 - - patch +# - name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: RestrictAnonymousSAM +# data: 1 +# type: dword +# when: +# - rule_2_3_10_2 +# - ansible_windows_domain_role == "Member server" +# tags: +# - level1 +# - level2 +# - rule_2.3.10.2 +# - patch -- name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: DisableDomainCreds - data: 1 - type: dword - when: rule_2_3_10_4 - tags: - - level2 - - rule_2.3.10.4 - - patch +# - name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: RestrictAnonymous +# data: 1 +# type: dword +# when: +# - rule_2_3_10_3 +# - ansible_windows_domain_role == "Member server" +# tags: +# - level1 +# - level2 +# - rule_2.3.10.3 +# - patch -- name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: EveryoneIncludesAnonymous - data: 0 - type: dword - when: rule_2_3_10_5 - tags: - - level1 - - level2 - - rule_2.3.10.5 - - patch +# - name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: DisableDomainCreds +# data: 1 +# type: dword +# when: rule_2_3_10_4 
+# tags: +# - level2 +# - rule_2.3.10.4 +# - patch -- name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionPipes - data: "" - type: multistring - when: - - rule_2_3_10_6 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_2.3.10.6 - - patch +# - name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: EveryoneIncludesAnonymous +# data: 0 +# type: dword +# when: rule_2_3_10_5 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.5 +# - patch -- name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionPipes - data: "" - type: multistring - when: - - rule_2_3_10_7 - - ansible_windows_domain_role == "Member server" - tags: - - level1 - - level2 - - rule_2.3.10.7 - - patch +# - name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: NullSessionPipes +# data: "" +# type: multistring +# when: +# - rule_2_3_10_6 +# - ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_2.3.10.6 +# - patch -- name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths - name: "Machine" - data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] - type: multistring - 
when: rule_2_3_10_8 - tags: - - level1 - - level2 - - rule_2.3.10.8 - - patch +# - name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: NullSessionPipes +# data: "" +# type: multistring +# when: +# - rule_2_3_10_7 +# - ansible_windows_domain_role == "Member server" +# tags: +# - level1 +# - level2 +# - rule_2.3.10.7 +# - patch -- name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths - name: "Machine" - data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] - type: multistring - when: rule_2_3_10_9 - tags: - - level1 - - level2 - - rule_2.3.10.9 - - patch +# - name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths +# name: "Machine" +# data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] +# type: multistring +# when: rule_2_3_10_8 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.8 +# - patch -- name: "SCORED | 2.3.10.10 | PATCH | 
L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: RestrictNullSessAccess - data: 1 - type: dword - when: rule_2_3_10_10 - tags: - - level1 - - level2 - - rule_2.3.10.10 - - patch +# - name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths +# name: "Machine" +# data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] +# type: multistring +# when: rule_2_3_10_9 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.9 +# - patch -- name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa - name: RestrictRemoteSAM - data: "O:BAG:BAD:(A;;RC;;;BA)" - type: string - when: rule_2_3_10_11 - tags: - - level1 - - level2 - - rule_2.3.10.11 - - patch +# - name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: RestrictNullSessAccess +# data: 1 +# type: dword +# when: 
rule_2_3_10_10 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.10 +# - patch + +# - name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" +# win_regedit: +# path: HKLM:\System\CurrentControlSet\Control\Lsa +# name: RestrictRemoteSAM +# data: "O:BAG:BAD:(A;;RC;;;BA)" +# type: string +# when: rule_2_3_10_11 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.11 +# - patch - name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None" win_regedit: diff --git a/tasks/section02.yml b/tasks/section02.yml index f3f9ffe..0f55b3e 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml 
@@ -643,4 +643,930 @@ - level1-domaincontroller - level1-memberserver - rule_2.2.48 - - patch \ No newline at end of file + - patch + +- name: "SCORED | 2.3.1.1 | PATCH | (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)" + win_security_policy: + section: System Access + key: EnableAdminAccount + value: 0 + when: + - rule_2_3_1_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver + - rule_2.3.1.1 + - patch + +- name: "SCORED | 2.3.1.2 | PATCH | (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: NoConnectedUser + data: 3 + type: dword + when: rule_2_3_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.2 + - patch + +- name: "SCORED | 2.3.1.3 | PATCH | (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" + win_security_policy: + section: System Access + key: EnableGuestAccount + value: 0 + when: + - rule_2_3_1_3 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver + - rule_2.3.1.3 + - patch + +- name: "SCORED | 2.3.1.4 | PATCH | (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LimitBlankPasswordUse + data: 1 + type: dword + when: rule_2_3_1_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.4 + - patch + +- name: "SCORED | 2.3.1.5 | PATCH | (L1) Configure 'Accounts: Rename administrator account'" + win_security_policy: + section: System Access + key: newadministratorname + value: GeorgeSharp + when: rule_2_3_1_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.5 + - patch + +- name: "SCORED | 2.3.1.6 | PATCH | (L1) Configure 'Accounts: Rename guest 
account'" + win_security_policy: + section: System Access + key: NewGuestName + value: BobCooper + when: rule_2_3_1_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.6 + - patch + +- name: "SCORED | 2.3.2.1 | PATCH | (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: SCENoApplyLegacyAuditPolicy + data: 1 + type: dword + when: rule_2_3_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.2.1 + - patch + +- name: "SCORED | 2.3.2.2 | PATCH | (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: CrashOnAuditFail + data: 0 + type: dword + when: rule_2_3_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.2.2 + - patch + +- name: "SCORED | 2.3.4.1 | PATCH | (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: AllocateDASD + data: 0 + type: string + when: rule_2_3_4_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.4.1 + - patch + +- name: "SCORED | 2.3.4.2 | PATCH | (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers + name: AddPrinterDrivers + data: 1 + type: dword + when: rule_2_3_4_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.4.2 + - patch + +- name: "SCORED | 2.3.5.1 | PATCH | (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" + win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: SubmitControl + 
data: 0 + type: dword + when: + - rule_2_3_5_1 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_2.3.5.1 + - patch + +- name: "SCORED | 2.3.5.2 | PATCH | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + name: LDAPServerIntegrity + data: 2 + type: dword + when: + - rule_2_3_5_2 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_2.3.5.2 + - patch + +- name: "SCORED | 2.3.5.3 | PATCH | (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + name: RefusePasswordChange + data: 0 + type: dword + when: + - rule_2_3_5_3 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_2.3.5.3 + - patch + +- name: "SCORED | 2.3.6.1 | PATCH | (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireSignOrSeal + data: 1 + type: dword + when: + - rule_2_3_6_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.1 + - patch + +- name: "SCORED | 2.3.6.2 | PATCH | (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: sealsecurechannel + data: 1 + type: dword + when: + - rule_2_3_6_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.2 + - patch + +- name: "SCORED | 2.3.6.3 | PATCH | (L1) Ensure 'Domain member: 
Digitally sign secure channel data (when possible)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: signsecurechannel + data: 1 + type: dword + when: + - rule_2_3_6_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.3 + - patch + +- name: "SCORED | 2.3.6.4 | PATCH | (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: disablepasswordchange + data: 1 + type: dword + when: + - rule_2_3_6_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.4 + - patch + +- name: "SCORED | 2.3.6.5 | PATCH | (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: MaximumPasswordAge + data: 30 + type: dword + when: + - rule_2_3_6_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.5 + - patch + +- name: "SCORED | 2.3.6.6 | PATCH | (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireStrongKey + data: 1 + type: dword + when: + - rule_2_3_6_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.6 + - patch + +- name: "SCORED | 2.3.7.1 | PATCH | (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DontDisplayLastUserName + data: 1 + type: dword + when: rule_2_3_7_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.1 + - patch + +- name: "SCORED | 2.3.7.2 | PATCH | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" + win_regedit: + path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableCAD + data: 0 + type: dword + when: rule_2_3_7_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.2 + - patch + +- name: "SCORED | 2.3.7.3 | PATCH | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: InactivityTimeoutSecs + data: 900 + type: dword + when: rule_2_3_7_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.3 + - patch + +- name: "SCORED | 2.3.7.4 | PATCH | (L1) Configure 'Interactive logon: Message text for users attempting to log on'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeText + data: "{{ legalnoticetext }}" + type: string + when: rule_2_3_7_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.4 + - patch + +- name: "SCORED | 2.3.7.5 | PATCH | (L1) Configure 'Interactive logon: Message title for users attempting to log on'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeCaption + data: "{{ legalnoticecaption }}" + type: string + when: rule_2_3_7_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.5 + - patch + +- name: "SCORED | 2.3.7.6 | PATCH | (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: cachedlogonscount + data: 1 + type: string + when: + - rule_2_3_7_6 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level2-memberserver + - rule_2.3.7.6 + - patch + +- name: "SCORED | 2.3.7.7 | PATCH | (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 
'between 5 and 14 days'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: PasswordExpiryWarning + data: 14 + type: dword + when: rule_2_3_7_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.7 + - patch + +- name: "SCORED | 2.3.7.8 | PATCH | (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ForceUnlockLogon + data: 1 + type: dword + when: + - rule_2_3_7_8 + - ansible_windows_domain_role == "Member server" + tags: + - level1-memberserver + - rule_2.3.7.8 + - patch + +- name: "SCORED | 2.3.7.9 | PATCH | (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: scremoveoption + data: 1 + type: string + when: rule_2_3_7_9 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.9 + - patch + +- name: "SCORED | 2.3.8.1 | PATCH | (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: RequireSecuritySignature + data: 1 + type: dword + when: rule_2_3_8_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.1 + - patch + +- name: "SCORED | 2.3.8.2 | PATCH | (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnableSecuritySignature + data: 1 + type: dword + when: rule_2_3_8_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.2 + - patch + +- name: "SCORED | 2.3.8.3 | PATCH | (L1) Ensure 'Microsoft network client: Send unencrypted password to 
third-party SMB servers' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnablePlainTextPassword + data: 0 + type: dword + when: rule_2_3_8_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.3 + - patch + +- name: "SCORED | 2.3.9.1 | PATCH | (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: autodisconnect + data: 15 + type: dword + when: rule_2_3_9_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.1 + - patch + +- name: "SCORED | 2.3.9.2 | PATCH | (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: requiresecuritysignature + data: 1 + type: dword + when: rule_2_3_9_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.2 + - patch + +- name: "SCORED | 2.3.9.3 | PATCH | (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enablesecuritysignature + data: 1 + type: dword + when: rule_2_3_9_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.3 + - patch + +- name: "SCORED | 2.3.9.4 | PATCH | (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enableforcedlogoff + data: 1 + type: dword + when: rule_2_3_9_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.4 + - patch + +- name: "SCORED | 2.3.9.5 | PATCH | (L1) Ensure 'Microsoft network server: Server SPN target name 
validation level' is set to 'Accept if provided by client' or higher (MS only)" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: SMBServerNameHardeningLevel + data: 1 + type: dword + when: + - rule_2_3_9_5 + - ansible_windows_domain_role == "Member server" + tags: + - level1-memberserver + - rule_2.3.9.5 + - patch + +- name: "SCORED | 2.3.10.1 | PATCH | (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" + win_security_policy: + section: System Access + key: LSAAnonymousNameLookup + value: 0 + when: rule_2_3_10_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.1 + - patch + +- name: "SCORED | 2.3.10.2 | PATCH | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymousSAM + data: 1 + type: dword + when: + - rule_2_3_10_2 + - ansible_windows_domain_role == "Member server" + tags: + - level1-memberserver + - rule_2.3.10.2 + - patch + +- name: "SCORED | 2.3.10.3 | PATCH | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymous + data: 1 + type: dword + when: + - rule_2_3_10_3 + - ansible_windows_domain_role == "Member server" + tags: + - level1-memberserver + - rule_2.3.10.3 + - patch + +- name: "SCORED | 2.3.10.4 | PATCH | (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: DisableDomainCreds + data: 1 + type: dword + when: rule_2_3_10_4 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_2.3.10.4 + - patch + +- name: "SCORED | 2.3.10.5 | PATCH | (L1) Ensure 'Network access: Let Everyone 
permissions apply to anonymous users' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: EveryoneIncludesAnonymous + data: 0 + type: dword + when: rule_2_3_10_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.5 + - patch + +- name: "SCORED | 2.3.10.6 | PATCH | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring + when: + - rule_2_3_10_6 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_2.3.10.6 + - patch + +- name: "SCORED | 2.3.10.7 | PATCH | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring + when: + - rule_2_3_10_7 + - ansible_windows_domain_role == "Member server" + tags: + - level1-memberserver + - rule_2.3.10.7 + - patch + +- name: "SCORED | 2.3.10.8 | PATCH | (L1) Configure 'Network access: Remotely accessible registry paths'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] + type: multistring + when: rule_2_3_10_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.8 + - patch + +- name: "SCORED | 2.3.10.9 | PATCH | (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\Print\Printers', 
'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] + type: multistring + when: rule_2_3_10_9 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.9 + - patch + +- name: "SCORED | 2.3.10.10 | PATCH | (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: RestrictNullSessAccess + data: 1 + type: dword + when: rule_2_3_10_10 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.10 + - patch + +- name: "SCORED | 2.3.10.11 | PATCH | (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" + win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: RestrictRemoteSAM + data: "O:BAG:BAD:(A;;RC;;;BA)" + type: string + when: + - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_10_11 + tags: + - level1-memberserver + - rule_2.3.10.11 + - patch + +- name: "SCORED | 2.3.10.12 | PATCH | (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionShares + data: "" + type: multistring + when: rule_2_3_10_12 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.12 + - patch + +- name: "SCORED | 2.3.10.13 | 
PATCH | (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: ForceGuest + data: 0 + type: dword + when: rule_2_3_10_13 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.13 + - patch + +- name: "SCORED | 2.3.11.1 | PATCH | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: UseMachineId + data: 1 + type: dword + when: rule_2_3_11_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.1 + - patch + +- name: "SCORED | 2.3.11.2 | PATCH | (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: allownullsessionfallback + data: 0 + type: dword + when: rule_2_3_11_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.2 + - patch + +- name: "SCORED | 2.3.11.3 | PATCH | (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U + name: AllowOnlineID + data: 0 + type: dword + when: rule_2_3_11_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.3 + - patch + +- name: "SCORED | 2.3.11.4 | PATCH | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters + name: SupportedEncryptionTypes + data: 2147483644 + type: dword + when: rule_2_3_11_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.4 + - patch + +- name: 
"SCORED | 2.3.11.5 | PATCH | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: NoLMHash + data: 1 + type: dword + when: rule_2_3_11_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.5 + - patch + +- name: "NOTSCORED | 2.3.11.6 | PATCH | (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters + name: EnableForcedLogOff + data: 1 + type: dword + when: rule_2_3_11_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.6 + - patch + +- name: "SCORED | 2.3.11.7 | PATCH | (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LMCompatibilityLevel + data: 5 + type: dword + when: rule_2_3_11_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.7 + - patch + +- name: "SCORED | 2.3.11.8 | PATCH | (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Ldap + name: LDAPClientIntegrity + data: 1 + type: dword + when: rule_2_3_11_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.8 + - patch + +- name: "SCORED | 2.3.11.9 | PATCH | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinClientSec + data: 537395200 + type: dword + when: rule_2_3_11_9 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.9 + - patch + +- name: "SCORED | 2.3.11.10 | 
PATCH | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinServerSec + data: 537395200 + type: dword + when: rule_2_3_11_10 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.10 + - patch + +- name: "SCORED | 2.3.13.1 | PATCH | (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ShutdownWithoutLogon + data: 0 + type: dword + when: rule_2_3_13_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.13.1 + - patch + +- name: "SCORED | 2.3.15.1 | PATCH | (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel + name: ObCaseInsensitive + data: 1 + type: dword + when: rule_2_3_15_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.15.1 + - patch + +- name: "SCORED | 2.3.15.2 | PATCH | (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: ProtectionMode + data: 1 + type: dword + when: rule_2_3_15_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.15.2 + - patch + +- name: "SCORED | 2.3.17.1 | PATCH | (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: FilterAdministratorToken + data: 1 + type: dword + when: rule_2_3_17_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.1 + - patch + +- name: "SCORED | 2.3.17.2 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableUIADesktopToggle + data: 0 + type: dword + when: rule_2_3_17_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.2 + - patch + +- name: "SCORED | 2.3.17.3 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorUser + data: 2 + type: dword + when: rule_2_3_17_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.3 + - patch + +- name: "SCORED | 2.3.17.4 | PATCH | (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableInstallerDetection + data: 1 + type: dword + when: rule_2_3_17_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.4 + - patch + +- name: 
"SCORED | 2.3.17.5 | PATCH | (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableSecureUIAPaths + data: 1 + type: dword + when: rule_2_3_17_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.5 + - patch + +- name: "SCORED | 2.3.17.6 | PATCH | (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableLUA + data: 1 + type: dword + when: rule_2_3_17_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.6 + - patch + +- name: "SCORED | 2.3.17.7 | PATCH | (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: PromptOnSecureDesktop + data: 1 + type: dword + when: rule_2_3_17_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.7 + - patch + +- name: "SCORED | 2.3.17.8 | PATCH | (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableVirtualization + data: 1 + type: dword + when: rule_2_3_17_8 + tags: + - level1 + - level2 + - rule_2.3.17.8 + - patch From 527d34e6f05d3070b6e58a2c00110727257d29f6 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 1 Feb 2021 13:03:31 -0500 Subject: [PATCH 05/12] updated all section 17 to version 1.20 
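Review bot: Task 2.3.6.4 writes `disablepasswordchange` with `data: 1`, which switches machine account password changes off, while the rule title requires the policy to be 'Disabled', i.e. `data: 0`; as committed the rule stops the computer account password from rotating rather than guaranteeing that it does. The 2.3.17 block is also internally inconsistent: 2.3.17.2 is titled as the administrator elevation-prompt rule but writes `EnableUIADesktopToggle`, `ConsentPromptBehaviorAdmin` is not set anywhere in the hunk, and 2.3.17.3's `data: 2` is not the 'Automatically deny elevation requests' value for `ConsentPromptBehaviorUser` (that is 0) — together with `rule_2_3_17_9` being dropped from defaults/main.yml in the next hunk this suggests one UAC rule was lost in the renumbering. Tasks 2.3.1.5 and 2.3.1.6 hard-code `value: GeorgeSharp` and `value: BobCooper` as the renamed Administrator and Guest account names; names committed to the repository and applied fleet-wide give the rename little value, so follow the pattern already used for `legalnoticetext` and take them from role variables, e.g. `value: "{{ newadministratorname }}"`. Finally, 2.3.17.8 is tagged `level1`/`level2` instead of the `level1-domaincontroller`/`level1-memberserver` tags every other task in the hunk uses, so a tag-filtered run would skip it.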
Signed-off-by: George Nalen --- defaults/main.yml | 7 +- tasks/old_section02.yml | 620 +++++----- tasks/old_section17.yml | 765 ++++++++++++ tasks/old_section18.yml | 2553 +++++++++++++++++++++++++++++++++++++++ tasks/section17.yml | 952 +++++++-------- 5 files changed, 4100 insertions(+), 797 deletions(-) create mode 100644 tasks/old_section17.yml create mode 100644 tasks/old_section18.yml diff --git a/defaults/main.yml b/defaults/main.yml index bf26961..e8fda71 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -175,10 +175,11 @@ rule_2_3_17_5: true rule_2_3_17_6: true rule_2_3_17_7: true rule_2_3_17_8: true -rule_2_3_17_9: true # section17 rule_17_1_1: true +rule_17_1_2: true +rule_17_1_3: true rule_17_2_1: true rule_17_2_2: true rule_17_2_3: true @@ -197,9 +198,13 @@ rule_17_5_5: true rule_17_5_6: true rule_17_6_1: true rule_17_6_2: true +rule_17_6_3: true +rule_17_6_4: true rule_17_7_1: true rule_17_7_2: true rule_17_7_3: true +rule_17_7_4: true +rule_17_7_5: true rule_17_8_1: true rule_17_9_1: true rule_17_9_2: true diff --git a/tasks/old_section02.yml b/tasks/old_section02.yml index 41c700a..c9ad642 100644 --- a/tasks/old_section02.yml +++ b/tasks/old_section02.yml 
@@ -1236,316 +1236,314 @@ # - rule_2.3.10.11 # - patch -- name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionShares - data: "" - type: multistring - when: rule_2_3_10_12 - tags: - - level1 - - level2 - - rule_2.3.10.12 - - patch - -- name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: ForceGuest - data: 0 - type: dword - when: rule_2_3_10_13 - tags: - - level1 - - level2 - - rule_2.3.10.13 - - patch - -- name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: UseMachineId - data: 1 - type: dword - when: rule_2_3_11_1 - tags: - - level1 - - level2 - - rule_2.3.11.1 - - patch - -- name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: allownullsessionfallback - data: 0 - type: dword - when: rule_2_3_11_2 - tags: - - level1 - - level2 - - rule_2.3.11.2 - - patch - -- name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U - name: AllowOnlineID - data: 0 - type: dword - when: rule_2_3_11_3 - tags: - - level1 - - level2 - - rule_2.3.11.3 - - patch - -- name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" - win_regedit: - 
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters - name: SupportedEncryptionTypes - data: 2147483644 - type: dword - when: rule_2_3_11_4 - tags: - - level1 - - level2 - - rule_2.3.11.4 - - patch - -- name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: NoLMHash - data: 1 - type: dword - when: rule_2_3_11_5 - tags: - - level1 - - level2 - - rule_2.3.11.5 - - patch - -- name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters - name: EnableForcedLogOff - data: 1 - type: dword - when: rule_2_3_11_6 - tags: - - level1 - - level2 - - rule_2.3.11.6 - - patch - -- name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. 
Refuse LM NTLM" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: LMCompatibilityLevel - data: 5 - type: dword - when: rule_2_3_11_7 - tags: - - level1 - - level2 - - rule_2.3.11.7 - - patch - -- name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Ldap - name: LDAPClientIntegrity - data: 1 - type: dword - when: rule_2_3_11_8 - tags: - - level1 - - level2 - - rule_2.3.11.8 - - patch - -- name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinClientSec - data: 537395200 - type: dword - when: rule_2_3_11_9 - tags: - - level1 - - level2 - - rule_2.3.11.9 - - patch - -- name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinServerSec - data: 537395200 - type: dword - when: rule_2_3_11_10 - tags: - - level1 - - level2 - - rule_2.3.11.10 - - patch - -- name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ShutdownWithoutLogon - data: 0 - type: dword - when: rule_2_3_13_1 - tags: - - level1 - - level2 - - rule_2.3.13.1 - - patch - -- name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel - name: ObCaseInsensitive 
- data: 1 - type: dword - when: rule_2_3_15_1 - tags: - - level1 - - level2 - - rule_2.3.15.1 - - patch - -- name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: ProtectionMode - data: 1 - type: dword - when: rule_2_3_15_2 - tags: - - level1 - - level2 - - rule_2.3.15.2 - - patch - -- name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: FilterAdministratorToken - data: 1 - type: dword - when: rule_2_3_17_1 - tags: - - level1 - - level2 - - rule_2.3.17.1 - - patch - -- name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableUIADesktopToggle - data: 0 - type: dword - when: rule_2_3_17_2 - tags: - - level1 - - level2 - - rule_2.3.17.2 - - patch - -- name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorAdmin - data: 2 - type: dword - when: rule_2_3_17_3 - tags: - - level1 - - level2 - - rule_2.3.17.3 - - patch - -- name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorUser - data: 0 - type: 
dword - when: rule_2_3_17_4 - tags: - - level1 - - level2 - - rule_2.3.17.4 - - patch - -- name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableInstallerDetection - data: 1 - type: dword - when: rule_2_3_17_5 - tags: - - level1 - - level2 - - rule_2.3.17.5 - - patch - -- name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableSecureUIAPaths - data: 1 - type: dword - when: rule_2_3_17_6 - tags: - - level1 - - level2 - - rule_2.3.17.6 - - patch - -- name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableLUA - data: 1 - type: dword - when: rule_2_3_17_7 - tags: - - level1 - - level2 - - rule_2.3.17.7 - - patch - -- name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: PromptOnSecureDesktop - data: 1 - type: dword - when: rule_2_3_17_8 - tags: - - level1 - - level2 - - rule_2.3.17.8 - - patch - -- name: "SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableVirtualization - data: 1 - type: dword - when: rule_2_3_17_9 - tags: - - level1 - - level2 - - rule_2.3.17.9 - - patch +# - name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access 
Shares that can be accessed anonymously is set to None" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters +# name: NullSessionShares +# data: "" +# type: multistring +# when: rule_2_3_10_12 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.12 +# - patch + +# - name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: ForceGuest +# data: 0 +# type: dword +# when: rule_2_3_10_13 +# tags: +# - level1 +# - level2 +# - rule_2.3.10.13 +# - patch + +# - name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: UseMachineId +# data: 1 +# type: dword +# when: rule_2_3_11_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.1 +# - patch + +# - name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 +# name: allownullsessionfallback +# data: 0 +# type: dword +# when: rule_2_3_11_2 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.2 +# - patch + +# - name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U +# name: AllowOnlineID +# data: 0 +# type: dword +# when: rule_2_3_11_3 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.3 +# - patch + +# - name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" +# win_regedit: +# path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters +# name: SupportedEncryptionTypes +# data: 2147483644 +# type: dword +# when: rule_2_3_11_4 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.4 +# - patch + +# - name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: NoLMHash +# data: 1 +# type: dword +# when: rule_2_3_11_5 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.5 +# - patch + +# - name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled" +# win_regedit: +# path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters +# name: EnableForcedLogOff +# data: 1 +# type: dword +# when: rule_2_3_11_6 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.6 +# - patch + +# - name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. 
Refuse LM NTLM" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa +# name: LMCompatibilityLevel +# data: 5 +# type: dword +# when: rule_2_3_11_7 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.7 +# - patch + +# - name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Ldap +# name: LDAPClientIntegrity +# data: 1 +# type: dword +# when: rule_2_3_11_8 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.8 +# - patch + +# - name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 +# name: NTLMMinClientSec +# data: 537395200 +# type: dword +# when: rule_2_3_11_9 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.9 +# - patch + +# - name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 +# name: NTLMMinServerSec +# data: 537395200 +# type: dword +# when: rule_2_3_11_10 +# tags: +# - level1 +# - level2 +# - rule_2.3.11.10 +# - patch + +# - name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: ShutdownWithoutLogon +# data: 0 +# type: dword +# when: rule_2_3_13_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.13.1 +# - patch + +# - name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" +# win_regedit: +# path: 
HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel +# name: ObCaseInsensitive +# data: 1 +# type: dword +# when: rule_2_3_15_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.15.1 +# - patch + +# - name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Session Manager +# name: ProtectionMode +# data: 1 +# type: dword +# when: rule_2_3_15_2 +# tags: +# - level1 +# - level2 +# - rule_2.3.15.2 +# - patch + +# - name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: FilterAdministratorToken +# data: 1 +# type: dword +# when: rule_2_3_17_1 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.1 +# - patch + +# - name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: EnableUIADesktopToggle +# data: 0 +# type: dword +# when: rule_2_3_17_2 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.2 +# - patch + +# - name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: ConsentPromptBehaviorAdmin +# data: 2 +# type: dword +# when: rule_2_3_17_3 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.3 +# - patch + +# - name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny 
elevation requests" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: ConsentPromptBehaviorUser +# data: 0 +# type: dword +# when: rule_2_3_17_4 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.4 +# - patch + +# - name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: EnableInstallerDetection +# data: 1 +# type: dword +# when: rule_2_3_17_5 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.5 +# - patch + +# - name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: EnableSecureUIAPaths +# data: 1 +# type: dword +# when: rule_2_3_17_6 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.6 +# - patch +# - name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: EnableLUA +# data: 1 +# type: dword +# when: rule_2_3_17_7 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.7 +# - patch +# - name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: PromptOnSecureDesktop +# data: 1 +# type: dword +# when: rule_2_3_17_8 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.8 +# - patch + +# - name: "SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" +# win_regedit: +# path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: EnableVirtualization +# data: 1 +# type: dword +# when: rule_2_3_17_9 +# tags: +# - level1 +# - level2 +# - rule_2.3.17.9 +# - patch diff --git a/tasks/old_section17.yml b/tasks/old_section17.yml new file mode 100644 index 0000000..ab2d25b --- /dev/null +++ b/tasks/old_section17.yml 
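Review bot: The new side of this hunk leaves tasks/old_section02.yml as a file consisting entirely of commented-out tasks, from `# - name: "SCORED | 2.3.10.12 ...` down to the final `# - patch`, which is dead text that linters ignore and that will silently drift from the live tasks/section02.yml. Git history already preserves the old mapping, so deleting the file is the cleaner option; if it must stay as a porting reference, a header such as `# Reference copy of the pre-renumbering section 2 tasks; intentionally all commented out and not meant to be included` should say so, and the file should not appear in any include list. The blank separator line between the commented 2.3.17.6 and 2.3.17.7 blocks, and between 2.3.17.7 and 2.3.17.8, was also lost while every other block keeps it. If this text is used as the source for porting, note that the commented 2.3.17.2 entry carries the same title as 2.3.17.3 while its key is `EnableUIADesktopToggle`, a title/key mismatch that should not be carried into the renumbered section.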
@@ -0,0 +1,765 @@ +--- +- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_1_audit + changed_when: no + ignore_errors: yes + when: rule_17_1_1 + tags: + - level1 + - level2 + - rule_17.1.1 + - audit + +- name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure" + block: + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable + when: "'Success' not in rule_17_1_1_audit.stdout" + changed_when: "'Success' not in rule_17_1_1_audit.stdout" + + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable + when: "'Failure' not in rule_17_1_1_audit.stdout" + changed_when: "'Failure' not in rule_17_1_1_audit.stdout" + when: + - rule_17_1_1 + - rule_17_1_1_audit is defined + - ansible_windows_domain_role == "Primary domain controller" + - "'Success' not in rule_17_1_1_audit.stdout" + tags: + - level1 + - level2 + - rule_17.1.1 + - patch + +- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_1_audit + changed_when: no + ignore_errors: yes + when: rule_17_2_1 + tags: + - level1 + - level2 + - rule_17.2.1 + - audit + +- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure" + block: + - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" 
+ win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_1_audit.stdout" + changed_when: "'Success' not in rule_17_2_1_audit.stdout" + + - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable + when: "'Failure' not in rule_17_2_1_audit.stdout" + changed_when: "'Failure' not in rule_17_2_1_audit.stdout" + when: + - rule_17_2_1 + - rule_17_2_1_audit is defined + - ansible_windows_domain_role == "Primary domain controller" + - "'Success' not in rule_17_2_1_audit.stdout" + tags: + - level1 + - level2 + - rule_17.2.1 + - patch + +- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_2_audit + changed_when: no + ignore_errors: yes + when: + - rule_17_2_2 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_17.2.2 + - audit + +- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to Success and Failure" + win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + when: + - rule_17_2_2 + - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_2_audit is defined + - "'Success' not in rule_17_2_2_audit.stdout" + changed_when: "'Success' not in rule_17_2_2_audit.stdout" + tags: + - level1 + - level2 + - rule_17.2.2 + - patch + +- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only" + win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_3_audit + changed_when: no + 
ignore_errors: yes + when: + - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_3 + tags: + - rule_17.2.3 + - audit + +- name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only" + win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + when: + - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_3 + - rule_17_2_3_audit is defined + - "'Success' not in rule_17_2_3_audit.stdout" + changed_when: "'Success' not in rule_17_2_3_audit.stdout" + tags: + - rule_17.2.3 + - patch + +- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_4_audit + changed_when: no + ignore_errors: yes + when: rule_17_2_4 + tags: + - level1 + - level2 + - rule_17.2.4 + - audit + +- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to Success and Failure" + win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + when: + - rule_17_2_4 + - rule_17_2_4_audit is defined + - ansible_windows_domain_role == "Primary domain controller" + - "'Success' not in rule_17_2_4_audit.stdout" + changed_when: "'Success' not in rule_17_2_4_audit.stdout" + tags: + - level1 + - level2 + - rule_17.2.4 + - patch + +- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_5_audit + changed_when: no + ignore_errors: yes + when: rule_17_2_5 + tags: + - level1 + - level2 + - rule_17.2.5 + - audit + +- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to Success and 
Failure" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: + - rule_17_2_5 + - rule_17_2_5_audit is defined + - "'Success' not in rule_17_2_5_audit.stdout" + tags: + - level1 + - level2 + - rule_17.2.5 + - patch + +- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_6_audit + changed_when: no + ignore_errors: yes + when: rule_17_2_6 + tags: + - level1 + - level2 + - rule_17.2.6 + - audit + +- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure" + block: + - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable + when: "'Success' not in rule_17_2_6_audit.stdout" + changed_when: "'Success' not in rule_17_2_6_audit.stdout" + + - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable + when: "'Failure' not in rule_17_2_6_audit.stdout" + changed_when: "'Failure' not in rule_17_2_6_audit.stdout" + when: + - rule_17_2_6 + - rule_17_2_6_audit is defined + tags: + - level1 + - level2 + - rule_17.2.6 + - patch + +- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to Success" + win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_3_1_audit + changed_when: no + ignore_errors: yes + when: rule_17_3_1 + tags: + - level1 + - level2 + - rule_17.3.1 + - audit + +- name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to Success" + win_shell: AuditPol /set /subcategory:"Plug and Play 
Events" /success:enable + changed_when: "'Success' not in rule_17_3_1_audit.stdout" + when: + - rule_17_3_1 + - rule_17_3_1_audit is defined + - "'Success' not in rule_17_3_1_audit.stdout" + tags: + - level1 + - level2 + - rule_17.3.1 + - patch + +- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to Success" + win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_3_2_audit + changed_when: no + ignore_errors: yes + when: rule_17_3_2 + tags: + - level1 + - level2 + - rule_17.3.2 + - audit + +- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to Success" + win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable + changed_when: "'Success' not in rule_17_3_2_audit.stdout" + when: + - rule_17_3_2 + - rule_17_3_2_audit is defined + - "'Success' not in rule_17_3_2_audit.stdout" + tags: + - level1 + - level2 + - rule_17.3.2 + - patch + +- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" + win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_4_1_audit + changed_when: no + ignore_errors: yes + when: rule_17_4_1 + tags: + - rule_17.4.1 + - audit + +- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" + win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable + changed_when: "'Success' not in rule_17_4_1_audit.stdout" + when: + - rule_17_4_1 + - rule_17_4_1_audit is defined + - "'Success' not in rule_17_4_1_audit.stdout" + tags: + - rule_17.4.1 + - patch + +- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" + win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand 
"Inclusion Setting" + register: rule_17_4_2_audit + changed_when: no + ignore_errors: yes + when: + - rule_17_4_2 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_17.4.2 + - audit + +- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" + win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable + changed_when: "'Success' not in rule_17_4_2_audit.stdout" + when: + - rule_17_4_2 + - ansible_windows_domain_role == "Primary domain controller" + - rule_17_4_2_audit is defined + - "'Success' not in rule_17_4_2_audit.stdout" + tags: + - rule_17.4.2 + - patch + +- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_1_audit + changed_when: no + ignore_errors: yes + when: rule_17_5_1 + tags: + - level1 + - level2 + - rule_17.5.1 + - audit + +- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to Success and Failure" + win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable + changed_when: "'Failure' not in rule_17_5_1_audit.stdout" + when: + - rule_17_5_1 + - rule_17_5_1_audit is defined + - "'Failure' not in rule_17_5_1_audit.stdout" + tags: + - level1 + - level2 + - rule_17.5.1 + - patch + +- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to Success" + win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_2_audit + changed_when: no + ignore_errors: yes + when: rule_17_5_2 + tags: + - level1 + - level2 + - rule_17.5.2 + - audit + +- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to Success" + win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable + changed_when: "'Success' not 
in wn19_au_000170_audit.stdout" + when: + - rule_17_5_2 + - wn19_au_000170_audit is defined + - "'Success' not in wn19_au_000170_audit.stdout" + tags: + - level1 + - level2 + - rule_17.5.2 + - patch + +- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to Success" + win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_3_audit + changed_when: no + ignore_errors: yes + when: rule_17_5_3 + tags: + - level1 + - level2 + - rule_17.5.3 + - audit + +- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to Success" + win_shell: AuditPol /set /subcategory:"Logoff" /success:enable + changed_when: "'Success' not in rule_17_5_3_audit.stdout" + when: + - rule_17_5_3 + - rule_17_5_3_audit is defined + - "'Success' not in rule_17_5_3_audit.stdout" + tags: + - level1 + - level2 + - rule_17.5.3 + - patch + +- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" + win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_4_audit + changed_when: no + ignore_errors: yes + when: rule_17_5_4 + tags: + - level1 + - level2 + - rule_17.5.4 + - audit + +- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure" + block: + - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Logon" /success:enable + changed_when: "'Success' not in rule_17_5_4_audit.stdout" + when: + - rule_17_5_4_audit is defined + - "'Failure' not in rule_17_5_4_audit.stdout" + + - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Logon" /failure:enable + changed_when: "'Failure' not in rule_17_5_4_audit.stdout" + when: + - rule_17_5_4_audit is defined + - "'Failure' not in rule_17_5_4_audit.stdout" + when: 
rule_17_5_4
+ tags:
+ - level1
+ - level2
+ - rule_17.5.4
+ - patch
+
+- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_5_audit
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - rule_17_5_5
+ tags:
+ - level1
+ - level2
+ - rule_17.5.5
+ - audit
+
+- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
+ changed_when: "'Success' not in rule_17_5_5_audit.stdout"
+ when:
+ - rule_17_5_5_audit is defined
+ - "'Success' not in rule_17_5_5_audit.stdout"
+
+ - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
+ changed_when: "'Failure' not in rule_17_5_5_audit.stdout"
+ when:
+ - rule_17_5_5_audit is defined
+ - "'Failure' not in rule_17_5_5_audit.stdout"
+ when:
+ - rule_17_5_5
+ tags:
+ - level1
+ - level2
+ - rule_17.5.5
+ - patch
+
+- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to Success"
+ win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_6_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_5_6
+ tags:
+ - level1
+ - level2
+ - rule_17.5.6
+ - audit
+
+- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to Success"
+ win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
+ changed_when: "'Success' not in rule_17_5_6_audit.stdout"
+ when:
+ - rule_17_5_6
+ - rule_17_5_6_audit is defined
+ - 
"'Success' not in rule_17_5_6_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.5.6
+ - patch
+
+- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure"
+ win_audit_policy_system:
+ subcategory: Other Object Access Events
+ audit_type: success, failure
+ when: rule_17_6_1
+ tags:
+ - level1
+ - level2
+ - rule_17.6.1
+ - patch
+
+- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_6_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_6_2
+ tags:
+ - level1
+ - level2
+ - rule_17.6.2
+ - audit
+
+- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
+ changed_when: "'Success' not in rule_17_6_2_audit.stdout"
+ when:
+ - rule_17_6_2
+ - rule_17_6_2_audit is defined
+ - "'Success' not in rule_17_6_2_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.6.2
+ - patch
+
+- name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_7_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_7_1
+ tags:
+ - level1
+ - level2
+ - rule_17.7.1
+ - audit
+
+- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
+ changed_when: "'Success' not in rule_17_7_1_audit.stdout"
+ when:
+ - rule_17_7_1
+ - rule_17_7_1_audit is defined
+ - "'Success' not in rule_17_7_1_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.7.1
+ - patch
+
+- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit 
Authentication Policy Change is set to Success"
+ win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_7_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_7_2
+ tags:
+ - level1
+ - level2
+ - rule_17.7.2
+ - audit
+
+- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to Success"
+ win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
+ changed_when: "'Success' not in rule_17_7_2_audit.stdout"
+ when:
+ - rule_17_7_2
+ - rule_17_7_2_audit is defined
+ - "'Success' not in rule_17_7_2_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.7.2
+ - patch
+
+- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to Success"
+ win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_7_3_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_7_3
+ tags:
+ - level1
+ - level2
+ - rule_17.7.3
+ - audit
+
+- name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to Success"
+ win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
+ changed_when: "'Success' not in rule_17_7_3_audit.stdout"
+ when:
+ - rule_17_7_3
+ - rule_17_7_3_audit is defined
+ - "'Success' not in rule_17_7_3_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.7.3
+ - patch
+
+- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_8_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_8_1
+ tags:
+ - level1
+ - level2
+ - rule_17.8.1
+ - audit
+
+- name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is 
set to Success and Failure"
+ block:
+ - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
+ changed_when: "'Success' not in rule_17_8_1_audit.stdout"
+ when:
+ - rule_17_8_1_audit is defined
+ - "'Success' not in rule_17_8_1_audit.stdout"
+
+ - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
+ changed_when: "'Failure' not in rule_17_8_1_audit.stdout"
+ when:
+ - rule_17_8_1_audit is defined
+ - "'Failure' not in rule_17_8_1_audit.stdout"
+
+ when: rule_17_8_1
+ tags:
+ - level1
+ - level2
+ - rule_17.8.1
+ - patch
+
+- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_1
+ tags:
+ - level1
+ - level2
+ - rule_17.9.1
+ - audit
+
+- name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
+ changed_when: "'Success' not in rule_17_9_1_audit.stdout"
+ when:
+ - rule_17_9_1_audit is defined
+ - "'Success' not in rule_17_9_1_audit.stdout"
+ - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_1_audit.stdout"
+ when:
+ - rule_17_9_1_audit is defined
+ - "'Failure' not in rule_17_9_1_audit.stdout"
+
+ when: rule_17_9_1
+ tags:
+ - level1
+ - level2
+ - 
rule_17.9.1
+ - patch
+
+- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_2
+ tags:
+ - level1
+ - level2
+ - rule_17.9.2
+ - audit
+
+- name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
+ changed_when: "'Success' not in rule_17_9_2_audit.stdout"
+ when:
+ - rule_17_9_2_audit is defined
+ - "'Success' not in rule_17_9_2_audit.stdout"
+ - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_2_audit.stdout"
+ when:
+ - rule_17_9_2_audit is defined
+ - "'Failure' not in rule_17_9_2_audit.stdout"
+ when: rule_17_9_2
+ tags:
+ - level1
+ - level2
+ - rule_17.9.2
+ - patch
+
+- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to Success"
+ win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_3_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_3
+ tags:
+ - level1
+ - level2
+ - rule_17.9.3
+ - audit
+
+- name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to Success"
+ win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
+ changed_when: "'Success' not in rule_17_9_3_audit.stdout"
+ when:
+ - rule_17_9_3
+ - rule_17_9_3_audit is defined
+ - "'Success' not in rule_17_9_3_audit.stdout"
+ tags:
+ - 
level1
+ - level2
+ - rule_17.9.3
+ - patch
+
+- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_4_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_4
+ tags:
+ - level1
+ - level2
+ - rule_17.9.4
+ - audit
+
+- name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
+ changed_when: "'Success' not in rule_17_9_4_audit.stdout"
+ when:
+ - rule_17_9_4
+ - rule_17_9_4_audit is defined
+ - "'Success' not in rule_17_9_4_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.9.4
+ - patch
+
+- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_5_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_5
+ tags:
+ - level1
+ - level2
+ - rule_17.9.5
+ - audit
+
+- name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
+ changed_when: "'Success' not in rule_17_9_5_audit.stdout"
+ when:
+ - rule_17_9_5_audit is defined
+ - "'Success' not in rule_17_9_5_audit.stdout"
+
+ - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
+ when:
+ - rule_17_9_5_audit is defined
+ - "'Failure' not in 
rule_17_9_5_audit.stdout"
+ when: rule_17_9_5
+ tags:
+ - level1
+ - level2
+ - rule_17.9.5
+ - patch
+
diff --git a/tasks/old_section18.yml b/tasks/old_section18.yml
new file mode 100644
index 0000000..98a58e8
--- /dev/null
+++ b/tasks/old_section18.yml
@@ -0,0 +1,2553 @@
+---
+#one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server"
+- name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
+ name: NoLockScreenCamera
+ data: 1
+ type: dword
+ when: rule_18_1_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.1.1.1
+ - patch
+
+- name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
+ name: NoLockScreenSlideshow
+ data: 1
+ type: dword
+ when: rule_18_1_1_2
+ tags:
+ - level1
+ - level2
+ - rule_18.1.1.2
+ - patch
+
+- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow input personalization is set to Disabled"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_1_2_2
+ tags:
+ - level1
+ - level2
+ - rule_18.1.2.2
+ - audit
+
+- name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow input personalization is set to Disabled"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_1_2_2
+ tags:
+ - level1
+ - level2
+ - rule_18.1.2.2
+ - patch
+
+- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_1_3
+ tags:
+ - level2
+ - rule_18.1.3
+ - audit
+
+- name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_1_3
+ tags:
+ - level2
+ - rule_18.1.3
+ - patch
+
+- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_2_1 
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.1
+ - audit
+
+- name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_2_1
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.1
+ - patch
+
+- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_2_2
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.2
+ - audit
+
+- name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_2_2
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.2
+ - patch
+
+- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_2_3
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.3
+ - audit
+
+- name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_2_3
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.3
+ - patch
+
+- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
+ command: "echo true"
+ 
register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_2_4
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.4
+ - audit
+
+- name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_2_4
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.4
+ - patch
+
+- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_2_5
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.5
+ - audit
+
+- name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_2_5
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.5
+ - patch
+
+- name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_2_6
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.6
+ - audit
+
+- name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_2_6
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.2.6
+ - patch
+
+- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC 
restrictions to local accounts on network logons is set to Enabled MS only"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_3_1
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.3.1
+ - audit
+
+- name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_3_1
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.3.1
+ - patch
+
+- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_3_2
+ tags:
+ - level1
+ - level2
+ - rule_18.3.2
+ - audit
+
+- name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_3_2
+ tags:
+ - level1
+ - level2
+ - rule_18.3.2
+ - patch
+
+- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
+ name: SMB1
+ data: 0
+ type: dword
+ state: present
+ notify: reboot_windows
+ when: rule_18_3_3
+ tags:
+ - level1
+ - level2
+ - rule_18.3.3
+ - patch
+
+- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
+ name: DisableExceptionChainValidation
+ data: 1
+ type: dword
+ state: present
+ when: rule_18_3_4
+ tags:
+ - level1
+ - level2
+ - rule_18.3.4
+ - patch
+
+- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted 
Applications is set to Enabled"
+ command: "echo true"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - is_implemented
+ - rule_18_3_5
+ tags:
+ - level1
+ - level2
+ - rule_18.3.5
+ - audit
+
+- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled"
+ command: "echo true"
+ when:
+ - is_implemented
+ - rule_18_3_5
+ tags:
+ - level1
+ - level2
+ - rule_18.3.5
+ - patch
+
+- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
+ state: present
+ value: UseLogonCredential
+ data: 0
+ datatype: dword
+ when: rule_18_3_6
+ tags:
+ - level1
+ - level2
+ - rule_18.3.6
+ - patch
+
+- name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+ state: present
+ value: AutoAdminLogon
+ data: 0
+ datatype: dword
+ when: rule_18_4_1
+ tags:
+ - level1
+ - level2
+ - rule_18.4.1
+ - patch
+
+- name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
+ state: present
+ value: DisableIPSourceRouting
+ data: 2
+ datatype: dword
+ when: rule_18_4_2
+ tags:
+ - level1
+ - level2
+ - rule_18.4.2
+ - patch
+
+- name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
+ state: present
+ value: DisableIPSourceRouting
+ data: 2
+ datatype: dword
+ 
when: rule_18_4_3
+ tags:
+ - level1
+ - level2
+ - rule_18.4.3
+ - patch
+
+- name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
+ state: present
+ value: EnableICMPRedirect
+ data: 0
+ datatype: dword
+ when: rule_18_4_4
+ tags:
+ - level1
+ - level2
+ - rule_18.4.4
+ - patch
+
+- name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
+ state: present
+ value: KeepAliveTime
+ data: 300000
+ datatype: dword
+ when: rule_18_4_5
+ tags:
+ - level2
+ - rule_18.4.5
+ - patch
+
+- name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
+ state: present
+ name: NoNameReleaseOnDemand
+ data: 1
+ type: dword
+ when: rule_18_4_6
+ tags:
+ - level1
+ - level2
+ - rule_18.4.6
+ - patch
+
+- name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
+ state: present
+ name: PerformRouterDiscovery
+ data: 0
+ type: dword
+ when: rule_18_4_7
+ tags:
+ - level2
+ - rule_18.4.7
+ - patch
+
+- name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Session Manager
+ name: SafeDllSearchMode
+ data: 1
+ type: dword
+ state: present
+ when: rule_18_4_8
+ tags:
+ - level1
+ - level2
+ - rule_18.4.8
+ - patch
+
+- name: 
"SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ name: ScreenSaverGracePeriod
+ data: 5
+ type: string
+ state: present
+ when: rule_18_4_9
+ tags:
+ - level1
+ - level2
+ - rule_18.4.9
+ - patch
+
+- name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters
+ name: TcpMaxDataRetransmissions
+ data: 3
+ type: dword
+ when: rule_18_4_10
+ tags:
+ - level2
+ - rule_18.4.10
+ - patch
+
+- name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
+ name: TcpMaxDataRetransmissions
+ data: 3
+ type: dword
+ when: rule_18_4_11
+ tags:
+ - level2
+ - rule_18.4.11
+ - patch
+
+- name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
+ name: WarningLevel
+ data: 90
+ type: dword
+ when: rule_18_4_12
+ tags:
+ - level1
+ - level2
+ - rule_18.4.12
+ - patch
+
+
+- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only"
+ win_regedit:
+ path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters
+ name: NodeType
+ data: 2
+ type: dword
+ when:
+ - rule_18_5_4_1
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.5.4.1
+ - patch
+
+- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off 
multicast name resolution is set to Enabled MS Only"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
+ name: EnableMulticast
+ data: 0
+ type: dword
+ when:
+ - rule_18_5_4_2
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.5.4.2
+ - patch
+
+- name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ name: EnableFontProviders
+ data: 0
+ type: dword
+ when: rule_18_5_5_1
+ tags:
+ - level2
+ - rule_18.5.5.1
+ - patch
+
+- name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation
+ name: AllowInsecureGuestAuth
+ data: 0
+ type: dword
+ when: rule_18_5_8_1
+ tags:
+ - level1
+ - level2
+ - rule_18.5.8.1
+ - patch
+
+- name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled"
+ block:
+ - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: AllowLLTDIOOndomain
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: AllowLLTDIOOnPublicNet
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: EnableLLTDIO
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: 
ProhibitLLTDIOOnPrivateNet
+ data: 0
+ type: dword
+ when: rule_18_5_9_1
+ tags:
+ - level2
+ - rule_18.5.9.1
+ - patch
+
+- name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled"
+ block:
+ - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: AllowRspndrOnDomain
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: AllowRspndrOnPublicNet
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: EnableRspndr
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
+ name: ProhibitRspndrOnPrivateNet
+ data: 0
+ type: dword
+ when: rule_18_5_9_2
+ tags:
+ - level2
+ - rule_18.5.9.2
+ - patch
+
+- name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Peernet
+ name: Disabled
+ data: 1
+ type: dword
+ when: rule_18_5_10_2
+ tags:
+ - level2
+ - rule_18.5.10.2
+ - patch
+
+- name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
+ name: NC_AllowNetBridge_NLA
+ data: 0
+ type: dword
+ when: rule_18_5_11_2
+ tags:
+ - level1
+ - level2
+ - rule_18.5.11.2
+ - patch
+
+- name: "SCORED | 18.5.11.3 | 
PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
+ name: NC_ShowSharedAccessUI
+ data: 0
+ type: dword
+ when: rule_18_5_11_3
+ tags:
+ - level1
+ - level2
+ - rule_18.5.11.3
+ - patch
+
+- name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
+ name: NC_StdDomainUserSetLocation
+ data: 1
+ type: dword
+ when: rule_18_5_11_4
+ tags:
+ - level1
+ - level2
+ - rule_18.5.11.4
+ - patch
+
+- name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares"
+ block:
+ - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
+ name: "\\\\*\\NETLOGON"
+ data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+ type: string
+ - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
+ name: "\\\\*\\SYSVOL"
+ data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+ type: string
+ when: rule_18_5_14_1
+ tags:
+ - level1
+ - level2
+ - rule_18.5.14.1
+ - patch
+
+- name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
+ win_regedit:
+ path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters
+ name: DisabledComponents
+ data: 255
+ type: dword
+ when: rule_18_5_19_2_1
+ tags:
+ - 
level2 + - rule_18.5.19.2.1 + - patch + +- name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" + block: + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: EnableRegistrars + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableUPnPRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableInBand802DOT11Registrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableFlashConfigRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableWPDRegistrar + data: 0 + type: dword + when: rule_18_5_20_1 + tags: + - level2 + - rule_18.5.20.1 + - patch + +- name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui + name: DisableWcnUi + data: 1 + type: dword + when: rule_18_5_20_2 + tags: + - level2 + 
- rule_18.5.20.2 + - patch + +- name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fMinimizeConnections + data: 1 + type: dword + when: rule_18_5_21_1 + tags: + - level1 + - level2 + - rule_18.5.21.1 + - patch + +- name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fBlockNonDomain + data: 1 + type: dword + when: + - rule_18_5_21_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level2 + - rule_18.5.21.2 + - patch + +- name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit + name: ProcessCreationIncludeCmdLine_Enabled + data: 0 + type: dword + when: rule_18_8_3_1 + tags: + - level1 + - level2 + - rule_18.8.3.1 + - patch + + +- name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation + name: AllowProtectedCreds + data: 1 + type: dword + when: rule_18_8_4_1 + tags: + - level1 + - level2 + - rule_18.8.4.1 + - patch + +- name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: EnableVirtualizationBasedSecurity + data: 1 + type: dword + when: + - rule_18_8_5_1 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.1 + - patch + +- name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization 
Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: RequirePlatformSecurityFeatures + data: 3 + type: dword + when: + - rule_18_8_5_2 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.2 + - patch + +- name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HypervisorEnforcedCodeIntegrity + data: 1 + type: dword + when: + - rule_18_8_5_3 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.3 + - patch + +- name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HVCIMATRequired + data: 1 + type: dword + when: + - rule_18_8_5_4 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.4 + - patch + +- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 1 + type: dword + when: + - rule_18_8_5_5 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_18.8.5.5 + - patch + +- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 1 + type: dword + when: + - rule_18_8_5_5 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.5 + - patch + +- name: 
"SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" + win_regedit: + path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch + name: DriverLoadPolicy + data: 3 + type: dword + when: rule_18_8_14_1 + tags: + - level1 + - level2 + - rule_18.8.14.1 + - patch + +- name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoBackgroundPolicy + data: 0 + type: dword + when: rule_18_8_21_2 + tags: + - level1 + - level2 + - rule_18.8.21.2 + - patch + +- name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoGPOListChanges + data: 0 + type: dword + when: rule_18_8_21_3 + tags: + - level1 + - level2 + - rule_18.8.21.3 + - patch + +- name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableCdp + data: 0 + type: dword + when: rule_18_8_21_4 + tags: + - level1 + - level2 + - rule_18.8.21.4 + - patch + +- name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy + state: absent + delete_key: yes + when: rule_18_8_21_5 + tags: + - level1 + - level2 + - rule_18.8.21.5 + - patch + +- name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableWebPnPDownload + data: 1 + type: dword + when: rule_18_8_22_1_1 + tags: + - level1 + - level2 + - rule_18.8.22.1.1 + - patch + +- name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc + name: PreventHandwritingDataSharing + data: 1 + type: dword + when: rule_18_8_22_1_2 + tags: + - level2 + - rule_18.8.22.1.2 + - patch + +- name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports + name: PreventHandwritingErrorReports + data: 1 + type: dword + when: rule_18_8_22_1_3 + tags: + - level2 + - rule_18.8.22.1.3 + - patch + +- name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard + name: ExitOnMSICW + data: 1 + type: dword + when: rule_18_8_22_1_4 + tags: + - level2 + - rule_18.8.22.1.4 + - patch + +- name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoWebServices + data: 1 + type: dword + when: rule_18_8_22_1_5 + tags: + - level1 + - level2 + - rule_18.8.22.1.5 + - patch + +- name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableHTTPPrinting + data: 1 + type: dword + when: rule_18_8_22_1_6 + tags: + - level1 + - level2 + - rule_18.8.22.1.6 + - patch + +- name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration 
if URL connection is referring to Microsoft.com is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control + name: NoRegistration + data: 1 + type: dword + when: rule_18_8_22_1_7 + tags: + - level2 + - rule_18.8.22.1.7 + - patch + +- name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Searchcompanion + name: DisableContentFileUpdates + data: 1 + type: dword + when: rule_18_8_22_1_8 + tags: + - level2 + - rule_18.8.22.1.8 + - patch + +- name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoOnlinePrintsWizard + data: 1 + type: dword + when: rule_18_8_22_1_9 + tags: + - level2 + - rule_18.8.22.1.9 + - patch + +- name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoPublishingWizard + data: 1 + type: dword + when: rule_18_8_22_1_10 + tags: + - level2 + - rule_18.8.22.1.10 + - patch + +- name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Messenger\Client + name: CEIP + data: 2 + type: dword + when: rule_18_8_22_1_11 + tags: + - level2 + - rule_18.8.22.1.11 + - patch + +- name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows + name: CEIPEnable + data: 0 + type: dword + when: rule_18_8_22_1_12 + tags: + - level2 + - rule_18.8.22.1.12 + - patch + +- name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off 
Windows Error Reporting is set to Enabled" + block: + - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting + name: Disabled + data: 1 + type: dword + - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting + name: DoReport + data: 0 + type: dword + when: rule_18_8_22_1_13 + tags: + - level2 + - rule_18.8.22.1.13 + - patch + +- name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic" + block: + - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters + name: DevicePKInitBehavior + data: 0 + type: dword + - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters + name: DevicePKInitEnabled + data: 1 + type: dword + when: rule_18_8_25_1 + tags: + - level2 + - rule_18.8.25.1 + - patch + +- name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Control Panel\International + name: BlockUserInputMethodsForSignIn + data: 1 + type: dword + when: rule_18_8_26_1 + tags: + - level2 + - rule_18.8.26.1 + - patch + +- name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows\System + name: BlockUserFromShowingAccountDetailsOnSignin + data: 1 + type: dword + when: rule_18_8_27_1 + tags: + - level1 + - level2 + - rule_18.8.27.1 + - patch + +- name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: DontDisplayNetworkSelectionUI + data: 1 + type: dword + when: rule_18_8_27_2 + tags: + - level1 + - level2 + - rule_18.8.27.2 + - patch + +- name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: DontEnumerateConnectedUsers + data: 1 + type: dword + when: rule_18_8_27_3 + tags: + - level1 + - level2 + - rule_18.8.27.3 + - patch + +- name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: EnumerateLocalUsers + data: 0 + type: dword + when: rule_18_8_27_4 + tags: + - level1 + - level2 + - rule_18.8.27.4 + - patch + +- name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: DisableLockScreenAppNotifications + data: 1 + type: dword + when: rule_18_8_27_5 + tags: + - level1 + - level2 + - rule_18.8.27.5 + - patch + +- name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: BlockDomainPicturePassword + data: 1 + type: dword + when: rule_18_8_27_6 + tags: + - level1 + - level2 + - rule_18.8.27.6 + - patch + +- name: "SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows\System + name: AllowDomainPINLogon + data: 0 + type: dword + when: rule_18_8_27_7 + tags: + - level1 + - level2 + - rule_18.8.27.7 + - patch + +- name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions + name: MitigationOptions_FontBocking + data: 0 + type: dword + when: rule_18_8_28_1 + tags: + - level1 + - level2 + - rule_18.8.28.1 + - patch + +- name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 + name: ACSettingIndex + data: 0 + type: dword + when: rule_18_8_33_6_2 + tags: + - level2 + - rule_18.8.33.6.2 + - patch + +- name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + name: DCSettingIndex + data: 1 + type: dword + when: rule_18_8_33_6_3 + tags: + - level1 + - level2 + - rule_18.8.33.6.3 + - patch + +- name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + name: ACSettingIndex + data: 1 + type: dword + when: rule_18_8_33_6_4 + tags: + - level1 + - level2 + - rule_18.8.33.6.4 + - patch + +- name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fAllowUnsolicited + data: 0 + type: dword + when: rule_18_8_35_1 + tags: + - level1 + - level2 + - rule_18.8.35.1 + - patch + +- name: "SCORED | 
18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fAllowToGetHelp + data: 0 + type: dword + when: rule_18_8_35_2 + tags: + - level1 + - level2 + - rule_18.8.35.2 + - patch + +- name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc + name: EnableAuthEpResolution + data: 1 + type: dword + when: + - rule_18_8_36_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.8.36.1 + - patch + +- name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc + name: RestrictRemoteClients + data: 1 + type: dword + when: + - rule_18_8_36_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level2 + - rule_18.8.36.2 + - patch + +- name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy + name: DisableQueryRemoteServer + data: 0 + type: dword + when: rule_18_8_44_5_1 + tags: + - level2 + - rule_18.8.44.5.1 + - patch + +- name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} + name: ScenarioExecutionEnabled + data: 0 + type: dword + when: rule_18_8_44_11_1 + tags: + - level2 + - rule_18.8.44.11.1 + - patch + +- name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo + name: DisabledByGroupPolicy + data: 1 + type: dword + when: rule_18_8_46_1 + tags: + - level2 + - rule_18.8.46.1 + - patch + +- name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient + name: Enabled + data: 1 + type: dword + when: rule_18_8_49_1_1 + tags: + - level2 + - rule_18.8.49.1.1 + - patch + +- name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver + name: Enabled + data: 1 + type: dword + when: + - rule_18_8_49_1_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level2 + - rule_18.8.49.1.2 + - patch + +- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager + name: AllowSharedLocalAppData + data: 0 + type: dword + when: rule_18_9_4_1 + tags: + - level2 + - rule_18.9.4.1 + - patch + +- name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: MSAOptional + data: 1 + type: dword + when: rule_18_9_6_1 + tags: + - level1 + - level2 + - rule_18.9.6.1 + - patch + +- name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoAutoplayfornonVolume + data: 1 + type: dword + when: rule_18_9_8_1 + tags: + - level1 + - level2 + - rule_18.9.8.1 + - patch + +- name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun 
commands" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoAutorun + data: 1 + type: dword + when: rule_18_9_8_2 + tags: + - level1 + - level2 + - rule_18.9.8.2 + - patch + +- name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoDriveTypeAutoRun + data: 255 + type: dword + when: rule_18_9_8_3 + tags: + - level1 + - level2 + - rule_18.9.8.3 + - patch + +- name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures + name: EnhancedAntiSpoofing + data: 1 + type: dword + when: rule_18_9_10_1_1 + tags: + - level1 + - level2 + - rule_18.9.10.1.1 + - patch + +- name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Camera + name: AllowCamera + data: 1 + type: dword + when: rule_18_9_12_1 + tags: + - level2 + - rule_18.9.12.1 + - patch + +- name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent + name: DisableWindowsConsumerFeatures + data: 1 + type: dword + when: rule_18_9_13_1 + tags: + - level1 + - level2 + - rule_18.9.13.1 + - patch + +- name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect + name: RequirePinForPairing + data: 1 + type: dword + when: rule_18_9_14_1 + tags: + - level1 + - level2 + - rule_18.9.14.1 + - patch + +- name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Credui + name: 
DisablePasswordReveal + data: 1 + type: dword + when: rule_18_9_15_1 + tags: + - level1 + - level2 + - rule_18.9.15.1 + - patch + +- name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui + name: EnumerateAdministrators + data: 0 + type: dword + when: rule_18_9_15_2 + tags: + - level1 + - level2 + - rule_18.9.15.2 + - patch + +- name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: AllowTelemetry + data: 0 + type: dword + when: rule_18_9_16_1 + tags: + - level1 + - level2 + - rule_18.9.16.1 + - patch + +- name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: DisableEnterpriseAuthProxy + data: 0 + type: dword + when: rule_18_9_16_2 + tags: + - level2 + - rule_18.9.16.2 + - patch + +- name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds + name: EnableConfigFlighting + data: 01 + type: dword + when: rule_18_9_16_3 + tags: + - level1 + - level2 + - rule_18.9.16.3 + - patch + +- name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: DoNotShowFeedbackNotifications + data: 1 + type: dword + when: rule_18_9_16_4 + tags: + - level1 + - level2 + - rule_18.9.16.4 + - patch + +- name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled" + 
win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds + name: AllowBuildPreview + data: 0 + type: dword + when: rule_18_9_16_5 + tags: + - level1 + - level2 + - rule_18.9.16.5 + - patch + +- name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application + name: Retention + data: 0 + type: dword + when: rule_18_9_26_1_1 + tags: + - level1 + - level2 + - rule_18.9.26.1.1 + - patch + +- name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application + name: MaxSize + data: 65538 + type: dword + when: rule_18_9_26_1_2 + tags: + - level1 + - level2 + - rule_18.9.26.1.2 + - patch + +- name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: Retention + data: 0 + type: string + when: rule_18_9_26_2_1 + tags: + - level1 + - level2 + - rule_18.9.26.2.1 + - patch + +- name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: MaxSize + data: 196608 + type: dword + when: rule_18_9_26_2_2 + tags: + - level1 + - level2 + - rule_18.9.26.2.2 + - patch + +- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application + name: Retention + data: 0 + type: string + when: rule_18_9_26_3_1 + tags: + - level1 + - level2 + - rule_18.9.26.3.1 
+ - patch + +- name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup + name: MaxSize + data: 32768 + type: dword + when: rule_18_9_26_3_2 + tags: + - level1 + - level2 + - rule_18.9.26.3.2 + - patch + +- name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: Retention + data: 0 + type: string + when: rule_18_9_26_4_1 + tags: + - level1 + - level2 + - rule_18.9.26.4.1 + - patch + +- name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: MaxSize + data: 65538 + type: dword + when: rule_18_9_26_4_2 + tags: + - level1 + - level2 + - rule_18.9.26.4.2 + - patch + +- name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoDataExecutionPrevention + data: 0 + type: dword + when: rule_18_9_30_2 + tags: + - level1 + - level2 + - rule_18.9.30.2 + - patch + +- name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoHeapTerminationOnCorruption + data: 0 + type: dword + when: rule_18_9_30_3 + tags: + - level1 + - level2 + - rule_18.9.30.3 + - patch + +- name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: PreXPSP2ShellProtocolBehavior + data: 0 + type: dword + when: 
rule_18_9_30_4 + tags: + - level1 + - level2 + - rule_18.9.30.4 + - patch + +- name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors + name: DisableLocation + data: 1 + type: dword + when: rule_18_9_39_2 + tags: + - level2 + - rule_18.9.39.2 + - patch + +- name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Messaging + name: AllowMessageSync + data: 0 + type: dword + when: rule_18_9_43_1 + tags: + - level2 + - rule_18.9.43.1 + - patch + +- name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount + name: DisableUserAuth + data: 1 + type: dword + when: rule_18_9_44_1 + tags: + - level1 + - level2 + - rule_18.9.44.1 + - patch + +- name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive + name: DisableFileSyncNGSC + data: 1 + type: dword + when: rule_18_9_52_1 + tags: + - level1 + - level2 + - rule_18.9.52.1 + - patch + +- name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DisablePasswordSaving + data: 1 + type: dword + when: rule_18_9_58_2_2 + tags: + - level1 + - level2 + - rule_18.9.58.2.2 + - patch + +- name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fSingleSessionPerUser + data: 1 + type: dword + when: rule_18_9_58_3_2_1 + tags: + - level2 + - 
rule_18.9.58.3.2.1 + - patch + +- name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableCcm + data: 1 + type: dword + when: rule_18_9_58_3_3_1 + tags: + - level2 + - rule_18.9.58.3.3.1 + - patch + +- name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableCdm + data: 1 + type: dword + when: rule_18_9_58_3_3_2 + tags: + - level1 + - level2 + - rule_18.9.58.3.3.2 + - patch + +- name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableLPT + data: 1 + type: dword + when: rule_18_9_58_3_3_3 + tags: + - level2 + - rule_18.9.58.3.3.3 + - patch + +- name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisablePNPRedir + data: 1 + type: dword + when: rule_18_9_58_3_3_4 + tags: + - level2 + - rule_18.9.58.3.3.4 + - patch + +- name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fPromptForPassword + data: 1 + type: dword + when: rule_18_9_58_3_9_1 + tags: + - level1 + - level2 + - rule_18.9.58.3.9.1 + - patch + +- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fEncryptRPCTraffic + data: 1 + type: dword + when: rule_18_9_58_3_9_2 + tags: + - level1 + - level2 + - rule_18.9.58.3.9.2 
+ - audit + +- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services + name: fEncryptRPCTraffic + data: 1 + type: dword + when: rule_18_9_58_3_9_2 + tags: + - level1 + - level2 + - rule_18.9.58.3.9.2 + - patch + +- name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MinEncryptionLevel + data: 3 + type: dword + when: rule_18_9_58_3_9_3 + tags: + - level1 + - level2 + - rule_18.9.58.3.9.3 + - patch + +- name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxIdleTime + data: 3600000 + type: dword + when: rule_18_9_58_3_10_1 + tags: + - level2 + - rule_18.9.58.3.10.1 + - patch + +- name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxDisconnectionTime + data: 28800000 + type: dword + when: rule_18_9_58_3_10_2 + tags: + - level2 + - rule_18.9.58.3.10.2 + - patch + +- name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DeleteTempDirsOnExit + data: 1 + type: dword + when: rule_18_9_58_3_11_1 + tags: + - level1 + - level2 + - rule_18.9.58.3.11.1 + - patch + +- name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: PerSessionTempDir 
+ data: 1 + type: dword + when: rule_18_9_58_3_11_2 + tags: + - level1 + - level2 + - rule_18.9.58.3.11.2 + - patch + +- name: "SCORED | 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds + name: DisableEnclosureDownload + data: 1 + type: dword + when: rule_18_9_59_1 + tags: + - level1 + - level2 + - rule_18.9.59.1 + - patch + +- name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowCloudSearch + data: 0 + type: dword + when: rule_18_9_60_2 + tags: + - level2 + - rule_18.9.60.2 + - patch + +- name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowIndexingEncryptedStoresOrItems + data: 0 + type: dword + when: rule_18_9_60_3 + tags: + - level1 + - level2 + - rule_18.9.60.3 + - patch + +- name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform + name: NoGenTicket + data: 1 + type: dword + when: rule_18_9_65_1 + tags: + - level2 + - rule_18.9.65.1 + - patch + +- name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: LocalSettingOverrideSpynetReporting + data: 0 + type: dword + when: rule_18_9_76_3_1 + tags: + - level1 + - level2 + - rule_18.9.76.3.1 + - patch + +- name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: SpynetReporting + 
data: 0 + type: dword + when: rule_18_9_76_3_2 + tags: + - level2 + - rule_18.9.76.3.2 + - patch + +- name: "SCORED | 18.9.76.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword + when: rule_18_9_76_7_1 + tags: + - level1 + - level2 + - rule_18.9.76.7.1 + - patch + +- name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting + name: DisableGenericRePorts + data: 1 + type: dword + when: rule_18_9_76_9_1 + tags: + - level2 + - rule_18.9.76.9.1 + - patch + +- name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableRemovableDriveScanning + data: 0 + type: dword + when: rule_18_9_76_10_1 + tags: + - level1 + - level2 + - rule_18.9.76.10.1 + - patch + +- name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableEmailScanning + data: 0 + type: dword + when: rule_18_9_76_10_2 + tags: + - level1 + - level2 + - rule_18.9.76.10.2 + - patch + +- name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR + name: ExploitGuard_ASR_Rules + data: 1 + type: dword + when: rule_18_9_76_13_1_1 + tags: + - level1 + - level2 + - rule_18.9.76.13.1.1 + - patch + +- name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender 
Exploit Guard\ASR\Rules + name: "{{ item }}" + data: 1 + type: string # aka REG_SZ + loop: + - 26190899-1602-49e8-8b27-eb1d0a1ce869 + - 3b576869-a4ec-4529-8536-b80a7769e899 + - 5beb7efe-fd9a-4556-801d-275e5ffc04cc + - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 + - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b + - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 + - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 + - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 + - d3e037e1-3eb8-44c8-a917-57927947596d + - d4f940ab-401b-4efc-aadc-ad5f3c50688a + when: rule_18_9_76_13_1_2 + tags: + - level1 + - level2 + - rule_18.9.76.13.1.2 + - patch + +- name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + name: ExploitGuard_ASR_Rules + data: 1 + type: dword + when: rule_18_9_76_13_3_1 + tags: + - level1 + - level2 + - rule_18.9.76.13.3.1 + - patch + +- name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender + name: DisableAntiSpyware + data: 0 + type: dword + when: rule_18_9_76_14 + tags: + - level1 + - level2 + - rule_18.9.76.14 + - patch + +- name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + name: DisallowExploitProtectionOverride + data: 1 + type: dword + when: rule_18_9_79_1_1 + tags: + - level1 + - level2 + - rule_18.9.79.1.1 + - patch + +- name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" + block: + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn 
and prevent bypass | EnableSmartScreen" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: EnableSmartScreen + data: 1 + type: dword + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: ShellSmartScreenLevel + data: Block + type: string + when: rule_18_9_80_1_1 + tags: + - level1 + - level2 + - rule_18.9.80.1.1 + - patch + +- name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace + name: AllowSuggestedAppsInWindowsInkWorkspace + data: 0 + type: dword + when: rule_18_9_84_1 + tags: + - level2 + - rule_18.9.84.1 + - patch + +- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace + name: AllowWindowsInkWorkspace + data: 1 + type: dword + when: rule_18_9_84_2 + tags: + - level1 + - level2 + - rule_18.9.84.2 + - patch + +- name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: EnableUserControl + data: 0 + type: dword + when: rule_18_9_85_1 + tags: + - level1 + - level2 + - rule_18.9.85.1 + - patch + +- name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + when: rule_18_9_85_2 + tags: + - level1 + - level2 + - rule_18.9.85.2 + - patch + +- name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows 
Installer scripts is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: SafeForScripting + data: 0 + type: dword + when: rule_18_9_85_3 + tags: + - level2 + - rule_18.9.85.3 + - patch + +- name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableAutomaticRestartSignOn + data: 1 + type: dword + when: rule_18_9_86_1 + tags: + - level1 + - level2 + - rule_18.9.86.1 + - patch + +- name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging + name: EnableScriptBlockLogging + data: 1 + type: dword + when: rule_18_9_95_1 + tags: + - level1 + - level2 + - rule_18.9.95.1 + - patch + +- name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription + name: EnableTranscripting + data: 1 + type: dword + when: rule_18_9_95_2 + tags: + - level1 + - level2 + - rule_18.9.95.2 + - patch + +- name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowBasic + data: 0 + type: dword + when: rule_18_9_97_1_1 + tags: + - level1 + - level2 + - rule_18.9.97.1.1 + - patch + +- name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowUnencryptedTraffic + data: 0 + type: dword + when: rule_18_9_97_1_2 + tags: + - level1 + - level2 + - rule_18.9.97.1.2 + - patch + +- name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is 
set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowDigest + data: 0 + type: dword + when: rule_18_9_97_1_3 + tags: + - level1 + - level2 + - rule_18.9.97.1.3 + - patch + +- name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowBasic + data: 0 + type: dword + when: rule_18_9_97_2_1 + tags: + - level1 + - level2 + - rule_18.9.97.2.1 + - patch + +#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +- name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowAutoConfig + data: 1 + type: dword + when: + - rule_18_9_97_2_2 + - is_implemented + tags: + - level2 + - rule_18.9.97.2.2 + - patch + +- name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowUnencryptedTraffic + data: 0 + type: dword + when: rule_18_9_97_2_3 + tags: + - level1 + - level2 + - rule_18.9.97.2.3 + - patch + +- name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: DisableRunAs + data: 1 + type: dword + when: rule_18_9_97_2_4 + tags: + - level1 + - level2 + - rule_18.9.97.2.4 + - patch + +#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +- name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs + name: AllowRemoteShellAccess + 
data: 1 + type: dword + when: + - rule_18_9_98_1 + - is_implemented + tags: + - level2 + - rule_18.9.98.1 + - patch + +- name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds" + block: + - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuilds + data: 1 + type: dword + - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuildsPolicyValue + data: 0 + type: dword + when: rule_18_9_101_1_1 + tags: + - level1 + - level2 + - rule_18.9.101.1.1 + - patch + +- name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" + block: + - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdates + data: 1 + type: dword + - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdatesPeriodInDays + data: 180 + type: dword + - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: BranchReadinessLevel + data: 16 + type: dword + when: rule_18_9_101_1_2 + tags: + - level1 + - level2 + - rule_18.9.101.1.2 + - patch + +- name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days" + block: + - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdates + data: 1 + type: dword + - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdatesPeriodInDays + data: 0 + type: dword + when: rule_18_9_101_1_3 + tags: + - level1 + - level2 + - rule_18.9.101.1.3 + - patch + +- name: "SCORED | 18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoUpdate + data: 0 + type: dword + when: rule_18_9_101_2 + tags: + - level1 + - level2 + - rule_18.9.101.2 + - patch + +- name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: ScheduledInstallDay + data: 0 + type: dword + when: rule_18_9_101_3 + tags: + - level1 + - level2 + - rule_18.9.101.3 + - patch + +- name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoRebootWithLoggedOnUsers + data: 0 + type: dword + when: rule_18_9_101_4 + tags: + - level1 + - level2 + - 
rule_18.9.101.4 + - patch + diff --git a/tasks/section17.yml b/tasks/section17.yml index ab2d25b..9ae7b39 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml @@ -1,18 +1,12 @@ --- -- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_1_1 - tags: - - level1 - - level2 - - rule_17.1.1 - - audit - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure" block: + - name: "SCORED | 17.1.1 | AUDIT | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_1_audit + changed_when: no + ignore_errors: yes + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable when: "'Success' not in rule_17_1_1_audit.stdout" 
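Review bot: The 'Audit Credential Validation' task moved into the 17.1.1 block runs `win_shell` without `check_mode: no`, so under `--check` the read is skipped and `rule_17_1_1_audit` holds a skipped result with no `stdout`; the Success/Failure tasks that follow, whose `when: "'Success' not in rule_17_1_1_audit.stdout"` is visible here, then fail on an undefined attribute instead of reporting what would change. Add `check_mode: no` beside `changed_when: no`, as the 17.1.2 and 17.1.3 audit tasks later in this file already do. `ignore_errors: yes` on the read also means a failed AuditPol call yields empty output, which the `not in` tests treat as "not configured" and proceed to set; if that fall-through is intended, a comment such as `# read failure deliberately falls through to the set tasks` would make it explicit. The 17.1.1 block's `when` and `tags` continue outside this hunk.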
@@ -25,34 +19,75 @@ when: - rule_17_1_1 - rule_17_1_1_audit is defined - - ansible_windows_domain_role == "Primary domain controller" - "'Success' not in rule_17_1_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.1.1 - patch -- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_1 +- name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + block: + - name: "SCORED | 17.1.2 | audit | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_2_audit + check_mode: no + changed_when: no + + - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for success" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Success' not in rule_17_1_2_audit.stdout" + + - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for failure" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Failure' not in rule_17_1_2_audit.stdout" + when: + - rule_17_1_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_17.2.1 - - audit + - level1-domaincontroller + - rule_17.1.2 + - patch + - notimplemented -- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management 
is set to Success and Failure" +- name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" block: - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" + - name: "SCORED | 17.1.3 | audit | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_3_audit + check_mode: no + changed_when: no + + - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for success" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Success' not in rule_17_1_3_audit.stdout" + + - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for failure" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Failure' not in rule_17_1_3_audit.stdout" + when: + - rule_17_1_3 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_17.1.3 + - patch + - notimplemented + +- name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + block: + - name: "SCORED | 17.2.1 | AUDIT | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_1_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set 
to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in rule_17_2_1_audit.stdout" changed_when: "'Success' not in rule_17_2_1_audit.stdout" - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" + - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable when: "'Failure' not in rule_17_2_1_audit.stdout" changed_when: "'Failure' not in rule_17_2_1_audit.stdout" 
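Review bot: The new 'Set for failure' tasks for 17.1.2 and 17.1.3 run `AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable` although their `when` tests for 'Failure', so failure auditing for Kerberos authentication is never enabled even though the role reports the control handled; the commands should read `AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable` and `AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable`, matching the `/failure:enable` form used by 17.2.1's Failure task. Separately, the new 17.2.1 audit task reads `/subcategory:"Security Group Management"` while the control is 'Audit Application Group Management', and the unchanged set task below it uses the same subcategory; 17.2.5 already covers Security Group Management, so 17.2.1 as written checks and configures the wrong subcategory. The two Kerberos set tasks also lack `changed_when`, so they report changed on every run; `changed_when: "'Failure' not in rule_17_1_2_audit.stdout"` would match the 17.2.1 pattern. The 17.2.1 block's `when` and `tags` continue outside this hunk.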
@@ -62,133 +97,105 @@ - ansible_windows_domain_role == "Primary domain controller" - "'Success' not in rule_17_2_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.1 - patch -- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_17.2.2 - - audit - -- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable +- name: "SCORED | 17.2.2 | AUDIT | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.2.2 | AUDIT | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_2_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.2.2 | PATCH | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + when: "'Success' not in rule_17_2_2_audit.stdout" when: - rule_17_2_2 - ansible_windows_domain_role == "Primary domain controller" - rule_17_2_2_audit is defined - - "'Success' not in rule_17_2_2_audit.stdout" - changed_when: "'Success' not in rule_17_2_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.2 - patch -- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure 
Audit Distribution Group Management is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_3_audit - changed_when: no - ignore_errors: yes - when: - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_3 - tags: - - rule_17.2.3 - - audit - -- name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable +- name: "SCORED | 17.2.3 | AUDIT | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.2.3 | AUDIT | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_3_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.2.3 | PATCH | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + when: "'Success' not in rule_17_2_3_audit.stdout" when: - - ansible_windows_domain_role == "Primary domain controller" - rule_17_2_3 - rule_17_2_3_audit is defined - - "'Success' not in rule_17_2_3_audit.stdout" - changed_when: "'Success' not in rule_17_2_3_audit.stdout" + - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_17.2.3 - patch -- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: 
rule_17_2_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_4 - tags: - - level1 - - level2 - - rule_17.2.4 - - audit - -- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable +- name: "SCORED | 17.2.4 | AUDIT | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.2.4 | AUDIT | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_4_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.2.4 | PATCH | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + when: "'Success' not in rule_17_2_4_audit.stdout" when: - rule_17_2_4 - rule_17_2_4_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_4_audit.stdout" - changed_when: "'Success' not in rule_17_2_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.4 - patch -- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_5 - tags: - - level1 - - level2 - - rule_17.2.5 - - audit +- name: "SCORED | 17.2.5 | AUDIT | (L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + block: + - name: "SCORED | 17.2.5 | AUDIT | (L1) Ensure 'Audit Security Group 
Management' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_5_audit + changed_when: no + ignore_errors: yes -- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + - name: "SCORED | 17.2.5 | PATCH | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_5_audit.stdout" when: - rule_17_2_5 - rule_17_2_5_audit is defined - - "'Success' not in rule_17_2_5_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.5 - patch -- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_6 - tags: - - level1 - - level2 - - rule_17.2.6 - - audit - -- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure" +- name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" block: - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" + - name: "SCORED | 17.2.6 | AUDIT | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_6_audit + changed_when: no + ignore_errors: yes + + - 
name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable when: "'Success' not in rule_17_2_6_audit.stdout" changed_when: "'Success' not in rule_17_2_6_audit.stdout" - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure" + - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable when: "'Failure' not in rule_17_2_6_audit.stdout" changed_when: "'Failure' not in rule_17_2_6_audit.stdout" 
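Review bot: Moving the AUDIT tasks inside the 17.2.2–17.2.5 blocks leaves the kept block-level condition `- rule_17_2_2_audit is defined` (and its 17.2.3, 17.2.4 and 17.2.5 equivalents) gating the very task that registers the variable: a block `when` is applied to each task in the block, so on a first run the audit task is skipped because the variable is not yet defined, and the set task then evaluates `rule_17_2_2_audit.stdout` on a skipped result that has no `stdout`. Since the audit now always precedes the set task inside the block, drop the `_audit is defined` line from each block `when`; if a guard is still wanted, put it on the set task itself, e.g. `when: "rule_17_2_2_audit.stdout is defined and 'Success' not in rule_17_2_2_audit.stdout"`. The same pattern appears in 17.1.1 in the hunk above and in 17.2.6, 17.3.1 and 17.3.2 below. The 17.2.6 block's remaining set task, `when` and `tags` continue outside this hunk.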
@@ -196,238 +203,202 @@ - rule_17_2_6 - rule_17_2_6_audit is defined tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.6 - patch -- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to Success" - win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_1 - tags: - - level1 - - level2 - - rule_17.3.1 - - audit - -- name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to Success" - win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable - changed_when: "'Success' not in rule_17_3_1_audit.stdout" +- name: "SCORED | 17.3.1 | AUDIT | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Get current settings" + block: + - name: "SCORED | 17.3.1 | AUDIT | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set success" + win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_3_1_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.3.1 | PATCH | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set failure" + win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable + changed_when: "'Success' not in rule_17_3_1_audit.stdout" + when: "'Success' not in rule_17_3_1_audit.stdout" when: - rule_17_3_1 - rule_17_3_1_audit is defined - - "'Success' not in rule_17_3_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.1 - patch -- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to Success" - win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_2_audit - changed_when: no - ignore_errors: yes - when: 
rule_17_3_2 - tags: - - level1 - - level2 - - rule_17.3.2 - - audit - -- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to Success" - win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - changed_when: "'Success' not in rule_17_3_2_audit.stdout" +- name: "SCORED | 17.3.2 | AUDIT | (L1) Ensure 'Audit Process Creation' is set to include 'Success'" + block: + - name: "SCORED | 17.3.2 | AUDIT | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_3_2_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.3.2 | PATCH | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable + changed_when: "'Success' not in rule_17_3_2_audit.stdout" + when: "'Success' not in rule_17_3_2_audit.stdout" when: - rule_17_3_2 - rule_17_3_2_audit is defined - - "'Success' not in rule_17_3_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.2 - patch -- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_4_1 - tags: - - rule_17.4.1 - - audit - -- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable - changed_when: "'Success' not in rule_17_4_1_audit.stdout" +- name: "SCORED | 17.4.1 | AUDIT | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + block: + - 
name: "SCORED | 17.4.1 | AUDIT | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_4_1_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.4.1 | PATCH | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Set failure" + win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable + changed_when: "'Success' not in rule_17_4_1_audit.stdout" + when: "'Success' not in rule_17_4_1_audit.stdout" when: - rule_17_4_1 - rule_17_4_1_audit is defined - - "'Success' not in rule_17_4_1_audit.stdout" tags: + - level1-domaincontroller - rule_17.4.1 - patch -- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_17.4.2 - - audit - -- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - changed_when: "'Success' not in rule_17_4_2_audit.stdout" +- name: "SCORED | 17.4.2 | AUDIT | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.4.2 | AUDIT | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_4_2_audit + changed_when: no + 
ignore_errors: yes + + - name: "SCORED | 17.4.2 | PATCH | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable + changed_when: "'Success' not in rule_17_4_2_audit.stdout" + when: "'Success' not in rule_17_4_2_audit.stdout" when: - rule_17_4_2 - ansible_windows_domain_role == "Primary domain controller" - rule_17_4_2_audit is defined - - "'Success' not in rule_17_4_2_audit.stdout" tags: + - level1-domaincontroller - rule_17.4.2 - patch -- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_1 - tags: - - level1 - - level2 - - rule_17.5.1 - - audit - -- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable - changed_when: "'Failure' not in rule_17_5_1_audit.stdout" +- name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + block: + - name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_1_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.5.1 | PATCH | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable + changed_when: "'Failure' not in rule_17_5_1_audit.stdout" + when: "'Failure' not in rule_17_5_1_audit.stdout" when: - rule_17_5_1 - rule_17_5_1_audit is defined - - "'Failure' not in 
rule_17_5_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.1 - patch -- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to Success" - win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_2 - tags: - - level1 - - level2 - - rule_17.5.2 - - audit - -- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to Success" - win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - changed_when: "'Success' not in wn19_au_000170_audit.stdout" +- name: "SCORED | 17.5.2 | AUDIT | (L1) Ensure 'Audit Group Membership' is set to include 'Success'" + block: + - name: "SCORED | 17.5.2 | AUDIT | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_2_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.5.2 | PATCH | (L1) Ensure 'Audit Group Membership' is set to include 'Success'" | Set success" + win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable + changed_when: "'Success' not in wn19_au_000170_audit.stdout" + when: "'Success' not in wn19_au_000170_audit.stdout" when: - rule_17_5_2 - wn19_au_000170_audit is defined - - "'Success' not in wn19_au_000170_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.2 - patch -- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to Success" - win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_3 - tags: - - level1 - - level2 - - rule_17.5.3 - - 
audit - -- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to Success" - win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - changed_when: "'Success' not in rule_17_5_3_audit.stdout" +- name: "SCORED | 17.5.3 | AUDIT | (L1) Ensure 'Audit Logoff' is set to include 'Success'" + block: + - name: "SCORED | 17.5.3 | AUDIT | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_3_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.5.3 | PATCH | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Logoff" /success:enable + changed_when: "'Success' not in rule_17_5_3_audit.stdout" + when: "'Success' not in rule_17_5_3_audit.stdout" when: - rule_17_5_3 - rule_17_5_3_audit is defined - "'Success' not in rule_17_5_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.3 - patch -- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - audit - -- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure" +- name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure'" block: - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Logon" /success:enable - changed_when: "'Success' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure 
Audit Logon is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Logon" /failure:enable - changed_when: "'Failure' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" + - name: "SCORED | 17.5.4 | AUDIT | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_4_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"Logon" /success:enable + changed_when: "'Success' not in rule_17_5_4_audit.stdout" + when: + - rule_17_5_4_audit is defined + - "'Failure' not in rule_17_5_4_audit.stdout" + + - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"Logon" /failure:enable + changed_when: "'Failure' not in rule_17_5_4_audit.stdout" + when: + - rule_17_5_4_audit is defined + - "'Failure' not in rule_17_5_4_audit.stdout" when: rule_17_5_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.4 - patch -- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_5_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_5_5 - tags: - - level1 - - level2 - - rule_17.5.5 - - audit - -- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" +- name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" block: - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure 
Audit Other LogonLogoff Events is set to Success and Failure | Success" + - name: "SCORED | 17.5.5 | AUDIT | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_5_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable changed_when: "'Success' not in rule_17_5_5_audit.stdout" when: - rule_17_5_5_audit is defined - "'Success' not in rule_17_5_5_audit.stdout" - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" + - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable changed_when: "'Failure' not in rule_17_5_5_audit.stdout" when: 
@@ -436,169 +407,207 @@ when: - rule_17_5_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.5 - patch -- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to Success" - win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_6 - tags: - - level1 - - level2 - - rule_17.5.6 - - audit - -- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to Success" - win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - changed_when: "'Success' not in rule_17_5_6_audit.stdout" +- name: "SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success'" + block: + - name: "SCORED | 17.5.6 | AUDIT | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_6_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" + win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable + changed_when: "'Success' not in rule_17_5_6_audit.stdout" + when: "'Success' not in rule_17_5_6_audit.stdout" when: - rule_17_5_6 - rule_17_5_6_audit is defined - - "'Success' not in rule_17_5_6_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.6 - patch -- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure" - win_audit_policy_system: - subcategory: Other Object Access Events - audit_type: success, failure +- name: "SCORED | 17.6.1 | PATCH | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + block: + - name: "SCORED | 17.6.1 
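Review bot: The 17.5.2 set task's name is malformed — the double-quoted scalar closes after `'Success'` and the trailing ` | Set success"` is left outside it, which is likely to make the whole task file fail to load, and the same task keys its `when`/`changed_when` and the block-level `is defined` check on `wn19_au_000170_audit` while the audit step registers `rule_17_5_2_audit`, so even with the quote fixed the block would never run; the three references should read `rule_17_5_2_audit`. The block-level `when` lists for 17.3.1, 17.3.2, 17.4.1, 17.4.2, 17.5.1 and 17.5.3 (and 17.2.5/17.2.6 before this hunk, 17.5.6 and 17.7.1 after it) still carry `rule_X_audit is defined`; a block's `when` applies to every task in it, so the "Get current settings" task that registers that variable is itself skipped on a run where it is not yet defined and the following `... not in rule_X_audit.stdout` conditional then evaluates against a skipped result with no stdout — the `is defined` conditions, and for 17.5.3 the leftover `- "'Success' not in rule_17_5_3_audit.stdout"` at block level, belong on the set task only, as 17.7.2 and 17.7.3 already have it. In 17.4.1 the set task runs `/failure:enable` but both conditions test `'Success' not in rule_17_4_1_audit.stdout`, so a missing Failure setting is neither detected nor reported as changed (`changed_when: "'Failure' not in rule_17_4_1_audit.stdout"` / `when: "'Failure' not in rule_17_4_1_audit.stdout"`), and unlike 17.4.2 this DC-only block has no `ansible_windows_domain_role == "Primary domain controller"` guard. In 17.5.4 the Success task's `when` tests `'Failure' not in rule_17_5_4_audit.stdout` where `'Success'` is meant. The 17.3.1 task names are also mislabelled: the outer block is tagged AUDIT although it patches, the get task is named "Set success" and the success-enable task "Set failure".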
| AUDIT | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_6_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.6.1 | PATCH | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable + when: "'Failure' not in rule_17_6_1_audit.stdout" when: rule_17_6_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.1 - patch -- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_2 +- name: "SCORED | 17.6.2 | PATCH | (L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + win_audit_policy_system: + subcategory: File Share + audit_type: success, failure + when: + - rule_17_6_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.2 - - audit + - patch -- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - changed_when: "'Success' not in rule_17_6_2_audit.stdout" +- name: "SCORED | 17.6.3 | PATCH | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + win_audit_policy_system: + subcategory: Other Object Access Events + audit_type: success, failure when: - - rule_17_6_2 - - rule_17_6_2_audit is defined - - "'Success' not in rule_17_6_2_audit.stdout" + - rule_17_6_3 tags: - - level1 - - level2 - - rule_17.6.2 + - level1-domaincontroller + - level1-memberserver + - rule_17.6.3 - patch -- name: "SCORED | 17.7.1 | AUDIT | 
L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_1 +- name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + block: + - name: "SCORED | 17.6.4 | AUDIT | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_6_4_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set success" + win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable + changed_when: "'Success' not in rule_17_6_4_audit.stdout" + when: "'Success' not in rule_17_6_4_audit.stdout" + + - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable + changed_when: "'failure' not in rule_17_6_4_audit.stdout" + when: "'Failure' not in rule_17_6_4_audit.stdout" + when: + - rule_17_6_4 tags: - - level1 - - level2 - - rule_17.7.1 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.6.4 + - patch -- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_1_audit.stdout" +- name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + block: + - name: "SCORED | 17.7.1 | AUDIT | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Get current settings" + 
win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_1_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_1_audit.stdout" + when: "'Success' not in rule_17_7_1_audit.stdout" when: - rule_17_7_1 - rule_17_7_1_audit is defined - - "'Success' not in rule_17_7_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.1 - patch -- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_2 - tags: - - level1 - - level2 - - rule_17.7.2 - - audit - -- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to Success" - win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_2_audit.stdout" +- name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + block: + - name: "SCORED | 17.7.2 | AUDIT | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_2_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Authentication Policy 
Change" /success:enable + changed_when: "'Success' not in rule_17_7_2_audit.stdout" + when: "'Success' not in rule_17_7_2_audit.stdout" when: - rule_17_7_2 - - rule_17_7_2_audit is defined - - "'Success' not in rule_17_7_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.2 - patch -- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_3 +- name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + block: + - name: "SCORED | 17.7.3 | AUDIT | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_3_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_3_audit.stdout" + when: "'Success' not in rule_17_7_3_audit.stdout" + when: + - rule_17_7_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.3 - - audit + - patch -- name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_3_audit.stdout" +- name: "SCORED | 17.7.4 | PATCH | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + win_audit_policy_system: + 
subcategory: MPSSVC Rule-Level Policy Change + audit_type: success, failure when: - - rule_17_7_3 - - rule_17_7_3_audit is defined - - "'Success' not in rule_17_7_3_audit.stdout" + - rule_17_7_4 tags: - - level1 - - level2 - - rule_17.7.3 + - level1-domaincontroller + - level1-memberserver + - rule_17.7.4 - patch -- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_8_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_8_1 +- name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + block: + - name: "SCORED | 17.7.5 | AUDIT | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_5_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable + when: "'Failure' not in rule_17_7_5_audit.stdout" + when: + - rule_17_7_5 tags: - - level1 - - level2 - - rule_17.8.1 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.7.5 + - patch -- name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" +- name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" block: - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" + - name: "SCORED | 17.8.1 | AUDIT | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Get current 
settings" + win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_8_1_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable changed_when: "'Success' not in rule_17_8_1_audit.stdout" when: - rule_17_8_1_audit is defined - "'Success' not in rule_17_8_1_audit.stdout" - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" + - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable changed_when: "'Failure' not in rule_17_8_1_audit.stdout" when: 
@@ -607,32 +616,25 @@ when: rule_17_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.8.1 - patch -- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_1 - tags: - - level1 - - level2 - - rule_17.9.1 - - audit - -- name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" +- name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" + - name: "SCORED | 17.9.1 | AUDIT | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_9_1_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable changed_when: "'Success' not in rule_17_9_1_audit.stdout" when: - - rule_17_9_1_audit is defined - "'Success' not in rule_17_9_1_audit.stdout" - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" + - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable changed_when: "'Failure' not in rule_17_9_1_audit.stdout" when: 
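Review bot: The 17.7.5 "Set failure" task enables the wrong setting — the control and its `when` are about `'Failure'` but the command is `AuditPol /set /subcategory:"Other Policy Change Events" /success:enable`, so the Failure audit is never turned on and, with no `changed_when`, the task reports a change on every run; it should be `/failure:enable` with `changed_when: "'Failure' not in rule_17_7_5_audit.stdout"`. In 17.6.4 the failure task's `changed_when` tests lowercase `'failure'` while its `when` tests `'Failure'`; assuming the AuditPol output is capitalised as the `when` expects, the substring test never matches and the task always reports changed, so use `'Failure'` in both. The 17.5.6 set task is named "… | Get current settings" although it runs `/set`; rename it "… | Set success" to match the other blocks. 17.6.1 and 17.7.5 use `failed_when: false` on the audit step where every other block in this hunk uses `ignore_errors: yes`; pick one form file-wide (`failed_when: false` is the cleaner choice since it does not leave a red failure in the play output).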
@@ -641,32 +643,26 @@ when: rule_17_9_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.1 - patch -- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_2 - tags: - - level1 - - level2 - - rule_17.9.2 - - audit - -- name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" +- name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" + - name: "SCORED | 17.9.2 | AUDIT | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_9_2_audit + changed_when: no + ignore_errors: yes + + - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable changed_when: "'Success' not in rule_17_9_2_audit.stdout" when: - rule_17_9_2_audit is defined - "'Success' not in rule_17_9_2_audit.stdout" - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" + - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable changed_when: "'Failure' not in rule_17_9_2_audit.stdout" when: 
@@ -674,83 +670,69 @@
- "'Failure' not in rule_17_9_2_audit.stdout"
when: rule_17_9_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_17.9.2
- patch

-- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to Success"
- win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_9_3_audit
- changed_when: no
- ignore_errors: yes
+- name: "SCORED | 17.9.3 | AUDIT | (L1) Ensure 'Audit Security State Change' is set to include 'Success'"
+ block:
+ - name: "SCORED | 17.9.3 | AUDIT | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Get current settings"
+ win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_3_audit
+ changed_when: no
+ ignore_errors: yes
+
+ - name: "SCORED | 17.9.3 | PATCH | (L1) Ensure 'Audit Security State Change' is set to include 'Success' Set success"
+ win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
+ changed_when: "'Success' not in rule_17_9_3_audit.stdout"
+ when:
+ - rule_17_9_3_audit is defined
+ - "'Success' not in rule_17_9_3_audit.stdout"
when: rule_17_9_3
tags:
- - level1
- - level2
- - rule_17.9.3
- - audit
-
-- name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to Success"
- win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
- changed_when: "'Success' not in rule_17_9_3_audit.stdout"
- when:
- - rule_17_9_3
- - rule_17_9_3_audit is defined
- - "'Success' not in rule_17_9_3_audit.stdout"
- tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_17.9.3
- patch

-- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_9_4_audit
- changed_when: no
- ignore_errors: yes
+- name: "SCORED | 17.9.4 | AUDIT | (L1) Ensure 'Audit Security System Extension' is set to include 'Success'"
+ block:
+ - name: "SCORED | 17.9.4 | AUDIT | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Get current settings"
+ win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_4_audit
+ changed_when: no
+ ignore_errors: yes
+
+ - name: "SCORED | 17.9.4 | PATCH | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Set success"
+ win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
+ changed_when: "'Success' not in rule_17_9_4_audit.stdout"
+ when:
+ - rule_17_9_4_audit is defined
+ - "'Success' not in rule_17_9_4_audit.stdout"
when: rule_17_9_4
tags:
- - level1
- - level2
- - rule_17.9.4
- - audit
-
-- name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to Success and Failure"
- win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
- changed_when: "'Success' not in rule_17_9_4_audit.stdout"
- when:
- - rule_17_9_4
- - rule_17_9_4_audit is defined
- - "'Success' not in rule_17_9_4_audit.stdout"
- tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_17.9.4
- patch

-- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_9_5_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_9_5
- tags:
- - level1
- - level2
- - rule_17.9.5
- - audit
-
-- name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure"
+- name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'"
block:
- - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success"
+ - name: "SCORED | 17.9.5 | AUDIT | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Get current settings"
+ win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_5_audit
+ changed_when: no
+ ignore_errors: yes
+
+ - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Success"
win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
changed_when: "'Success' not in rule_17_9_5_audit.stdout"
when:
- rule_17_9_5_audit is defined
- "'Success' not in rule_17_9_5_audit.stdout"

- - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure"
+ - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Failure"
win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
when:
@@ -758,8 +740,8 @@
- "'Failure' not in rule_17_9_5_audit.stdout"
when: rule_17_9_5
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_17.9.5
- patch

From 7e4848fd0649b2ba79d69060a033f6b4a958dd8f Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 1 Feb 2021 17:01:58 -0500
Subject: [PATCH 06/12] updated section 18.1.x through 18.3.x to version 1.2.0

Signed-off-by: George Nalen
---
tasks/section18.yml | 4869 +++++++++++++++++++++----------------------
1 file changed, 2403 insertions(+), 2466 deletions(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index 98a58e8..7a98ab2 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
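Review bot: The outer tasks for 17.9.3 and 17.9.4 are still labelled `AUDIT` in their names although each block now contains an `AuditPol /set` sub-task and is tagged `patch`, whereas 17.9.1, 17.9.2 and 17.9.5 label the identical structure `PATCH`; rename to `- name: "SCORED | 17.9.3 | PATCH | (L1) Ensure 'Audit Security State Change' is set to include 'Success'"` and likewise for 17.9.4. The 17.9.3 set sub-task name also lacks the ` | ` separator that every other sub-task uses before its suffix: `... is set to include 'Success' | Set success"`. Both are naming-only fixes; the AuditPol commands and conditions match the removed tasks.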
@@ -1,6 +1,6 @@
---
#one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server"
-- name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled"
+- name: "SCORED | 18.1.1.1 | PATCH | (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
name: NoLockScreenCamera
@@ -8,12 +8,12 @@
type: dword
when: rule_18_1_1_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.1.1.1
- patch

-- name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled"
+- name: "SCORED | 18.1.1.2 | PATCH | (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
name: NoLockScreenSlideshow
@@ -21,2533 +21,2470 @@ type: dword when: rule_18_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.1.2 - patch -- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - audit - -- name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" +- name: "SCORED | 18.1.2.2 | PATCH | (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization + name: AllowInputPersonalization + data: 0 + type: dword when: - - is_implemented - rule_18_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.2.2 - patch -- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - audit - -- name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" +- name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + block: + - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + command: "echo true" when: - is_implemented - rule_18_1_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.1.3 - - patch - -- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - register: result - 
changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - audit -- name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" +- name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" + block: + - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) + command: "echo true" when: - is_implemented - rule_18_2_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.1 - patch -- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - audit - -- name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" +- name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + block: + - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.2 | PATCH | (L1) Ensure 'Do not allow password expiration time longer than required by policy' 
is set to 'Enabled' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.2 - - patch - -- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - audit -- name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" +- name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + block: + - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.3 | PATCH | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.3 - - patch - -- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - audit -- name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" +- name: 
"SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + block: + - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.4 | PATCH | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_4 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.4 - - patch - -- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - audit -- name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" +- name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + block: + - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.5 | PATCH | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + command: "echo true" when: - is_implemented - rule_18_2_5 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.5 - - patch - -- 
name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - audit -- name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" +- name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + block: + - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.6 | PATCH | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.6 - - patch - -- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - audit - -- name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - patch - -- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to 
Enabled Disable driver" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - audit - -- name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" - command: "echo true" - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - patch - -- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters - name: SMB1 - data: 0 - type: dword - state: present - notify: reboot_windows - when: rule_18_3_3 - tags: - - level1 - - level2 - - rule_18.3.3 - - patch - -- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel - name: DisableExceptionChainValidation - data: 1 - type: dword - state: present - when: rule_18_3_4 - tags: - - level1 - - level2 - - rule_18.3.4 - - patch - -- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_5 - tags: - - level1 - - level2 - - rule_18.3.5 - audit -- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" - command: "echo true" - when: - - is_implemented - - rule_18_3_5 - tags: - - level1 - - level2 - - rule_18.3.5 - - patch - -- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest - state: present - value: UseLogonCredential - data: 0 - datatype: dword - when: 
rule_18_3_6 - tags: - - level1 - - level2 - - rule_18.3.6 - - patch - -- name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - state: present - value: AutoAdminLogon - data: 0 - datatype: dword - when: rule_18_4_1 - tags: - - level1 - - level2 - - rule_18.4.1 - - patch - -- name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters - state: present - value: DisableIPSourceRouting - data: 2 - datatype: dword - when: rule_18_4_2 - tags: - - level1 - - level2 - - rule_18.4.2 - - patch - -- name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: DisableIPSourceRouting - data: 2 - datatype: dword - when: rule_18_4_3 - tags: - - level1 - - level2 - - rule_18.4.3 - - patch - -- name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: EnableICMPRedirect - data: 0 - datatype: dword - when: rule_18_4_4 - tags: - - level1 - - level2 - - rule_18.4.4 - - patch - -- name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: KeepAliveTime - 
data: 300000 - datatype: dword - when: rule_18_4_5 - tags: - - level2 - - rule_18.4.5 - - patch - -- name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters - state: present - name: NoNameReleaseOnDemand - data: 1 - type: dword - when: rule_18_4_6 - tags: - - level1 - - level2 - - rule_18.4.6 - - patch - -- name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - state: present - name: PerformRouterDiscovery - data: 0 - type: dword - when: rule_18_4_7 - tags: - - level2 - - rule_18.4.7 - - patch - -- name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: SafeDllSearchMode - data: 1 - type: dword - state: present - when: rule_18_4_8 - tags: - - level1 - - level2 - - rule_18.4.8 - - patch - -- name: "SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ScreenSaverGracePeriod - data: 5 - type: string - state: present - when: rule_18_4_9 - tags: - - level1 - - level2 - - rule_18.4.9 - - patch - -- name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_10 - tags: - - 
level2 - - rule_18.4.10 - - patch - -- name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_11 - tags: - - level2 - - rule_18.4.11 - - patch - -- name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security - name: WarningLevel - data: 90 - type: dword - when: rule_18_4_12 - tags: - - level1 - - level2 - - rule_18.4.12 - - patch - - -- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters - name: NodeType - data: 2 - type: dword - when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.5.4.1 - - patch - -- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient - name: EnableMulticast - data: 0 - type: dword - when: - - rule_18_5_4_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.5.4.2 - - patch - -- name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableFontProviders - data: 0 - type: dword - when: rule_18_5_5_1 - tags: - - level2 - - rule_18.5.5.1 - - patch - -- name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation - name: AllowInsecureGuestAuth - data: 0 - type: dword - when: rule_18_5_8_1 - tags: - - level1 - - level2 - - rule_18.5.8.1 - - patch - -- name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" - block: - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOndomain - data: 0 - type: dword +# - name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" +# command: "echo true" +# register: result +# changed_when: no +# ignore_errors: yes +# when: +# - is_implemented +# - rule_18_3_1 +# - not ansible_windows_domain_role == "Primary domain controller" +# tags: +# - level1 +# - level2 +# - rule_18.3.1 +# - audit + +# - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" +# command: "echo true" +# when: +# - is_implemented +# - rule_18_3_1 +# - not ansible_windows_domain_role == "Primary domain controller" +# tags: +# - level1 +# - level2 +# - rule_18.3.1 +# - patch + +# - name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" +# command: "echo true" +# register: result +# changed_when: no +# ignore_errors: yes +# when: +# - is_implemented +# - rule_18_3_2 +# tags: +# - level1 +# - level2 +# - rule_18.3.2 +# - audit + +# - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" +# command: "echo true" +# when: +# - is_implemented +# - rule_18_3_2 +# tags: +# - level1 +# - level2 +# - rule_18.3.2 +# - patch + +# - name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" +# win_regedit: +# path: 
HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters +# name: SMB1 +# data: 0 +# type: dword +# state: present +# notify: reboot_windows +# when: rule_18_3_3 +# tags: +# - level1 +# - level2 +# - rule_18.3.3 +# - patch + +# - name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" +# win_regedit: +# path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel +# name: DisableExceptionChainValidation +# data: 1 +# type: dword +# state: present +# when: rule_18_3_4 +# tags: +# - level1 +# - level2 +# - rule_18.3.4 +# - patch + +# - name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" +# command: "echo true" +# register: result +# changed_when: no +# ignore_errors: yes +# when: +# - is_implemented +# - rule_18_3_5 +# tags: +# - level1 +# - level2 +# - rule_18.3.5 +# - audit + +# - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" +# command: "echo true" +# when: +# - is_implemented +# - rule_18_3_5 +# tags: +# - level1 +# - level2 +# - rule_18.3.5 +# - patch + +# - name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" +# win_regedit: +# path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest +# state: present +# value: UseLogonCredential +# data: 0 +# datatype: dword +# when: rule_18_3_6 +# tags: +# - level1 +# - level2 +# - rule_18.3.6 +# - patch + +# - name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" +# win_regedit: +# path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon +# state: present +# value: AutoAdminLogon +# data: 0 +# datatype: dword +# when: rule_18_4_1 +# tags: +# - level1 +# - level2 +# - rule_18.4.1 +# - patch + +# - name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS 
DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +# win_regedit: +# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters +# state: present +# value: DisableIPSourceRouting +# data: 2 +# datatype: dword +# when: rule_18_4_2 +# tags: +# - level1 +# - level2 +# - rule_18.4.2 +# - patch + +# - name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +# win_regedit: +# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters +# state: present +# value: DisableIPSourceRouting +# data: 2 +# datatype: dword +# when: rule_18_4_3 +# tags: +# - level1 +# - level2 +# - rule_18.4.3 +# - patch + +# - name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" +# win_regedit: +# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters +# state: present +# value: EnableICMPRedirect +# data: 0 +# datatype: dword +# when: rule_18_4_4 +# tags: +# - level1 +# - level2 +# - rule_18.4.4 +# - patch + +# - name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" +# win_regedit: +# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters +# state: present +# value: KeepAliveTime +# data: 300000 +# datatype: dword +# when: rule_18_4_5 +# tags: +# - level2 +# - rule_18.4.5 +# - patch + +# - name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters +# state: present +# name: NoNameReleaseOnDemand +# data: 1 +# 
type: dword +# when: rule_18_4_6 +# tags: +# - level1 +# - level2 +# - rule_18.4.6 +# - patch + +# - name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters +# state: present +# name: PerformRouterDiscovery +# data: 0 +# type: dword +# when: rule_18_4_7 +# tags: +# - level2 +# - rule_18.4.7 +# - patch + +# - name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Control\Session Manager +# name: SafeDllSearchMode +# data: 1 +# type: dword +# state: present +# when: rule_18_4_8 +# tags: +# - level1 +# - level2 +# - rule_18.4.8 +# - patch + +# - name: "SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon +# name: ScreenSaverGracePeriod +# data: 5 +# type: string +# state: present +# when: rule_18_4_9 +# tags: +# - level1 +# - level2 +# - rule_18.4.9 +# - patch + +# - name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters +# name: TcpMaxDataRetransmissions +# data: 3 +# type: dword +# when: rule_18_4_10 +# tags: +# - level2 +# - rule_18.4.10 +# - patch + +# - name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" +# win_regedit: +# path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters +# name: TcpMaxDataRetransmissions +# data: 3 +# type: dword +# when: rule_18_4_11 +# 
tags:
+# - level2
+# - rule_18.4.11
+# - patch
+
+# - name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
+# name: WarningLevel
+# data: 90
+# type: dword
+# when: rule_18_4_12
+# tags:
+# - level1
+# - level2
+# - rule_18.4.12
+# - patch
+
+
+# - name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only"
+# win_regedit:
+# path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters
+# name: NodeType
+# data: 2
+# type: dword
+# when:
+# - rule_18_5_4_1
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_18.5.4.1
+# - patch
+
+# - name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
+# name: EnableMulticast
+# data: 0
+# type: dword
+# when:
+# - rule_18_5_4_2
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_18.5.4.2
+# - patch
+
+# - name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+# name: EnableFontProviders
+# data: 0
+# type: dword
+# when: rule_18_5_5_1
+# tags:
+# - level2
+# - rule_18.5.5.1
+# - patch
+
+# - name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation
+# name: AllowInsecureGuestAuth
+# data: 0
+# type: dword
+# when: rule_18_5_8_1
+# tags:
+# - level1
+# - level2
+# - rule_18.5.8.1
+# - patch
+
+# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to 
Disabled" +# block: +# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: AllowLLTDIOOndomain +# data: 0 +# type: dword - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableLLTDIO - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitLLTDIOOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_1 - tags: - - level2 - - rule_18.5.9.1 - - patch - -- name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" - block: - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnDomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableRspndr - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder 
RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitRspndrOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_2 - tags: - - level2 - - rule_18.5.9.2 - - patch - -- name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Peernet - name: Disabled - data: 1 - type: dword - when: rule_18_5_10_2 - tags: - - level2 - - rule_18.5.10.2 - - patch - -- name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_AllowNetBridge_NLA - data: 0 - type: dword - when: rule_18_5_11_2 - tags: - - level1 - - level2 - - rule_18.5.11.2 - - patch - -- name: "SCORED | 18.5.11.3 | PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections - name: NC_ShowSharedAccessUI - data: 0 - type: dword - when: rule_18_5_11_3 - tags: - - level1 - - level2 - - rule_18.5.11.3 - - patch - -- name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_StdDomainUserSetLocation - data: 1 - type: dword - when: rule_18_5_11_4 - tags: - - level1 - - level2 - - rule_18.5.11.4 - - patch - -- name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" - block: - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity 
set for all NETLOGON shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\NETLOGON" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\SYSVOL" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - when: rule_18_5_14_1 - tags: - - level1 - - level2 - - rule_18.5.14.1 - - patch - -- name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters - name: DisabledComponents - data: 255 - type: dword - when: rule_18_5_19_2_1 - tags: - - level2 - - rule_18.5.19.2.1 - - patch - -- name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" - block: - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: EnableRegistrars - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableUPnPRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableInBand802DOT11Registrar - 
data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableFlashConfigRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableWPDRegistrar - data: 0 - type: dword - when: rule_18_5_20_1 - tags: - - level2 - - rule_18.5.20.1 - - patch - -- name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui - name: DisableWcnUi - data: 1 - type: dword - when: rule_18_5_20_2 - tags: - - level2 - - rule_18.5.20.2 - - patch - -- name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fMinimizeConnections - data: 1 - type: dword - when: rule_18_5_21_1 - tags: - - level1 - - level2 - - rule_18.5.21.1 - - patch - -- name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fBlockNonDomain - data: 1 - type: dword - when: - - rule_18_5_21_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level2 - - rule_18.5.21.2 - - patch - -- name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" - win_regedit: - path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit - name: ProcessCreationIncludeCmdLine_Enabled - data: 0 - type: dword - when: rule_18_8_3_1 - tags: - - level1 - - level2 - - rule_18.8.3.1 - - patch - - -- name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation - name: AllowProtectedCreds - data: 1 - type: dword - when: rule_18_8_4_1 - tags: - - level1 - - level2 - - rule_18.8.4.1 - - patch - -- name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: EnableVirtualizationBasedSecurity - data: 1 - type: dword - when: - - rule_18_8_5_1 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.1 - - patch - -- name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: RequirePlatformSecurityFeatures - data: 3 - type: dword - when: - - rule_18_8_5_2 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.2 - - patch - -- name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HypervisorEnforcedCodeIntegrity - data: 1 - type: dword - when: - - rule_18_8_5_3 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.3 - - patch - -- name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" - win_regedit: - path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HVCIMATRequired - data: 1 - type: dword - when: - - rule_18_8_5_4 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.4 - - patch - -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword - when: - - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_18.8.5.5 - - patch - -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword - when: - - rule_18_8_5_5 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.5 - - patch - -- name: "SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" - win_regedit: - path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch - name: DriverLoadPolicy - data: 3 - type: dword - when: rule_18_8_14_1 - tags: - - level1 - - level2 - - rule_18.8.14.1 - - patch - -- name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoBackgroundPolicy - data: 0 - type: dword - when: rule_18_8_21_2 - tags: - - level1 - - level2 - - rule_18.8.21.2 - - patch - -- name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoGPOListChanges - data: 0 - type: dword - when: rule_18_8_21_3 - tags: - - level1 - - level2 - - rule_18.8.21.3 - - patch - -- name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableCdp - data: 0 - type: dword - when: rule_18_8_21_4 - tags: - - level1 - - level2 - - rule_18.8.21.4 - - patch - -- name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: yes - when: rule_18_8_21_5 - tags: - - level1 - - level2 - - rule_18.8.21.5 - - patch - -- name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableWebPnPDownload - data: 1 - type: dword - when: rule_18_8_22_1_1 - tags: - - level1 - - level2 - - rule_18.8.22.1.1 - - patch - -- name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc - name: PreventHandwritingDataSharing - data: 1 - type: dword - when: rule_18_8_22_1_2 - tags: - - level2 - - rule_18.8.22.1.2 - - patch - -- name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports - name: PreventHandwritingErrorReports - data: 1 - type: dword - when: rule_18_8_22_1_3 - tags: - - level2 - - rule_18.8.22.1.3 - - patch - -- name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is 
referring to Microsoft.com is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard - name: ExitOnMSICW - data: 1 - type: dword - when: rule_18_8_22_1_4 - tags: - - level2 - - rule_18.8.22.1.4 - - patch - -- name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoWebServices - data: 1 - type: dword - when: rule_18_8_22_1_5 - tags: - - level1 - - level2 - - rule_18.8.22.1.5 - - patch - -- name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableHTTPPrinting - data: 1 - type: dword - when: rule_18_8_22_1_6 - tags: - - level1 - - level2 - - rule_18.8.22.1.6 - - patch - -- name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control - name: NoRegistration - data: 1 - type: dword - when: rule_18_8_22_1_7 - tags: - - level2 - - rule_18.8.22.1.7 - - patch - -- name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Searchcompanion - name: DisableContentFileUpdates - data: 1 - type: dword - when: rule_18_8_22_1_8 - tags: - - level2 - - rule_18.8.22.1.8 - - patch - -- name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoOnlinePrintsWizard - data: 1 - type: dword - when: rule_18_8_22_1_9 - tags: - - level2 - - rule_18.8.22.1.9 - - patch - -- name: "SCORED | 18.8.22.1.10 | PATCH | L2 
Ensure Turn off the Publish to Web task for files and folders is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoPublishingWizard - data: 1 - type: dword - when: rule_18_8_22_1_10 - tags: - - level2 - - rule_18.8.22.1.10 - - patch - -- name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Messenger\Client - name: CEIP - data: 2 - type: dword - when: rule_18_8_22_1_11 - tags: - - level2 - - rule_18.8.22.1.11 - - patch - -- name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows - name: CEIPEnable - data: 0 - type: dword - when: rule_18_8_22_1_12 - tags: - - level2 - - rule_18.8.22.1.12 - - patch - -- name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled" - block: - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting - name: Disabled - data: 1 - type: dword - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting - name: DoReport - data: 0 - type: dword - when: rule_18_8_22_1_13 - tags: - - level2 - - rule_18.8.22.1.13 - - patch - -- name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic" - block: - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" - win_regedit: - path: 
HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitBehavior - data: 0 - type: dword - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitEnabled - data: 1 - type: dword - when: rule_18_8_25_1 - tags: - - level2 - - rule_18.8.25.1 - - patch - -- name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Control Panel\International - name: BlockUserInputMethodsForSignIn - data: 1 - type: dword - when: rule_18_8_26_1 - tags: - - level2 - - rule_18.8.26.1 - - patch - -- name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockUserFromShowingAccountDetailsOnSignin - data: 1 - type: dword - when: rule_18_8_27_1 - tags: - - level1 - - level2 - - rule_18.8.27.1 - - patch - -- name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontDisplayNetworkSelectionUI - data: 1 - type: dword - when: rule_18_8_27_2 - tags: - - level1 - - level2 - - rule_18.8.27.2 - - patch - -- name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontEnumerateConnectedUsers - data: 1 - type: dword - when: rule_18_8_27_3 - tags: - - level1 - - level2 - - rule_18.8.27.3 - - patch - -- name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is 
set to Disabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: EnumerateLocalUsers - data: 0 - type: dword - when: rule_18_8_27_4 - tags: - - level1 - - level2 - - rule_18.8.27.4 - - patch - -- name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DisableLockScreenAppNotifications - data: 1 - type: dword - when: rule_18_8_27_5 - tags: - - level1 - - level2 - - rule_18.8.27.5 - - patch - -- name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockDomainPicturePassword - data: 1 - type: dword - when: rule_18_8_27_6 - tags: - - level1 - - level2 - - rule_18.8.27.6 - - patch - -- name: "SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: AllowDomainPINLogon - data: 0 - type: dword - when: rule_18_8_27_7 - tags: - - level1 - - level2 - - rule_18.8.27.7 - - patch +# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: AllowLLTDIOOnPublicNet +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: EnableLLTDIO +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: ProhibitLLTDIOOnPrivateNet +# data: 0 +# type: dword +# when: rule_18_5_9_1 +# tags: +# - level2 
+# - rule_18.5.9.1 +# - patch + +# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" +# block: +# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: AllowRspndrOnDomain +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: AllowRspndrOnPublicNet +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: EnableRspndr +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd +# name: ProhibitRspndrOnPrivateNet +# data: 0 +# type: dword +# when: rule_18_5_9_2 +# tags: +# - level2 +# - rule_18.5.9.2 +# - patch + +# - name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Peernet +# name: Disabled +# data: 1 +# type: dword +# when: rule_18_5_10_2 +# tags: +# - level2 +# - rule_18.5.10.2 +# - patch + +# - name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections +# name: NC_AllowNetBridge_NLA +# data: 0 +# type: dword +# when: rule_18_5_11_2 +# tags: +# - level1 +# - level2 +# - rule_18.5.11.2 +# - patch + +# - name: "SCORED | 18.5.11.3 | PATCH | L1 Ensure Prohibit use 
of Internet Connection Sharing on your DNS domain network is set to Enabled" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections +# name: NC_ShowSharedAccessUI +# data: 0 +# type: dword +# when: rule_18_5_11_3 +# tags: +# - level1 +# - level2 +# - rule_18.5.11.3 +# - patch + +# - name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections +# name: NC_StdDomainUserSetLocation +# data: 1 +# type: dword +# when: rule_18_5_11_4 +# tags: +# - level1 +# - level2 +# - rule_18.5.11.4 +# - patch + +# - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" +# block: +# - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths +# name: "\\\\*\\NETLOGON" +# data: "RequireMutualAuthentication=1, RequireIntegrity=1" +# type: string +# - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths +# name: "\\\\*\\SYSVOL" +# data: "RequireMutualAuthentication=1, RequireIntegrity=1" +# type: string +# when: rule_18_5_14_1 +# tags: +# - level1 +# - level2 +# - rule_18.5.14.1 +# - patch + +# - name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" +# win_regedit: +# path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters +# name: DisabledComponents +# data: 255 +# type: dword +# when: 
rule_18_5_19_2_1 +# tags: +# - level2 +# - rule_18.5.19.2.1 +# - patch + +# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" +# block: +# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars +# name: EnableRegistrars +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars +# name: DisableUPnPRegistrar +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars +# name: DisableInBand802DOT11Registrar +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars +# name: DisableFlashConfigRegistrar +# data: 0 +# type: dword + +# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars +# name: DisableWPDRegistrar +# data: 0 +# type: dword +# when: rule_18_5_20_1 +# tags: +# - level2 +# - rule_18.5.20.1 +# - patch + +# - name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui +# name: 
DisableWcnUi +# data: 1 +# type: dword +# when: rule_18_5_20_2 +# tags: +# - level2 +# - rule_18.5.20.2 +# - patch + +# - name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy +# name: fMinimizeConnections +# data: 1 +# type: dword +# when: rule_18_5_21_1 +# tags: +# - level1 +# - level2 +# - rule_18.5.21.1 +# - patch + +# - name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy +# name: fBlockNonDomain +# data: 1 +# type: dword +# when: +# - rule_18_5_21_2 +# - not ansible_windows_domain_role == "Primary domain controller" +# tags: +# - level2 +# - rule_18.5.21.2 +# - patch + +# - name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit +# name: ProcessCreationIncludeCmdLine_Enabled +# data: 0 +# type: dword +# when: rule_18_8_3_1 +# tags: +# - level1 +# - level2 +# - rule_18.8.3.1 +# - patch + + +# - name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation +# name: AllowProtectedCreds +# data: 1 +# type: dword +# when: rule_18_8_4_1 +# tags: +# - level1 +# - level2 +# - rule_18.8.4.1 +# - patch + +# - name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard +# name: EnableVirtualizationBasedSecurity +# data: 1 +# type: dword +# when: +# - rule_18_8_5_1 +# - 
ansible_windows_domain_role == "Member server" +# tags: +# - rule_18.8.5.1 +# - patch + +# - name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard +# name: RequirePlatformSecurityFeatures +# data: 3 +# type: dword +# when: +# - rule_18_8_5_2 +# - ansible_windows_domain_role == "Member server" +# tags: +# - rule_18.8.5.2 +# - patch + +# - name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard +# name: HypervisorEnforcedCodeIntegrity +# data: 1 +# type: dword +# when: +# - rule_18_8_5_3 +# - ansible_windows_domain_role == "Member server" +# tags: +# - rule_18.8.5.3 +# - patch + +# - name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard +# name: HVCIMATRequired +# data: 1 +# type: dword +# when: +# - rule_18_8_5_4 +# - ansible_windows_domain_role == "Member server" +# tags: +# - rule_18.8.5.4 +# - patch + +# - name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard +# name: LsaCfgFlags +# data: 1 +# type: dword +# when: +# - rule_18_8_5_5 +# - not ansible_windows_domain_role == "Primary domain controller" +# tags: +# - rule_18.8.5.5 +# - patch + +# - name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" +# win_regedit: +# path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+# name: LsaCfgFlags
+# data: 1
+# type: dword
+# when:
+# - rule_18_8_5_5
+# - ansible_windows_domain_role == "Member server"
+# tags:
+# - rule_18.8.5.5
+# - patch
+
+# - name: "SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical"
+# win_regedit:
+# path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
+# name: DriverLoadPolicy
+# data: 3
+# type: dword
+# when: rule_18_8_14_1
+# tags:
+# - level1
+# - level2
+# - rule_18.8.14.1
+# - patch
+
+# - name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+# name: NoBackgroundPolicy
+# data: 0
+# type: dword
+# when: rule_18_8_21_2
+# tags:
+# - level1
+# - level2
+# - rule_18.8.21.2
+# - patch
+
+# - name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+# name: NoGPOListChanges
+# data: 0
+# type: dword
+# when: rule_18_8_21_3
+# tags:
+# - level1
+# - level2
+# - rule_18.8.21.3
+# - patch
+
+# - name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+# name: EnableCdp
+# data: 0
+# type: dword
+# when: rule_18_8_21_4
+# tags:
+# - level1
+# - level2
+# - rule_18.8.21.4
+# - patch
+
+# - name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
+# state:
absent
+# delete_key: yes
+# when: rule_18_8_21_5
+# tags:
+# - level1
+# - level2
+# - rule_18.8.21.5
+# - patch
+
+# - name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+# name: DisableWebPnPDownload
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_1
+# tags:
+# - level1
+# - level2
+# - rule_18.8.22.1.1
+# - patch
+
+# - name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc
+# name: PreventHandwritingDataSharing
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_2
+# tags:
+# - level2
+# - rule_18.8.22.1.2
+# - patch
+
+# - name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports
+# name: PreventHandwritingErrorReports
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_3
+# tags:
+# - level2
+# - rule_18.8.22.1.3
+# - patch
+
+# - name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard
+# name: ExitOnMSICW
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_4
+# tags:
+# - level2
+# - rule_18.8.22.1.4
+# - patch
+
+# - name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+# name: NoWebServices
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_5
+# tags:
+# - level1
+# - level2
+# - rule_18.8.22.1.5
+# - patch
+
+# - name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off
printing over HTTP is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+# name: DisableHTTPPrinting
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_6
+# tags:
+# - level1
+# - level2
+# - rule_18.8.22.1.6
+# - patch
+
+# - name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
+# name: NoRegistration
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_7
+# tags:
+# - level2
+# - rule_18.8.22.1.7
+# - patch
+
+# - name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Searchcompanion
+# name: DisableContentFileUpdates
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_8
+# tags:
+# - level2
+# - rule_18.8.22.1.8
+# - patch
+
+# - name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+# name: NoOnlinePrintsWizard
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_9
+# tags:
+# - level2
+# - rule_18.8.22.1.9
+# - patch
+
+# - name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+# name: NoPublishingWizard
+# data: 1
+# type: dword
+# when: rule_18_8_22_1_10
+# tags:
+# - level2
+# - rule_18.8.22.1.10
+# - patch
+
+# - name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Messenger\Client
+# name: CEIP
+# data: 2
+# type: dword
+# when: rule_18_8_22_1_11
+# tags:
+# - level2
+# - rule_18.8.22.1.11
+# - patch
+
+# - name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
+# name: CEIPEnable
+# data: 0
+# type: dword
+# when: rule_18_8_22_1_12
+# tags:
+# - level2
+# - rule_18.8.22.1.12
+# - patch
+
+# - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled"
+# block:
+# - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
+# name: Disabled
+# data: 1
+# type: dword
+# - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
+# name: DoReport
+# data: 0
+# type: dword
+# when: rule_18_8_22_1_13
+# tags:
+# - level2
+# - rule_18.8.22.1.13
+# - patch
+
+# - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic"
+# block:
+# - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+# name: DevicePKInitBehavior
+# data: 0
+# type: dword
+# - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+# name: DevicePKInitEnabled
+# data: 1
+# type: dword
+# when: rule_18_8_25_1
+# tags:
+# - level2
+# - rule_18.8.25.1
+# - patch
+
+# - name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input
methods to the system account for sign-in is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Control Panel\International
+# name: BlockUserInputMethodsForSignIn
+# data: 1
+# type: dword
+# when: rule_18_8_26_1
+# tags:
+# - level2
+# - rule_18.8.26.1
+# - patch
+
+# - name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\System
+# name: BlockUserFromShowingAccountDetailsOnSignin
+# data: 1
+# type: dword
+# when: rule_18_8_27_1
+# tags:
+# - level1
+# - level2
+# - rule_18.8.27.1
+# - patch
+
+# - name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\System
+# name: DontDisplayNetworkSelectionUI
+# data: 1
+# type: dword
+# when: rule_18_8_27_2
+# tags:
+# - level1
+# - level2
+# - rule_18.8.27.2
+# - patch
+
+# - name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\System
+# name: DontEnumerateConnectedUsers
+# data: 1
+# type: dword
+# when: rule_18_8_27_3
+# tags:
+# - level1
+# - level2
+# - rule_18.8.27.3
+# - patch
+
+# - name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\System
+# name: EnumerateLocalUsers
+# data: 0
+# type: dword
+# when: rule_18_8_27_4
+# tags:
+# - level1
+# - level2
+# - rule_18.8.27.4
+# - patch
+
+# - name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\System
+# name: DisableLockScreenAppNotifications
+# data: 1
+# type: dword
+# when: rule_18_8_27_5
+# tags:
+# - level1
+# - level2
+# - rule_18.8.27.5
+# - patch
+
+# - name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\System
+# name: BlockDomainPicturePassword
+# data: 1
+# type: dword
+# when: rule_18_8_27_6
+# tags:
+# - level1
+# - level2
+# - rule_18.8.27.6
+# - patch
+
+# - name: "SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\System
+# name: AllowDomainPINLogon
+# data: 0
+# type: dword
+# when: rule_18_8_27_7
+# tags:
+# - level1
+# - level2
+# - rule_18.8.27.7
+# - patch
-- name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions
- name: MitigationOptions_FontBocking
- data: 0
- type: dword
- when: rule_18_8_28_1
- tags:
- - level1
- - level2
- - rule_18.8.28.1
- - patch
-
-- name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
- name: ACSettingIndex
- data: 0
- type: dword
- when: rule_18_8_33_6_2
- tags:
- - level2
- - rule_18.8.33.6.2
- - patch
-
-- name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
- name: DCSettingIndex
- data: 1
- type: dword
- when: rule_18_8_33_6_3
- tags:
- - level1
- - level2
- - rule_18.8.33.6.3
- - patch
-
-- name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled"
- win_regedit:
- path:
HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
- name: ACSettingIndex
- data: 1
- type: dword
- when: rule_18_8_33_6_4
- tags:
- - level1
- - level2
- - rule_18.8.33.6.4
- - patch
-
-- name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fAllowUnsolicited
- data: 0
- type: dword
- when: rule_18_8_35_1
- tags:
- - level1
- - level2
- - rule_18.8.35.1
- - patch
-
-- name: "SCORED | 18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fAllowToGetHelp
- data: 0
- type: dword
- when: rule_18_8_35_2
- tags:
- - level1
- - level2
- - rule_18.8.35.2
- - patch
-
-- name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
- name: EnableAuthEpResolution
- data: 1
- type: dword
- when:
- - rule_18_8_36_1
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_18.8.36.1
- - patch
-
-- name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
- name: RestrictRemoteClients
- data: 1
- type: dword
- when:
- - rule_18_8_36_2
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level2
- - rule_18.8.36.2
- - patch
-
-- name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
- name: DisableQueryRemoteServer
- data: 0
- type:
dword
- when: rule_18_8_44_5_1
- tags:
- - level2
- - rule_18.8.44.5.1
- - patch
-
-- name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
- name: ScenarioExecutionEnabled
- data: 0
- type: dword
- when: rule_18_8_44_11_1
- tags:
- - level2
- - rule_18.8.44.11.1
- - patch
-
-- name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
- name: DisabledByGroupPolicy
- data: 1
- type: dword
- when: rule_18_8_46_1
- tags:
- - level2
- - rule_18.8.46.1
- - patch
-
-- name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
- name: Enabled
- data: 1
- type: dword
- when: rule_18_8_49_1_1
- tags:
- - level2
- - rule_18.8.49.1.1
- - patch
-
-- name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
- name: Enabled
- data: 1
- type: dword
- when:
- - rule_18_8_49_1_2
- - not ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level2
- - rule_18.8.49.1.2
- - patch
-
-- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
- name: AllowSharedLocalAppData
- data: 0
- type: dword
- when: rule_18_9_4_1
- tags:
- - level2
- - rule_18.9.4.1
- - patch
-
-- name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: MSAOptional
- data: 1
- type:
dword
- when: rule_18_9_6_1
- tags:
- - level1
- - level2
- - rule_18.9.6.1
- - patch
-
-- name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
- name: NoAutoplayfornonVolume
- data: 1
- type: dword
- when: rule_18_9_8_1
- tags:
- - level1
- - level2
- - rule_18.9.8.1
- - patch
-
-- name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoAutorun
- data: 1
- type: dword
- when: rule_18_9_8_2
- tags:
- - level1
- - level2
- - rule_18.9.8.2
- - patch
-
-- name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoDriveTypeAutoRun
- data: 255
- type: dword
- when: rule_18_9_8_3
- tags:
- - level1
- - level2
- - rule_18.9.8.3
- - patch
-
-- name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
- name: EnhancedAntiSpoofing
- data: 1
- type: dword
- when: rule_18_9_10_1_1
- tags:
- - level1
- - level2
- - rule_18.9.10.1.1
- - patch
-
-- name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
- name: AllowCamera
- data: 1
- type: dword
- when: rule_18_9_12_1
- tags:
- - level2
- - rule_18.9.12.1
- - patch
-
-- name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
- name: DisableWindowsConsumerFeatures
- data: 1
- type: dword
- when: rule_18_9_13_1
- tags:
- - level1
- - level2
- - rule_18.9.13.1
-
- patch
-
-- name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
- name: RequirePinForPairing
- data: 1
- type: dword
- when: rule_18_9_14_1
- tags:
- - level1
- - level2
- - rule_18.9.14.1
- - patch
-
-- name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Credui
- name: DisablePasswordReveal
- data: 1
- type: dword
- when: rule_18_9_15_1
- tags:
- - level1
- - level2
- - rule_18.9.15.1
- - patch
-
-- name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
- name: EnumerateAdministrators
- data: 0
- type: dword
- when: rule_18_9_15_2
- tags:
- - level1
- - level2
- - rule_18.9.15.2
- - patch
-
-- name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
- name: AllowTelemetry
- data: 0
- type: dword
- when: rule_18_9_16_1
- tags:
- - level1
- - level2
- - rule_18.9.16.1
- - patch
-
-- name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
- name: DisableEnterpriseAuthProxy
- data: 0
- type: dword
- when: rule_18_9_16_2
- tags:
- - level2
- - rule_18.9.16.2
- - patch
+# - name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions
+# name: MitigationOptions_FontBocking
+# data: 0
+# type: dword
+# when: rule_18_8_28_1
+# tags:
+# - level1
+# - level2
+# - rule_18.8.28.1
+# - patch
+
+# - name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+# name: ACSettingIndex
+# data: 0
+# type: dword
+# when: rule_18_8_33_6_2
+# tags:
+# - level2
+# - rule_18.8.33.6.2
+# - patch
+
+# - name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+# name: DCSettingIndex
+# data: 1
+# type: dword
+# when: rule_18_8_33_6_3
+# tags:
+# - level1
+# - level2
+# - rule_18.8.33.6.3
+# - patch
+
+# - name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+# name: ACSettingIndex
+# data: 1
+# type: dword
+# when: rule_18_8_33_6_4
+# tags:
+# - level1
+# - level2
+# - rule_18.8.33.6.4
+# - patch
+
+# - name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fAllowUnsolicited
+# data: 0
+# type: dword
+# when: rule_18_8_35_1
+# tags:
+# - level1
+# - level2
+# - rule_18.8.35.1
+# - patch
+
+# - name: "SCORED | 18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fAllowToGetHelp
+# data: 0
+# type: dword
+# when: rule_18_8_35_2
+# tags:
+# - level1
+# - level2
+# - rule_18.8.35.2
+# - patch
+
+# - name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Enable
RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+# name: EnableAuthEpResolution
+# data: 1
+# type: dword
+# when:
+# - rule_18_8_36_1
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level1
+# - level2
+# - rule_18.8.36.1
+# - patch
+
+# - name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+# name: RestrictRemoteClients
+# data: 1
+# type: dword
+# when:
+# - rule_18_8_36_2
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level2
+# - rule_18.8.36.2
+# - patch
+
+# - name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
+# name: DisableQueryRemoteServer
+# data: 0
+# type: dword
+# when: rule_18_8_44_5_1
+# tags:
+# - level2
+# - rule_18.8.44.5.1
+# - patch
+
+# - name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
+# name: ScenarioExecutionEnabled
+# data: 0
+# type: dword
+# when: rule_18_8_44_11_1
+# tags:
+# - level2
+# - rule_18.8.44.11.1
+# - patch
+
+# - name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
+# name: DisabledByGroupPolicy
+# data: 1
+# type: dword
+# when: rule_18_8_46_1
+# tags:
+# - level2
+# - rule_18.8.46.1
+# - patch
+
+# - name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled"
+# win_regedit:
+# path:
HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
+# name: Enabled
+# data: 1
+# type: dword
+# when: rule_18_8_49_1_1
+# tags:
+# - level2
+# - rule_18.8.49.1.1
+# - patch
+
+# - name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
+# name: Enabled
+# data: 1
+# type: dword
+# when:
+# - rule_18_8_49_1_2
+# - not ansible_windows_domain_role == "Primary domain controller"
+# tags:
+# - level2
+# - rule_18.8.49.1.2
+# - patch
+
+# - name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
+# name: AllowSharedLocalAppData
+# data: 0
+# type: dword
+# when: rule_18_9_4_1
+# tags:
+# - level2
+# - rule_18.9.4.1
+# - patch
+
+# - name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+# name: MSAOptional
+# data: 1
+# type: dword
+# when: rule_18_9_6_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.6.1
+# - patch
+
+# - name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+# name: NoAutoplayfornonVolume
+# data: 1
+# type: dword
+# when: rule_18_9_8_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.8.1
+# - patch
+
+# - name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+# name: NoAutorun
+# data: 1
+# type: dword
+# when: rule_18_9_8_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.8.2
+# - patch
+
+# - name:
"SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+# name: NoDriveTypeAutoRun
+# data: 255
+# type: dword
+# when: rule_18_9_8_3
+# tags:
+# - level1
+# - level2
+# - rule_18.9.8.3
+# - patch
+
+# - name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
+# name: EnhancedAntiSpoofing
+# data: 1
+# type: dword
+# when: rule_18_9_10_1_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.10.1.1
+# - patch
+
+# - name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
+# name: AllowCamera
+# data: 1
+# type: dword
+# when: rule_18_9_12_1
+# tags:
+# - level2
+# - rule_18.9.12.1
+# - patch
+
+# - name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
+# name: DisableWindowsConsumerFeatures
+# data: 1
+# type: dword
+# when: rule_18_9_13_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.13.1
+# - patch
+
+# - name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
+# win_regedit:
+# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
+# name: RequirePinForPairing
+# data: 1
+# type: dword
+# when: rule_18_9_14_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.14.1
+# - patch
+
+# - name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Credui
+# name: DisablePasswordReveal
+# data: 1
+# type: dword
+# when: rule_18_9_15_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.15.1
+# - patch
+
+# - name: "SCORED | 18.9.15.2 |
PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
+# name: EnumerateAdministrators
+# data: 0
+# type: dword
+# when: rule_18_9_15_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.15.2
+# - patch
+
+# - name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+# name: AllowTelemetry
+# data: 0
+# type: dword
+# when: rule_18_9_16_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.16.1
+# - patch
+
+# - name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+# name: DisableEnterpriseAuthProxy
+# data: 0
+# type: dword
+# when: rule_18_9_16_2
+# tags:
+# - level2
+# - rule_18.9.16.2
+# - patch
-- name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds
- name: EnableConfigFlighting
- data: 01
- type: dword
- when: rule_18_9_16_3
- tags:
- - level1
- - level2
- - rule_18.9.16.3
- - patch
-
-- name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
- name: DoNotShowFeedbackNotifications
- data: 1
- type: dword
- when: rule_18_9_16_4
- tags:
- - level1
- - level2
- - rule_18.9.16.4
- - patch
-
-- name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
- name: AllowBuildPreview
- data: 0
- type: dword
- when:
rule_18_9_16_5
- tags:
- - level1
- - level2
- - rule_18.9.16.5
- - patch
-
-- name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
- name: Retention
- data: 0
- type: dword
- when: rule_18_9_26_1_1
- tags:
- - level1
- - level2
- - rule_18.9.26.1.1
- - patch
-
-- name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
- name: MaxSize
- data: 65538
- type: dword
- when: rule_18_9_26_1_2
- tags:
- - level1
- - level2
- - rule_18.9.26.1.2
- - patch
-
-- name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
- name: Retention
- data: 0
- type: string
- when: rule_18_9_26_2_1
- tags:
- - level1
- - level2
- - rule_18.9.26.2.1
- - patch
-
-- name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
- name: MaxSize
- data: 196608
- type: dword
- when: rule_18_9_26_2_2
- tags:
- - level1
- - level2
- - rule_18.9.26.2.2
- - patch
-
-- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
- name: Retention
- data: 0
- type: string
- when: rule_18_9_26_3_1
- tags:
- - level1
- - level2
- - rule_18.9.26.3.1
- - patch
-
-- name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or
greater"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
- name: MaxSize
- data: 32768
- type: dword
- when: rule_18_9_26_3_2
- tags:
- - level1
- - level2
- - rule_18.9.26.3.2
- - patch
-
-- name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
- name: Retention
- data: 0
- type: string
- when: rule_18_9_26_4_1
- tags:
- - level1
- - level2
- - rule_18.9.26.4.1
- - patch
-
-- name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
- name: MaxSize
- data: 65538
- type: dword
- when: rule_18_9_26_4_2
- tags:
- - level1
- - level2
- - rule_18.9.26.4.2
- - patch
-
-- name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
- name: NoDataExecutionPrevention
- data: 0
- type: dword
- when: rule_18_9_30_2
- tags:
- - level1
- - level2
- - rule_18.9.30.2
- - patch
-
-- name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
- name: NoHeapTerminationOnCorruption
- data: 0
- type: dword
- when: rule_18_9_30_3
- tags:
- - level1
- - level2
- - rule_18.9.30.3
- - patch
-
-- name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: PreXPSP2ShellProtocolBehavior
- data: 0
- type: dword
- when: rule_18_9_30_4
- tags:
- - level1
- - level2
- - rule_18.9.30.4
- - patch
-
-- name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is
set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
- name: DisableLocation
- data: 1
- type: dword
- when: rule_18_9_39_2
- tags:
- - level2
- - rule_18.9.39.2
- - patch
-
-- name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
- name: AllowMessageSync
- data: 0
- type: dword
- when: rule_18_9_43_1
- tags:
- - level2
- - rule_18.9.43.1
- - patch
-
-- name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
- name: DisableUserAuth
- data: 1
- type: dword
- when: rule_18_9_44_1
- tags:
- - level1
- - level2
- - rule_18.9.44.1
- - patch
-
-- name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
- name: DisableFileSyncNGSC
- data: 1
- type: dword
- when: rule_18_9_52_1
- tags:
- - level1
- - level2
- - rule_18.9.52.1
- - patch
-
-- name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: DisablePasswordSaving
- data: 1
- type: dword
- when: rule_18_9_58_2_2
- tags:
- - level1
- - level2
- - rule_18.9.58.2.2
- - patch
-
-- name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fSingleSessionPerUser
- data: 1
- type: dword
- when: rule_18_9_58_3_2_1
- tags:
- - level2
- - rule_18.9.58.3.2.1
- - patch
-
-- name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled"
-
win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fDisableCcm
- data: 1
- type: dword
- when: rule_18_9_58_3_3_1
- tags:
- - level2
- - rule_18.9.58.3.3.1
- - patch
-
-- name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fDisableCdm
- data: 1
- type: dword
- when: rule_18_9_58_3_3_2
- tags:
- - level1
- - level2
- - rule_18.9.58.3.3.2
- - patch
-
-- name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fDisableLPT
- data: 1
- type: dword
- when: rule_18_9_58_3_3_3
- tags:
- - level2
- - rule_18.9.58.3.3.3
- - patch
-
-- name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fDisablePNPRedir
- data: 1
- type: dword
- when: rule_18_9_58_3_3_4
- tags:
- - level2
- - rule_18.9.58.3.3.4
- - patch
-
-- name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fPromptForPassword
- data: 1
- type: dword
- when: rule_18_9_58_3_9_1
- tags:
- - level1
- - level2
- - rule_18.9.58.3.9.1
- - patch
-
-- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fEncryptRPCTraffic
- data: 1
- type: dword
- when: rule_18_9_58_3_9_2
- tags:
- - level1
- - level2
- - rule_18.9.58.3.9.2
- - audit
-
-- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
- win_regedit:
-
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
- name: fEncryptRPCTraffic
- data: 1
- type: dword
- when: rule_18_9_58_3_9_2
- tags:
- - level1
- - level2
- - rule_18.9.58.3.9.2
- - patch
-
-- name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: MinEncryptionLevel
- data: 3
- type: dword
- when: rule_18_9_58_3_9_3
- tags:
- - level1
- - level2
- - rule_18.9.58.3.9.3
- - patch
-
-- name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: MaxIdleTime
- data: 3600000
- type: dword
- when: rule_18_9_58_3_10_1
- tags:
- - level2
- - rule_18.9.58.3.10.1
- - patch
-
-- name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: MaxDisconnectionTime
- data: 28800000
- type: dword
- when: rule_18_9_58_3_10_2
- tags:
- - level2
- - rule_18.9.58.3.10.2
- - patch
-
-- name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: DeleteTempDirsOnExit
- data: 1
- type: dword
- when: rule_18_9_58_3_11_1
- tags:
- - level1
- - level2
- - rule_18.9.58.3.11.1
- - patch
-
-- name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: PerSessionTempDir
- data: 1
- type: dword
- when: rule_18_9_58_3_11_2
- tags:
- - level1
- - level2
- - rule_18.9.58.3.11.2
- - patch
-
-- name: "SCORED
| 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
- name: DisableEnclosureDownload
- data: 1
- type: dword
- when: rule_18_9_59_1
- tags:
- - level1
- - level2
- - rule_18.9.59.1
- - patch
-
-- name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
- name: AllowCloudSearch
- data: 0
- type: dword
- when: rule_18_9_60_2
- tags:
- - level2
- - rule_18.9.60.2
- - patch
-
-- name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
- name: AllowIndexingEncryptedStoresOrItems
- data: 0
- type: dword
- when: rule_18_9_60_3
- tags:
- - level1
- - level2
- - rule_18.9.60.3
- - patch
-
-- name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
- name: NoGenTicket
- data: 1
- type: dword
- when: rule_18_9_65_1
- tags:
- - level2
- - rule_18.9.65.1
- - patch
-
-- name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
- name: LocalSettingOverrideSpynetReporting
- data: 0
- type: dword
- when: rule_18_9_76_3_1
- tags:
- - level1
- - level2
- - rule_18.9.76.3.1
- - patch
-
-- name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
- name: SpynetReporting
- data: 0
- type: dword
- when: rule_18_9_76_3_2
- tags:
- - level2
- - rule_18.9.76.3.2
- - patch
-
-- name: "SCORED | 18.9.76.7.1 | PATCH
| L1 Ensure Turn on behavior monitoring is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
- name: DisableBehaviorMonitoring
- data: 0
- type: dword
- when: rule_18_9_76_7_1
- tags:
- - level1
- - level2
- - rule_18.9.76.7.1
- - patch
-
-- name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
- name: DisableGenericRePorts
- data: 1
- type: dword
- when: rule_18_9_76_9_1
- tags:
- - level2
- - rule_18.9.76.9.1
- - patch
-
-- name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
- name: DisableRemovableDriveScanning
- data: 0
- type: dword
- when: rule_18_9_76_10_1
- tags:
- - level1
- - level2
- - rule_18.9.76.10.1
- - patch
-
-- name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
- name: DisableEmailScanning
- data: 0
- type: dword
- when: rule_18_9_76_10_2
- tags:
- - level1
- - level2
- - rule_18.9.76.10.2
- - patch
-
-- name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
- name: ExploitGuard_ASR_Rules
- data: 1
- type: dword
- when: rule_18_9_76_13_1_1
- tags:
- - level1
- - level2
- - rule_18.9.76.13.1.1
- - patch
-
-- name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
- name: "{{ item }}"
- data: 1
- type: string # aka REG_SZ
- loop:
- - 26190899-1602-49e8-8b27-eb1d0a1ce869
- -
3b576869-a4ec-4529-8536-b80a7769e899
- - 5beb7efe-fd9a-4556-801d-275e5ffc04cc
- - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
- - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
- - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
- - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
- - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
- - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
- - d3e037e1-3eb8-44c8-a917-57927947596d
- - d4f940ab-401b-4efc-aadc-ad5f3c50688a
- when: rule_18_9_76_13_1_2
- tags:
- - level1
- - level2
- - rule_18.9.76.13.1.2
- - patch
-
-- name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
- name: ExploitGuard_ASR_Rules
- data: 1
- type: dword
- when: rule_18_9_76_13_3_1
- tags:
- - level1
- - level2
- - rule_18.9.76.13.3.1
- - patch
-
-- name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender
- name: DisableAntiSpyware
- data: 0
- type: dword
- when: rule_18_9_76_14
- tags:
- - level1
- - level2
- - rule_18.9.76.14
- - patch
-
-- name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
- name: DisallowExploitProtectionOverride
- data: 1
- type: dword
- when: rule_18_9_79_1_1
- tags:
- - level1
- - level2
- - rule_18.9.79.1.1
- - patch
-
-- name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass"
- block:
- - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: EnableSmartScreen
- data: 1
- type: dword
- - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: ShellSmartScreenLevel
- data: Block
- type: string
- when: rule_18_9_80_1_1
- tags:
- - level1
- - level2
- - rule_18.9.80.1.1
- - patch
-
-- name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace
- name: AllowSuggestedAppsInWindowsInkWorkspace
- data: 0
- type: dword
- when: rule_18_9_84_1
- tags:
- - level2
- - rule_18.9.84.1
- - patch
-
-- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
- name: AllowWindowsInkWorkspace
- data: 1
- type: dword
- when: rule_18_9_84_2
- tags:
- - level1
- - level2
- - rule_18.9.84.2
- - patch
-
-- name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: EnableUserControl
- data: 0
- type: dword
- when: rule_18_9_85_1
- tags:
- - level1
- - level2
- - rule_18.9.85.1
- - patch
-
-- name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: AlwaysInstallElevated
- data: 0
- type: dword
- when: rule_18_9_85_2
- tags:
- - level1
- - level2
- - rule_18.9.85.2
- - patch
-
-- name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: SafeForScripting
- data:
0
- type: dword
- when: rule_18_9_85_3
- tags:
- - level2
- - rule_18.9.85.3
- - patch
-
-- name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: DisableAutomaticRestartSignOn
- data: 1
- type: dword
- when: rule_18_9_86_1
- tags:
- - level1
- - level2
- - rule_18.9.86.1
- - patch
-
-- name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
- name: EnableScriptBlockLogging
- data: 1
- type: dword
- when: rule_18_9_95_1
- tags:
- - level1
- - level2
- - rule_18.9.95.1
- - patch
-
-- name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
- name: EnableTranscripting
- data: 1
- type: dword
- when: rule_18_9_95_2
- tags:
- - level1
- - level2
- - rule_18.9.95.2
- - patch
-
-- name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
- name: AllowBasic
- data: 0
- type: dword
- when: rule_18_9_97_1_1
- tags:
- - level1
- - level2
- - rule_18.9.97.1.1
- - patch
-
-- name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
- name: AllowUnencryptedTraffic
- data: 0
- type: dword
- when: rule_18_9_97_1_2
- tags:
- - level1
- - level2
- - rule_18.9.97.1.2
- - patch
-
-- name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
- name: AllowDigest
- data: 0
- type: dword
- when:
rule_18_9_97_1_3
- tags:
- - level1
- - level2
- - rule_18.9.97.1.3
- - patch
-
-- name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: AllowBasic
- data: 0
- type: dword
- when: rule_18_9_97_2_1
- tags:
- - level1
- - level2
- - rule_18.9.97.2.1
- - patch
-
-#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
-- name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: AllowAutoConfig
- data: 1
- type: dword
- when:
- - rule_18_9_97_2_2
- - is_implemented
- tags:
- - level2
- - rule_18.9.97.2.2
- - patch
-
-- name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: AllowUnencryptedTraffic
- data: 0
- type: dword
- when: rule_18_9_97_2_3
- tags:
- - level1
- - level2
- - rule_18.9.97.2.3
- - patch
-
-- name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: DisableRunAs
- data: 1
- type: dword
- when: rule_18_9_97_2_4
- tags:
- - level1
- - level2
- - rule_18.9.97.2.4
- - patch
-
-#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
-- name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
- name: AllowRemoteShellAccess
- data: 1
- type: dword
- when:
- - rule_18_9_98_1
- - is_implemented
- tags:
- - level2
- - rule_18.9.98.1
- - patch
-
-- name: "SCORED | 18.9.101.1.1
| PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds"
- block:
- - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: ManagePreviewBuilds
- data: 1
- type: dword
- - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: ManagePreviewBuildsPolicyValue
- data: 0
- type: dword
- when: rule_18_9_101_1_1
- tags:
- - level1
- - level2
- - rule_18.9.101.1.1
- - patch
-
-- name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days"
- block:
- - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferFeatureUpdates
- data: 1
- type: dword
- - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferFeatureUpdatesPeriodInDays
- data: 180
- type: dword
- - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: BranchReadinessLevel
- data: 16
- type: dword
- when: rule_18_9_101_1_2
- tags:
- - level1
- - level2
- - rule_18.9.101.1.2
- - patch
-
--
name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days"
- block:
- - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferQualityUpdates
- data: 1
- type: dword
- - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferQualityUpdatesPeriodInDays
- data: 0
- type: dword
- when: rule_18_9_101_1_3
- tags:
- - level1
- - level2
- - rule_18.9.101.1.3
- - patch
-
-- name: "SCORED | 18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
- name: NoAutoUpdate
- data: 0
- type: dword
- when: rule_18_9_101_2
- tags:
- - level1
- - level2
- - rule_18.9.101.2
- - patch
-
-- name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
- name: ScheduledInstallDay
- data: 0
- type: dword
- when: rule_18_9_101_3
- tags:
- - level1
- - level2
- - rule_18.9.101.3
- - patch
-
-- name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
- name: NoAutoRebootWithLoggedOnUsers
- data: 0
- type: dword
- when: rule_18_9_101_4
- tags:
- - level1
- - level2
- - rule_18.9.101.4
- - patch
+# - name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled"
+# win_regedit:
+# path:
HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds
+# name: EnableConfigFlighting
+# data: 01
+# type: dword
+# when: rule_18_9_16_3
+# tags:
+# - level1
+# - level2
+# - rule_18.9.16.3
+# - patch
+
+# - name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+# name: DoNotShowFeedbackNotifications
+# data: 1
+# type: dword
+# when: rule_18_9_16_4
+# tags:
+# - level1
+# - level2
+# - rule_18.9.16.4
+# - patch
+
+# - name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
+# name: AllowBuildPreview
+# data: 0
+# type: dword
+# when: rule_18_9_16_5
+# tags:
+# - level1
+# - level2
+# - rule_18.9.16.5
+# - patch
+
+# - name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
+# name: Retention
+# data: 0
+# type: dword
+# when: rule_18_9_26_1_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.1.1
+# - patch
+
+# - name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
+# name: MaxSize
+# data: 65538
+# type: dword
+# when: rule_18_9_26_1_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.1.2
+# - patch
+
+# - name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+# name: Retention
+# data: 0
+# type: string
+# when: rule_18_9_26_2_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.2.1
+# -
patch
+
+# - name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+# name: MaxSize
+# data: 196608
+# type: dword
+# when: rule_18_9_26_2_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.2.2
+# - patch
+
+# - name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
+# name: Retention
+# data: 0
+# type: string
+# when: rule_18_9_26_3_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.3.1
+# - patch
+
+# - name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
+# name: MaxSize
+# data: 32768
+# type: dword
+# when: rule_18_9_26_3_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.3.2
+# - patch
+
+# - name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+# name: Retention
+# data: 0
+# type: string
+# when: rule_18_9_26_4_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.4.1
+# - patch
+
+# - name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+# name: MaxSize
+# data: 65538
+# type: dword
+# when: rule_18_9_26_4_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.26.4.2
+# - patch
+
+# - name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled"
+# win_regedit:
+# path:
HKLM:\Software\Policies\Microsoft\Windows\Explorer
+# name: NoDataExecutionPrevention
+# data: 0
+# type: dword
+# when: rule_18_9_30_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.30.2
+# - patch
+
+# - name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+# name: NoHeapTerminationOnCorruption
+# data: 0
+# type: dword
+# when: rule_18_9_30_3
+# tags:
+# - level1
+# - level2
+# - rule_18.9.30.3
+# - patch
+
+# - name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+# name: PreXPSP2ShellProtocolBehavior
+# data: 0
+# type: dword
+# when: rule_18_9_30_4
+# tags:
+# - level1
+# - level2
+# - rule_18.9.30.4
+# - patch
+
+# - name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
+# name: DisableLocation
+# data: 1
+# type: dword
+# when: rule_18_9_39_2
+# tags:
+# - level2
+# - rule_18.9.39.2
+# - patch
+
+# - name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
+# name: AllowMessageSync
+# data: 0
+# type: dword
+# when: rule_18_9_43_1
+# tags:
+# - level2
+# - rule_18.9.43.1
+# - patch
+
+# - name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
+# name: DisableUserAuth
+# data: 1
+# type: dword
+# when: rule_18_9_44_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.44.1
+# - patch
+
+# - name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
+# win_regedit:
+# path:
HKLM:\Software\Policies\Microsoft\Windows\Onedrive
+# name: DisableFileSyncNGSC
+# data: 1
+# type: dword
+# when: rule_18_9_52_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.52.1
+# - patch
+
+# - name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: DisablePasswordSaving
+# data: 1
+# type: dword
+# when: rule_18_9_58_2_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.2.2
+# - patch
+
+# - name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fSingleSessionPerUser
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_2_1
+# tags:
+# - level2
+# - rule_18.9.58.3.2.1
+# - patch
+
+# - name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fDisableCcm
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_3_1
+# tags:
+# - level2
+# - rule_18.9.58.3.3.1
+# - patch
+
+# - name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fDisableCdm
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_3_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.3.3.2
+# - patch
+
+# - name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fDisableLPT
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_3_3
+# tags:
+# - level2
+# - rule_18.9.58.3.3.3
+# - patch
+
+# - name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow
supported Plug and Play device redirection is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fDisablePNPRedir
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_3_4
+# tags:
+# - level2
+# - rule_18.9.58.3.3.4
+# - patch
+
+# - name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fPromptForPassword
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_9_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.3.9.1
+# - patch
+
+# - name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: fEncryptRPCTraffic
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_9_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.3.9.2
+# - audit
+
+# - name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
+# name: fEncryptRPCTraffic
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_9_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.3.9.2
+# - patch
+
+# - name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: MinEncryptionLevel
+# data: 3
+# type: dword
+# when: rule_18_9_58_3_9_3
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.3.9.3
+# - patch
+
+# - name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: MaxIdleTime
+# data: 3600000
+# type:
dword
+# when: rule_18_9_58_3_10_1
+# tags:
+# - level2
+# - rule_18.9.58.3.10.1
+# - patch
+
+# - name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: MaxDisconnectionTime
+# data: 28800000
+# type: dword
+# when: rule_18_9_58_3_10_2
+# tags:
+# - level2
+# - rule_18.9.58.3.10.2
+# - patch
+
+# - name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: DeleteTempDirsOnExit
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_11_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.3.11.1
+# - patch
+
+# - name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+# name: PerSessionTempDir
+# data: 1
+# type: dword
+# when: rule_18_9_58_3_11_2
+# tags:
+# - level1
+# - level2
+# - rule_18.9.58.3.11.2
+# - patch
+
+# - name: "SCORED | 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
+# name: DisableEnclosureDownload
+# data: 1
+# type: dword
+# when: rule_18_9_59_1
+# tags:
+# - level1
+# - level2
+# - rule_18.9.59.1
+# - patch
+
+# - name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
+# win_regedit:
+# path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
+# name: AllowCloudSearch
+# data: 0
+# type: dword
+# when: rule_18_9_60_2
+# tags:
+# - level2
+# - rule_18.9.60.2
+# - patch
+
+# - name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled"
+# win_regedit:
+# path:
HKLM:\Software\Policies\Microsoft\Windows\Windows Search +# name: AllowIndexingEncryptedStoresOrItems +# data: 0 +# type: dword +# when: rule_18_9_60_3 +# tags: +# - level1 +# - level2 +# - rule_18.9.60.3 +# - patch + +# - name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform +# name: NoGenTicket +# data: 1 +# type: dword +# when: rule_18_9_65_1 +# tags: +# - level2 +# - rule_18.9.65.1 +# - patch + +# - name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet +# name: LocalSettingOverrideSpynetReporting +# data: 0 +# type: dword +# when: rule_18_9_76_3_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.3.1 +# - patch + +# - name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet +# name: SpynetReporting +# data: 0 +# type: dword +# when: rule_18_9_76_3_2 +# tags: +# - level2 +# - rule_18.9.76.3.2 +# - patch + +# - name: "SCORED | 18.9.76.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection +# name: DisableBehaviorMonitoring +# data: 0 +# type: dword +# when: rule_18_9_76_7_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.7.1 +# - patch + +# - name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting +# name: DisableGenericRePorts +# data: 1 +# type: dword +# when: rule_18_9_76_9_1 +# tags: +# - level2 +# - rule_18.9.76.9.1 +# - patch + +# - name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan 
removable drives is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan +# name: DisableRemovableDriveScanning +# data: 0 +# type: dword +# when: rule_18_9_76_10_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.10.1 +# - patch + +# - name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan +# name: DisableEmailScanning +# data: 0 +# type: dword +# when: rule_18_9_76_10_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.10.2 +# - patch + +# - name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR +# name: ExploitGuard_ASR_Rules +# data: 1 +# type: dword +# when: rule_18_9_76_13_1_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.13.1.1 +# - patch + +# - name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules +# name: "{{ item }}" +# data: 1 +# type: string # aka REG_SZ +# loop: +# - 26190899-1602-49e8-8b27-eb1d0a1ce869 +# - 3b576869-a4ec-4529-8536-b80a7769e899 +# - 5beb7efe-fd9a-4556-801d-275e5ffc04cc +# - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 +# - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +# - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b +# - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +# - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +# - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 +# - d3e037e1-3eb8-44c8-a917-57927947596d +# - d4f940ab-401b-4efc-aadc-ad5f3c50688a +# when: rule_18_9_76_13_1_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.13.1.2 +# - patch + +# - name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites 
is set to Enabled Block" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection +# name: ExploitGuard_ASR_Rules +# data: 1 +# type: dword +# when: rule_18_9_76_13_3_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.13.3.1 +# - patch + +# - name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender +# name: DisableAntiSpyware +# data: 0 +# type: dword +# when: rule_18_9_76_14 +# tags: +# - level1 +# - level2 +# - rule_18.9.76.14 +# - patch + +# - name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection +# name: DisallowExploitProtectionOverride +# data: 1 +# type: dword +# when: rule_18_9_79_1_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.79.1.1 +# - patch + +# - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" +# block: +# - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\System +# name: EnableSmartScreen +# data: 1 +# type: dword +# - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\System +# name: ShellSmartScreenLevel +# data: Block +# type: string +# when: rule_18_9_80_1_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.80.1.1 +# - patch + +# - name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" +# win_regedit: +# path: 
HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace +# name: AllowSuggestedAppsInWindowsInkWorkspace +# data: 0 +# type: dword +# when: rule_18_9_84_1 +# tags: +# - level2 +# - rule_18.9.84.1 +# - patch + +# - name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace +# name: AllowWindowsInkWorkspace +# data: 1 +# type: dword +# when: rule_18_9_84_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.84.2 +# - patch + +# - name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Installer +# name: EnableUserControl +# data: 0 +# type: dword +# when: rule_18_9_85_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.85.1 +# - patch + +# - name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Installer +# name: AlwaysInstallElevated +# data: 0 +# type: dword +# when: rule_18_9_85_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.85.2 +# - patch + +# - name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Installer +# name: SafeForScripting +# data: 0 +# type: dword +# when: rule_18_9_85_3 +# tags: +# - level2 +# - rule_18.9.85.3 +# - patch + +# - name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System +# name: DisableAutomaticRestartSignOn +# data: 1 +# type: dword +# when: rule_18_9_86_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.86.1 +# - patch + 
+# - name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging +# name: EnableScriptBlockLogging +# data: 1 +# type: dword +# when: rule_18_9_95_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.95.1 +# - patch + +# - name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription +# name: EnableTranscripting +# data: 1 +# type: dword +# when: rule_18_9_95_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.95.2 +# - patch + +# - name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client +# name: AllowBasic +# data: 0 +# type: dword +# when: rule_18_9_97_1_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.97.1.1 +# - patch + +# - name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client +# name: AllowUnencryptedTraffic +# data: 0 +# type: dword +# when: rule_18_9_97_1_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.97.1.2 +# - patch + +# - name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client +# name: AllowDigest +# data: 0 +# type: dword +# when: rule_18_9_97_1_3 +# tags: +# - level1 +# - level2 +# - rule_18.9.97.1.3 +# - patch + +# - name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service +# name: AllowBasic +# data: 0 +# type: dword +# when: rule_18_9_97_2_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.97.2.1 +# - patch + +# 
#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# - name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service +# name: AllowAutoConfig +# data: 1 +# type: dword +# when: +# - rule_18_9_97_2_2 +# - is_implemented +# tags: +# - level2 +# - rule_18.9.97.2.2 +# - patch + +# - name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service +# name: AllowUnencryptedTraffic +# data: 0 +# type: dword +# when: rule_18_9_97_2_3 +# tags: +# - level1 +# - level2 +# - rule_18.9.97.2.3 +# - patch + +# - name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service +# name: DisableRunAs +# data: 1 +# type: dword +# when: rule_18_9_97_2_4 +# tags: +# - level1 +# - level2 +# - rule_18.9.97.2.4 +# - patch + +# #This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# - name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs +# name: AllowRemoteShellAccess +# data: 1 +# type: dword +# when: +# - rule_18_9_98_1 +# - is_implemented +# tags: +# - level2 +# - rule_18.9.98.1 +# - patch + +# - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds" +# block: +# - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate +# name: 
ManagePreviewBuilds +# data: 1 +# type: dword +# - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate +# name: ManagePreviewBuildsPolicyValue +# data: 0 +# type: dword +# when: rule_18_9_101_1_1 +# tags: +# - level1 +# - level2 +# - rule_18.9.101.1.1 +# - patch + +# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" +# block: +# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate +# name: DeferFeatureUpdates +# data: 1 +# type: dword +# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate +# name: DeferFeatureUpdatesPeriodInDays +# data: 180 +# type: dword +# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate +# name: BranchReadinessLevel +# data: 16 +# type: dword +# when: rule_18_9_101_1_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.101.1.2 +# - patch + +# - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days" +# block: +# - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" +# 
win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate +# name: DeferQualityUpdates +# data: 1 +# type: dword +# - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" +# win_regedit: +# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate +# name: DeferQualityUpdatesPeriodInDays +# data: 0 +# type: dword +# when: rule_18_9_101_1_3 +# tags: +# - level1 +# - level2 +# - rule_18.9.101.1.3 +# - patch + +# - name: "SCORED | 18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au +# name: NoAutoUpdate +# data: 0 +# type: dword +# when: rule_18_9_101_2 +# tags: +# - level1 +# - level2 +# - rule_18.9.101.2 +# - patch + +# - name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au +# name: ScheduledInstallDay +# data: 0 +# type: dword +# when: rule_18_9_101_3 +# tags: +# - level1 +# - level2 +# - rule_18.9.101.3 +# - patch + +# - name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" +# win_regedit: +# path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au +# name: NoAutoRebootWithLoggedOnUsers +# data: 0 +# type: dword +# when: rule_18_9_101_4 +# tags: +# - level1 +# - level2 +# - rule_18.9.101.4 +# - patch From c4deb76d4ffaa4f3f5f7a839a514f1ead577435b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 1 Feb 2021 19:14:37 -0500 Subject: [PATCH 07/12] updated section 18.3.x through 18.5.10.2 to version 1.2.0 Signed-off-by: George Nalen --- defaults/main.yml | 1 + tasks/section18.yml | 747 ++++++++++++++++++++++---------------------- 2 files changed, 373 insertions(+), 375 deletions(-) 
diff --git a/defaults/main.yml b/defaults/main.yml
index e8fda71..f82e027 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -229,6 +229,7 @@ rule_18_3_3: true
 rule_18_3_4: true
 rule_18_3_5: true
 rule_18_3_6: true
+rule_18_3_7: true
 rule_18_4_1: true
 rule_18_4_2: true
 rule_18_4_3: true
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 7a98ab2..3eca7a3 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -173,286 +173,280 @@ - rule_18.2.6 - audit -# - name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" -# command: "echo true" -# register: result -# changed_when: no -# ignore_errors: yes -# when: -# - is_implemented -# - rule_18_3_1 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_18.3.1 -# - audit +- name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + block: + - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes -# - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" -# command: "echo true" -# when: -# - is_implemented -# - rule_18_3_1 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_18.3.1 -# - patch + - name: "SCORED | 18.3.1 | PATCH | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + command: "echo true" + when: + - is_implemented + - rule_18_3_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver + - rule_18.3.1 + - audit -# - name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" -# command: "echo true" -# register: result -# changed_when: no -# ignore_errors: yes -# when: -# - is_implemented -# - rule_18_3_2 -# tags: -# - level1 -# - level2 -# - rule_18.3.2 -# - audit +- name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + block: + - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client 
driver' is set to 'Enabled: Disable driver (recommended)'" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes -# - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" -# command: "echo true" -# when: -# - is_implemented -# - rule_18_3_2 -# tags: -# - level1 -# - level2 -# - rule_18.3.2 -# - patch + - name: "SCORED | 18.3.2 | PATCH | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + command: "echo true" + when: + - is_implemented + - rule_18_3_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.3.2 + - audit -# - name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" -# win_regedit: -# path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -# name: SMB1 -# data: 0 -# type: dword -# state: present -# notify: reboot_windows -# when: rule_18_3_3 -# tags: -# - level1 -# - level2 -# - rule_18.3.3 -# - patch +- name: "SCORED | 18_3_3 | PATCH | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + name: SMB1 + data: 0 + type: dword + state: present + notify: reboot_windows + when: rule_18_3_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.3.3 + - patch -# - name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" -# win_regedit: -# path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel -# name: DisableExceptionChainValidation -# data: 1 -# type: dword -# state: present -# when: rule_18_3_4 -# tags: -# - level1 -# - level2 -# - rule_18.3.4 -# - patch +- name: "SCORED | 18_3_4 | PATCH | (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel + name: 
DisableExceptionChainValidation + data: 1 + type: dword + state: present + when: rule_18_3_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.3.4 + - patch -# - name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" -# command: "echo true" -# register: result -# changed_when: no -# ignore_errors: yes -# when: -# - is_implemented -# - rule_18_3_5 -# tags: -# - level1 -# - level2 -# - rule_18.3.5 -# - audit +- name: "SCORED | 18.3.5 | PATCH | (L1) Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled: Enabled, always (recommended)' (DC Only)" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters + name: LdapEnforceChannelBinding + data: 1 + type: dword + when: + - rule_18_3_5 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_18.3.5 + - patch -# - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" -# command: "echo true" -# when: -# - is_implemented -# - rule_18_3_5 -# tags: -# - level1 -# - level2 -# - rule_18.3.5 -# - patch -# - name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" -# win_regedit: -# path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest -# state: present -# value: UseLogonCredential -# data: 0 -# datatype: dword -# when: rule_18_3_6 -# tags: -# - level1 -# - level2 -# - rule_18.3.6 -# - patch +- name: "SCORED | 18.3.6 | PATCH | (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters + state: present + value: NodeType + data: 2 + datatype: dword + when: rule_18_3_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 + - patch -# - name: "SCORED | 18.4.1 
| PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" -# win_regedit: -# path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -# state: present -# value: AutoAdminLogon -# data: 0 -# datatype: dword -# when: rule_18_4_1 -# tags: -# - level1 -# - level2 -# - rule_18.4.1 -# - patch +- name: "SCORED | 18.3.7 | PATCH | (L1) Ensure 'WDigest Authentication' is set to 'Disabled'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest + state: present + value: UseLogonCredential + data: 0 + datatype: dword + when: rule_18_3_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 + - patch -# - name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" -# win_regedit: -# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters -# state: present -# value: DisableIPSourceRouting -# data: 2 -# datatype: dword -# when: rule_18_4_2 -# tags: -# - level1 -# - level2 -# - rule_18.4.2 -# - patch +- name: "SCORED | 18.4.1 | PATCH | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + state: present + value: AutoAdminLogon + data: 0 + datatype: dword + when: rule_18_4_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.1 + - patch -# - name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" -# win_regedit: -# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -# state: present -# value: DisableIPSourceRouting -# data: 2 -# datatype: dword -# when: rule_18_4_3 -# tags: -# - level1 -# - level2 
-# - rule_18.4.3 -# - patch +- name: "SCORED | 18.4.2 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + state: present + value: DisableIPSourceRouting + data: 2 + datatype: dword + when: rule_18_4_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.2 + - patch -# - name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" -# win_regedit: -# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -# state: present -# value: EnableICMPRedirect -# data: 0 -# datatype: dword -# when: rule_18_4_4 -# tags: -# - level1 -# - level2 -# - rule_18.4.4 -# - patch +- name: "SCORED | 18.4.3 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: DisableIPSourceRouting + data: 2 + datatype: dword + when: rule_18_4_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.3 + - patch -# - name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" -# win_regedit: -# path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -# state: present -# value: KeepAliveTime -# data: 300000 -# datatype: dword -# when: rule_18_4_5 -# tags: -# - level2 -# - rule_18.4.5 -# - patch +- name: "SCORED | 18.4.4 | PATCH | (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" + win_regedit: + path: 
HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: EnableICMPRedirect + data: 0 + datatype: dword + when: rule_18_4_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.4 + - patch -# - name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters -# state: present -# name: NoNameReleaseOnDemand -# data: 1 -# type: dword -# when: rule_18_4_6 -# tags: -# - level1 -# - level2 -# - rule_18.4.6 -# - patch +- name: "SCORED | 18.4.5 | PATCH | (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: KeepAliveTime + data: 300000 + datatype: dword + when: rule_18_4_5 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.4.5 + - patch -# - name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters -# state: present -# name: PerformRouterDiscovery -# data: 0 -# type: dword -# when: rule_18_4_7 -# tags: -# - level2 -# - rule_18.4.7 -# - patch +- name: "SCORED | 18.4.6 | PATCH | (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters + state: present + name: NoNameReleaseOnDemand + data: 1 + type: dword + when: rule_18_4_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.6 + - patch -# - name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS 
SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Session Manager -# name: SafeDllSearchMode -# data: 1 -# type: dword -# state: present -# when: rule_18_4_8 -# tags: -# - level1 -# - level2 -# - rule_18.4.8 -# - patch +- name: "SCORED | 18.4.7 | PATCH | (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + state: present + name: PerformRouterDiscovery + data: 0 + type: dword + when: rule_18_4_7 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.4.7 + - patch -# - name: "SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: ScreenSaverGracePeriod -# data: 5 -# type: string -# state: present -# when: rule_18_4_9 -# tags: -# - level1 -# - level2 -# - rule_18.4.9 -# - patch +- name: "SCORED | 18.4.8 | PATCH | (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: SafeDllSearchMode + data: 1 + type: dword + state: present + when: rule_18_4_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.8 + - patch -# - name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters -# name: TcpMaxDataRetransmissions -# data: 3 -# type: dword -# when: rule_18_4_10 -# tags: -# - level2 -# - rule_18.4.10 -# - patch +- name: "SCORED | 18.4.9 | PATCH | (L1) Ensure 
'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ScreenSaverGracePeriod + data: 5 + type: string + state: present + when: rule_18_4_9 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.9 + - patch -# - name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters -# name: TcpMaxDataRetransmissions -# data: 3 -# type: dword -# when: rule_18_4_11 -# tags: -# - level2 -# - rule_18.4.11 -# - patch +- name: "SCORED | 18.4.10 | PATCH | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword + when: rule_18_4_10 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.4.10 + - patch -# - name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security -# name: WarningLevel -# data: 90 -# type: dword -# when: rule_18_4_12 -# tags: -# - level1 -# - level2 -# - rule_18.4.12 -# - patch +- name: "SCORED | 18.4.11 | PATCH | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword + when: rule_18_4_11 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.4.11 + - 
patch + +- name: "SCORED | 18.4.12 | PATCH | (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security + name: WarningLevel + data: 90 + type: dword + when: rule_18_4_12 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.4.12 + - patch # - name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" 
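Review bot: The 18.3.4 SEHOP task writes `DisableExceptionChainValidation` with `data: 1`, which is the value that turns exception-chain validation off; the benchmark's remediation for 'Enabled' is `data: 0`, so as written this task disables SEHOP on every host it touches. The 18.3.5 task is titled 'Enabled, always' but sets `LdapEnforceChannelBinding` to `data: 1`, which in the Microsoft value table is the 'when supported' setting rather than 'always' (`data: 2`); worth confirming against the benchmark text before this is uncommented. The new 18.3.7 WDigest task is gated on `rule_18_3_7` (added to defaults/main.yml in this commit) but still carries the tag `- rule_18.3.6`, so a tag-scoped run for 18.3.7 skips it and a run for 18.3.6 applies two unrelated tasks; change it to `- rule_18.3.7`. The 18.3.1 and 18.3.2 blocks still contain `command: "echo true"` placeholders and carry only the `audit` tag although they wrap a PATCH task, so neither control is actually enforced; a comment such as `# NOTE: not yet implemented - placeholder only` above each block would keep that visible to operators.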
@@ -470,127 +464,130 @@ # - rule_18.5.4.1 # - patch -# - name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient -# name: EnableMulticast -# data: 0 -# type: dword -# when: -# - rule_18_5_4_2 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_18.5.4.2 -# - patch +- name: "SCORED | 18.5.4.1 | PATCH | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient + name: EnableMulticast + data: 0 + type: dword + when: + - rule_18_5_4_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.4.2 + - patch -# - name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System -# name: EnableFontProviders -# data: 0 -# type: dword -# when: rule_18_5_5_1 -# tags: -# - level2 -# - rule_18.5.5.1 -# - patch +- name: "SCORED | 18.5.5.1 | PATCH | (L2) Ensure 'Enable Font Providers' is set to 'Disabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableFontProviders + data: 0 + type: dword + when: rule_18_5_5_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.5.1 + - patch -# - name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation -# name: AllowInsecureGuestAuth -# data: 0 -# type: dword -# when: rule_18_5_8_1 -# tags: -# - level1 -# - level2 -# - rule_18.5.8.1 -# - patch +- name: "SCORED | 18.5.8.1 | PATCH | (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation + name: AllowInsecureGuestAuth + data: 0 + type: dword + 
when: rule_18_5_8_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.8.1 + - patch -# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" -# block: -# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: AllowLLTDIOOndomain -# data: 0 -# type: dword +- name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" + block: + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOndomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOndomain + data: 0 + type: dword -# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: AllowLLTDIOOnPublicNet -# data: 0 -# type: dword - -# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: EnableLLTDIO -# data: 0 -# type: dword - -# - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: ProhibitLLTDIOOnPrivateNet -# data: 0 -# type: dword -# when: rule_18_5_9_1 -# tags: -# - level2 -# - rule_18.5.9.1 -# - patch - -# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" -# block: -# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: 
AllowRspndrOnDomain -# data: 0 -# type: dword - -# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: AllowRspndrOnPublicNet -# data: 0 -# type: dword - -# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: EnableRspndr -# data: 0 -# type: dword + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | EnableLLTDIO" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableLLTDIO + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | ProhibitLLTDIOOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitLLTDIOOnPrivateNet + data: 0 + type: dword + when: rule_18_5_9_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.9.1 + - patch -# - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Lltd -# name: ProhibitRspndrOnPrivateNet -# data: 0 -# type: dword -# when: rule_18_5_9_2 -# tags: -# - level2 -# - rule_18.5.9.2 -# - patch +- name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" + block: + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | 
AllowRspndrOnDomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnDomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | AllowRspndrOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | EnableRspndr" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableRspndr + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | ProhibitRspndrOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitRspndrOnPrivateNet + data: 0 + type: dword + when: rule_18_5_9_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.9.2 + - patch -# - name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Peernet -# name: Disabled -# data: 1 -# type: dword -# when: rule_18_5_10_2 -# tags: -# - level2 -# - rule_18.5.10.2 -# - patch +- name: "SCORED | 18.5.10.2 | PATCH | (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Peernet + name: Disabled + data: 1 + type: dword + when: rule_18_5_10_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.10.2 + - patch # - name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" # win_regedit: From 06cc3673916e7db0af43dff177d215da8e922a22 Mon Sep 17 00:00:00 2001 
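Review bot: The task renamed to 18.5.4.1 still gates on `when: - rule_18_5_4_2` and is tagged `rule_18.5.4.2`, so it is selected by the old rule number while its name says 18.5.4.1; the defaults file in this series keeps `rule_18_5_4_1: true` and comments out `rule_18_5_4_2`, so the condition ends up referencing an undefined variable and Ansible errors instead of applying the control. That leaves multicast name resolution (LLMNR) enabled, a setting worth getting right because LLMNR/NBT-NS poisoning is a routine credential-capture path on Windows networks. Change the two lines to `when: rule_18_5_4_1` and `- rule_18.5.4.1`. The MS-only domain-role condition was dropped with the rename, which looks intentional given the new `level1-domaincontroller` tag, but the NetBIOS node-type task above it is still fully commented out, so 18.5.4.x coverage should be re-checked against the 1.2.0 control list.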
From: George Nalen Date: Tue, 2 Feb 2021 15:58:20 -0500 Subject: [PATCH 08/12] finished updating section 18 to version 1.2.0 Signed-off-by: George Nalen --- defaults/main.yml | 163 +- tasks/section18.yml | 3544 +++++++++++++++++++++++-------------------- 2 files changed, 1970 insertions(+), 1737 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index f82e027..f51163c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -243,7 +243,7 @@ rule_18_4_10: true
 rule_18_4_11: true
 rule_18_4_12: true
 rule_18_5_4_1: true
-rule_18_5_4_2: true
+# rule_18_5_4_2: true
 rule_18_5_5_1: true
 rule_18_5_8_1: true
 rule_18_5_9_1: true
@@ -258,13 +258,17 @@ rule_18_5_20_1: true
 rule_18_5_20_2: true
 rule_18_5_21_1: true
 rule_18_5_21_2: true
+rule_18_7_1_1: true
 rule_18_8_3_1: true
 rule_18_8_4_1: true
+rule_18_8_4_2: true
 rule_18_8_5_1: true
 rule_18_8_5_2: true
 rule_18_8_5_3: true
 rule_18_8_5_4: true
 rule_18_8_5_5: true
+rule_18_8_5_6: true
+rule_18_8_5_7: true
 rule_18_8_14_1: true
 rule_18_8_21_2: true
 rule_18_8_21_3: true
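Review bot: Commenting out `rule_18_5_4_2` removes the variable that the section18 'Turn off multicast name resolution' task (renamed 18.5.4.1 earlier in this series) still evaluates in `when: - rule_18_5_4_2`; this patch's first section18.yml hunk starts at line 589, so that task is not touched here, and on the next run the conditional fails with an undefined-variable error rather than skipping. Either keep the key until the task is repointed, or fix the task to `when: rule_18_5_4_1` in the same commit so the LLMNR hardening cannot silently fall out of the role. Later patches in the series may address this; only patch 08 is visible here.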
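Review bot: `rule_18_8_5_6` (Credential Guard 'Disabled', DC only) is enabled here alongside `rule_18_8_5_5` (Credential Guard 'Enabled with UEFI lock', MS only), and the section18 tasks in this patch separate the two cases purely on `ansible_windows_domain_role == "Primary domain controller"`. That fact is derived from Win32_ComputerSystem.DomainRole, where as far as I recall only the PDC-emulator reports 'Primary domain controller' and every other writable DC reports 'Backup domain controller' — verify against the setup module — in which case 18.8.5.5 would turn on Credential Guard with UEFI lock on the non-PDCe domain controllers, a configuration Microsoft does not support on DCs and one that is deliberately hard to undo without a local console. Consider one shared fact, e.g. `ansible_windows_domain_role in ['Primary domain controller', 'Backup domain controller']`, and use it in 18.8.5.5, 18.8.5.6 and the other `not ... == "Primary domain controller"` guards such as 18.5.21.2.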
@@ -284,27 +288,44 @@ rule_18_8_22_1_11: true
 rule_18_8_22_1_12: true
 rule_18_8_22_1_13: true
 rule_18_8_25_1: true
-rule_18_8_26_1: true
+# rule_18_8_26_1: true
 rule_18_8_27_1: true
-rule_18_8_27_2: true
-rule_18_8_27_3: true
-rule_18_8_27_4: true
-rule_18_8_27_5: true
-rule_18_8_27_6: true
-rule_18_8_27_7: true
+# rule_18_8_27_2: true
+# rule_18_8_27_3: true
+# rule_18_8_27_4: true
+# rule_18_8_27_5: true
+# rule_18_8_27_6: true
+# rule_18_8_27_7: true
 rule_18_8_28_1: true
-rule_18_8_33_6_2: true
-rule_18_8_33_6_3: true
-rule_18_8_33_6_4: true
-rule_18_8_35_1: true
+rule_18_8_28_2: true
+rule_18_8_28_3: true
+rule_18_8_28_4: true
+rule_18_8_28_5: true
+rule_18_8_28_6: true
+rule_18_8_28_7: true
+# rule_18_8_33_6_2: true
+# rule_18_8_33_6_3: true
+# rule_18_8_33_6_4: true
+rule_18_8_34_6_1: true
+rule_18_8_34_6_2: true
+rule_18_8_34_6_3: true
+# rule_18_8_35_1: true
+rule_18_8_36_1: true
 rule_18_8_35_2: true
 rule_18_8_36_1: true
 rule_18_8_36_2: true
-rule_18_8_44_5_1: true
-rule_18_8_44_11_1: true
-rule_18_8_46_1: true
-rule_18_8_49_1_1: true
-rule_18_8_49_1_2: true
+rule_18_8_37_1: true
+rule_18_8_37_2: true
+# rule_18_8_44_5_1: true
+# rule_18_8_44_11_1: true
+# rule_18_8_46_1: true
+rule_18_8_47_5_1: true
+rule_18_8_47_11_1: true
+# rule_18_8_49_1_1: true
+rule_18_8_49_1: true
+# rule_18_8_49_1_2: true
+rule_18_8_52_1_1: true
+rule_18_8_52_1_2: true
 rule_18_9_4_1: true
 rule_18_9_6_1: true
 rule_18_9_8_1: true
@@ -320,7 +341,7 @@ rule_18_9_16_1: true
 rule_18_9_16_2: true
 rule_18_9_16_3: true
 rule_18_9_16_4: true
-rule_18_9_16_5: true
+# rule_18_9_16_5: true
 rule_18_9_26_1_1: true
 rule_18_9_26_1_2: true
 rule_18_9_26_2_1: true
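Review bot: The added `rule_18_8_36_1: true` duplicates the existing `rule_18_8_36_1: true` context line four lines below it, so the defaults mapping now carries the key twice; Ansible's YAML loader warns 'found a duplicate dict key' and keeps the last value, yamllint `key-duplicates` fails, and if someone later sets one copy to `false` the other silently wins. Drop the added line. The surviving `rule_18_8_35_2: true`, `rule_18_8_36_1: true` and `rule_18_8_36_2: true` context lines sit right next to a 35→36 and 36→37 renumbering, so they look like pre-1.2.0 numbers that were not re-mapped — worth confirming against the `when:` conditions in section18.yml.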
@@ -332,38 +353,67 @@ rule_18_9_26_4_2: true
 rule_18_9_30_2: true
 rule_18_9_30_3: true
 rule_18_9_30_4: true
-rule_18_9_39_2: true
+rule_18_9_39_1: true
+# rule_18_9_39_2: true
 rule_18_9_43_1: true
 rule_18_9_44_1: true
 rule_18_9_52_1: true
-rule_18_9_58_2_2: true
-rule_18_9_58_3_2_1: true
-rule_18_9_58_3_3_1: true
-rule_18_9_58_3_3_2: true
-rule_18_9_58_3_3_3: true
-rule_18_9_58_3_3_4: true
-rule_18_9_58_3_9_1: true
-rule_18_9_58_3_9_2: true
-rule_18_9_58_3_9_3: true
-rule_18_9_58_3_10_1: true
-rule_18_9_58_3_10_2: true
-rule_18_9_58_3_11_1: true
-rule_18_9_58_3_11_2: true
-rule_18_9_59_1: true
-rule_18_9_60_2: true
-rule_18_9_60_3: true
-rule_18_9_65_1: true
-rule_18_9_76_3_1: true
-rule_18_9_76_3_2: true
-rule_18_9_76_7_1: true
-rule_18_9_76_9_1: true
-rule_18_9_76_10_1: true
-rule_18_9_76_10_2: true
-rule_18_9_76_13_1_1: true
-rule_18_9_76_13_1_2: true
-rule_18_9_76_13_3_1: true
-rule_18_9_76_14: true
-rule_18_9_79_1_1: true
+# rule_18_9_58_2_2: true
+# rule_18_9_58_3_2_1: true
+# rule_18_9_58_3_3_1: true
+# rule_18_9_58_3_3_2: true
+# rule_18_9_58_3_3_3: true
+# rule_18_9_58_3_3_4: true
+# rule_18_9_58_3_9_1: true
+# rule_18_9_58_3_9_2: true
+# rule_18_9_58_3_9_3: true
+# rule_18_9_58_3_10_1: true
+# rule_18_9_58_3_10_2: true
+# rule_18_9_58_3_11_1: true
+# rule_18_9_58_3_11_2: true
+rule_18_9_59_2_2: true
+rule_18_9_59_3_2_1: true
+rule_18_9_59_3_3_1: true
+rule_18_9_59_3_3_2: true
+rule_18_9_59_3_3_3: true
+rule_18_9_59_3_3_4: true
+# rule_18_9_59_1: true
+rule_18_9_59_3_9_1: true
+rule_18_9_59_3_9_2: true
+rule_18_9_59_3_9_3: true
+rule_18_9_59_3_9_4: true
+rule_18_9_59_3_9_5: true
+rule_18_9_59_3_10_1: true
+rule_18_9_59_3_10_2: true
+rule_18_9_59_3_11_1: true
+rule_18_9_59_3_11_2: true
+rule_18_9_60_1: true
+# rule_18_9_60_2: true
+# rule_18_9_60_3: true
+rule_18_9_61_2: true
+rule_18_9_61_3: true
+# rule_18_9_65_1: true
+rule_18_9_66_1: true
+# rule_18_9_76_3_1: true
+# rule_18_9_76_3_2: true
+# rule_18_9_76_7_1: true
+# rule_18_9_76_9_1: true
+# rule_18_9_76_10_1: true
+# rule_18_9_76_10_2: true
+# rule_18_9_76_13_1_1: true
+# rule_18_9_76_13_1_2: true
+# rule_18_9_76_13_3_1: true
+# rule_18_9_76_14: true
+rule_18_9_77_3_1: true
+rule_18_9_77_3_2: true
+rule_18_9_77_7_1: true
+rule_18_9_77_9_1: true
+rule_18_9_77_10_1: true
+rule_18_9_77_10_2: true
+rule_18_9_77_13_3_1: true
+rule_18_9_77_14: true
+rule_18_9_77_15: true
+# rule_18_9_79_1_1: true
 rule_18_9_80_1_1: true
 rule_18_9_84_1: true
 rule_18_9_84_2: true
@@ -381,12 +431,19 @@ rule_18_9_97_2_2: true
 rule_18_9_97_2_3: true
 rule_18_9_97_2_4: true
 rule_18_9_98_1: true
-rule_18_9_101_1_1: true
-rule_18_9_101_1_2: true
-rule_18_9_101_1_3: true
-rule_18_9_101_2: true
-rule_18_9_101_3: true
-rule_18_9_101_4: true
+rule_18_9_99_2_1: true
+# rule_18_9_101_1_1: true
+# rule_18_9_101_1_2: true
+# rule_18_9_101_1_3: true
+# rule_18_9_101_2: true
+# rule_18_9_101_3: true
+# rule_18_9_101_4: true
+rule_18_9_102_1_1: true
+rule_18_9_102_1_2: true
+rule_18_9_102_1_3: true
+rule_18_9_102_2: true
+rule_18_9_102_3: true
+rule_18_9_102_4: true
 
 # section19
 rule_19_1_3_1: true
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 3eca7a3..f18be32 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
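Review bot: `rule_18_9_76_13_1_1` and `rule_18_9_76_13_1_2` are commented out but, unlike every other 18.9.76.x rule in this hunk, get no `rule_18_9_77_13_1_x` replacement, while the neighbouring `rule_18_9_77_13_3_1` is carried over; the task names are not visible from here, so if the 1.2.0 benchmark still lists those two controls under 18.9.77.13.1.x they have been dropped silently. If the omission is deliberate, a one-line comment such as `# 18.9.77.13.1.x intentionally omitted - see tasks/section18.yml` next to the commented keys would stop a later reader from restoring them under the wrong number.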
@@ -589,617 +589,684 @@ - rule_18.5.10.2 - patch -# - name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections -# name: NC_AllowNetBridge_NLA -# data: 0 -# type: dword -# when: rule_18_5_11_2 -# tags: -# - level1 -# - level2 -# - rule_18.5.11.2 -# - patch +- name: "SCORED | 18.5.11.2 | PATCH | (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_AllowNetBridge_NLA + data: 0 + type: dword + when: rule_18_5_11_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.2 + - patch -# - name: "SCORED | 18.5.11.3 | PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections -# name: NC_ShowSharedAccessUI -# data: 0 -# type: dword -# when: rule_18_5_11_3 -# tags: -# - level1 -# - level2 -# - rule_18.5.11.3 -# - patch +- name: "SCORED | 18.5.11.3 | PATCH | (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections + name: NC_ShowSharedAccessUI + data: 0 + type: dword + when: rule_18_5_11_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.3 + - patch -# - name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections -# name: NC_StdDomainUserSetLocation -# data: 1 -# type: dword -# when: rule_18_5_11_4 -# tags: -# - level1 -# - level2 -# - rule_18.5.11.4 -# - patch +- name: 
"SCORED | 18.5.11.4 | PATCH | (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_StdDomainUserSetLocation + data: 1 + type: dword + when: rule_18_5_11_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.4 + - patch -# - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" -# block: -# - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths -# name: "\\\\*\\NETLOGON" -# data: "RequireMutualAuthentication=1, RequireIntegrity=1" -# type: string -# - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths -# name: "\\\\*\\SYSVOL" -# data: "RequireMutualAuthentication=1, RequireIntegrity=1" -# type: string -# when: rule_18_5_14_1 -# tags: -# - level1 -# - level2 -# - rule_18.5.14.1 -# - patch +- name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'" + block: + - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Set NETLOGON" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\NETLOGON" + data: "RequireMutualAuthentication=1, 
RequireIntegrity=1" + type: string + - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Set SYSVOL" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\SYSVOL" + data: "RequireMutualAuthentication=1, RequireIntegrity=1" + type: string + when: rule_18_5_14_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.14.1 + - patch -# - name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters -# name: DisabledComponents -# data: 255 -# type: dword -# when: rule_18_5_19_2_1 -# tags: -# - level2 -# - rule_18.5.19.2.1 -# - patch +- name: "SCORED | 18.5.19.2.1 | PATCH | (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters + name: DisabledComponents + data: 255 + type: dword + when: rule_18_5_19_2_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.19.2.1 + - patch -# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" -# block: -# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars -# name: EnableRegistrars -# data: 0 -# type: dword - -# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars -# name: DisableUPnPRegistrar -# data: 0 -# type: dword - -# - 
name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars -# name: DisableInBand802DOT11Registrar -# data: 0 -# type: dword - -# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars -# name: DisableFlashConfigRegistrar -# data: 0 -# type: dword - -# - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars -# name: DisableWPDRegistrar -# data: 0 -# type: dword -# when: rule_18_5_20_1 -# tags: -# - level2 -# - rule_18.5.20.1 -# - patch +- name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" + block: + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | EnableRegistrars" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: EnableRegistrars + data: 0 + type: dword -# - name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui -# name: DisableWcnUi -# data: 1 -# type: dword -# when: rule_18_5_20_2 -# tags: -# - level2 -# - rule_18.5.20.2 -# - patch + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableUPnPRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: 
DisableUPnPRegistrar + data: 0 + type: dword -# - name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy -# name: fMinimizeConnections -# data: 1 -# type: dword -# when: rule_18_5_21_1 -# tags: -# - level1 -# - level2 -# - rule_18.5.21.1 -# - patch + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableInBand802DOT11Registrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableInBand802DOT11Registrar + data: 0 + type: dword -# - name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy -# name: fBlockNonDomain -# data: 1 -# type: dword -# when: -# - rule_18_5_21_2 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level2 -# - rule_18.5.21.2 -# - patch + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableFlashConfigRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableFlashConfigRegistrar + data: 0 + type: dword -# - name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit -# name: ProcessCreationIncludeCmdLine_Enabled -# data: 0 -# type: dword -# when: rule_18_8_3_1 -# tags: -# - level1 -# - level2 -# - rule_18.8.3.1 -# - patch + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 
'Disabled' | DisableWPDRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableWPDRegistrar + data: 0 + type: dword + when: rule_18_5_20_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.20.1 + - patch +- name: "SCORED | 18.5.20.2 | PATCH | (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui + name: DisableWcnUi + data: 1 + type: dword + when: rule_18_5_20_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.20.2 + - patch -# - name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation -# name: AllowProtectedCreds -# data: 1 -# type: dword -# when: rule_18_8_4_1 -# tags: -# - level1 -# - level2 -# - rule_18.8.4.1 -# - patch +- name: "SCORED | 18.5.21.1 | PATCH | (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fMinimizeConnections + data: 1 + type: dword + when: rule_18_5_21_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.21.1 + - patch -# - name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -# name: EnableVirtualizationBasedSecurity -# data: 1 -# type: dword -# when: -# - rule_18_8_5_1 -# - ansible_windows_domain_role == "Member server" -# tags: -# - rule_18.8.5.1 -# - patch +- name: "SCORED | 18.5.21.2 | PATCH | (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" + 
win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fBlockNonDomain + data: 1 + type: dword + when: + - rule_18_5_21_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level2-memberserver + - rule_18.5.21.2 + - patch -# - name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -# name: RequirePlatformSecurityFeatures -# data: 3 -# type: dword -# when: -# - rule_18_8_5_2 -# - ansible_windows_domain_role == "Member server" -# tags: -# - rule_18.8.5.2 -# - patch +- name: "SCORED | 18.7.1.1 | PATCH | (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' (Scored)" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + name: NoCloudApplicationNotification + data: 1 + type: dword + when: + - rule_18_7_1_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.7.1.1 + - patch -# - name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -# name: HypervisorEnforcedCodeIntegrity -# data: 1 -# type: dword -# when: -# - rule_18_8_5_3 -# - ansible_windows_domain_role == "Member server" -# tags: -# - rule_18.8.5.3 -# - patch +- name: "SCORED | 18.8.3.1 | PATCH | (L1) Ensure 'Include command line in process creation events' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit + name: ProcessCreationIncludeCmdLine_Enabled + data: 0 + type: dword + when: rule_18_8_3_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.8.3.1 + - patch -# - name: "SCORED | 18.8.5.4 | PATCH | NG 
Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -# name: HVCIMATRequired -# data: 1 -# type: dword -# when: -# - rule_18_8_5_4 -# - ansible_windows_domain_role == "Member server" -# tags: -# - rule_18.8.5.4 -# - patch +- name: "SCORED | 18.8.4.1 | PATCH | (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters + name: AllowEncryptionOracle + data: 0 + type: dword + when: + - rule_18_8_4_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.1 + - patch -# - name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -# name: LsaCfgFlags -# data: 1 -# type: dword -# when: -# - rule_18_8_5_5 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_18.8.5.5 -# - patch +- name: "SCORED | 18.8.4.2 | PATCH | (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation + name: AllowProtectedCreds + data: 1 + type: dword + when: rule_18_8_4_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.2 + - patch -# - name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard -# name: LsaCfgFlags -# data: 1 -# type: dword -# when: -# - rule_18_8_5_5 -# - ansible_windows_domain_role == "Member server" -# tags: -# - rule_18.8.5.5 -# - patch +- name: "SCORED | 
18.8.5.1 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: EnableVirtualizationBasedSecurity
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_5_1
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - nextgen-domaincontroller
+ - nextgen-memberserver
+ - rule_18.8.5.1
+ - patch
-# - name: "SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
-# name: DriverLoadPolicy
-# data: 3
-# type: dword
-# when: rule_18_8_14_1
-# tags:
-# - level1
-# - level2
-# - rule_18.8.14.1
-# - patch
+- name: "SCORED | 18.8.5.2 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: RequirePlatformSecurityFeatures
+ data: 3
+ type: dword
+ when:
+ - rule_18_8_5_2
+ - ansible_windows_domain_role == "Member server"
+ tags:
+ - nextgen-domaincontroller
+ - nextgen-memberserver
+ - rule_18.8.5.2
+ - patch
-# - name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
-# name: NoBackgroundPolicy
-# data: 0
-# type: dword
-# when: rule_18_8_21_2
-# tags:
-# - level1
-# - level2
-# - rule_18.8.21.2
-# - patch
+- name: "SCORED | 18.8.5.3 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: HypervisorEnforcedCodeIntegrity
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_5_3
+ tags:
+ - nextgen-domaincontroller
+ - nextgen-memberserver
+ - rule_18.8.5.3
+ - patch
-# - name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
-# name: NoGPOListChanges
-# data: 0
-# type: dword
-# when: rule_18_8_21_3
-# tags:
-# - level1
-# - level2
-# - rule_18.8.21.3
-# - patch
+- name: "SCORED | 18.8.5.4 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: HVCIMATRequired
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_5_4
+ tags:
+ - nextgen-domaincontroller
+ - nextgen-memberserver
+ - rule_18.8.5.4
+ - patch
-# - name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled"
-# win_regedit:
-# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
-# name: EnableCdp
-# data: 0
-# type: dword
-# when: rule_18_8_21_4
-# tags:
-# - level1
-# - level2
-# - rule_18.8.21.4
-# - patch
-
-# - name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
-# state: absent
-# delete_key: yes
-# when: rule_18_8_21_5
-# tags:
-# - level1
-# - level2
-# - rule_18.8.21.5
-# - patch
+- name: "SCORED | 18.8.5.5 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: LsaCfgFlags
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_5_5
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - nextgen-memberserver
+ - rule_18.8.5.5
+ - patch
-# - name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
-# name: DisableWebPnPDownload
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_1
-# tags:
-# - level1
-# - level2
-# - rule_18.8.22.1.1
-# - patch
+- name: "SCORED | 18.8.5.6 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: LsaCfgFlags
+ data: 0
+ type: dword
+ when:
+ - rule_18_8_5_6
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - nextgen-domaincontroller
+ - rule_18.8.5.6
+ - patch
-# - name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc
-# name: PreventHandwritingDataSharing
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_2
-# tags:
-# - level2
-# - rule_18.8.22.1.2
-# - patch
+- name: "SCORED | 18.8.5.7 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: ConfigureSystemGuardLaunch
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_5_7
+ tags:
+ - nextgen-domaincontroller
+ - nextgen-memberserver
+ - rule_18.8.5.7
+ - patch
-# - name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports
-# name: PreventHandwritingErrorReports
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_3
-# tags:
-# - level2
-# - rule_18.8.22.1.3
-# - patch
+- name: "SCORED | 18.8.14.1 | PATCH | (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
+ name: DriverLoadPolicy
+ data: 3
+ type: dword
+ when: rule_18_8_14_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.14.1
+ - patch
-# - name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard
-# name: ExitOnMSICW
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_4
-# tags:
-# - level2
-# - rule_18.8.22.1.4
-# - patch
+- name: "SCORED | 18.8.21.2 | PATCH | (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+ name: NoBackgroundPolicy
+ data: 0
+ type: dword
+ when: rule_18_8_21_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.2
+ - patch
-# - name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
-# name: NoWebServices
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_5
-# tags:
-# - level1
-# - level2
-# - rule_18.8.22.1.5
-# - patch
+- name: "SCORED | 18.8.21.3 | PATCH | (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE's"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+ name: NoGPOListChanges
+ data: 0
+ type: dword
+ when: rule_18_8_21_3
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.3
+ - patch
-# - name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
-# name: DisableHTTPPrinting
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_6
-# tags:
-# - level1
-# - level2
-# - rule_18.8.22.1.6
-# - patch
+- name: "SCORED | 18.8.21.4 | PATCH | (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ name: EnableCdp
+ data: 0
+ type: dword
+ when: rule_18_8_21_4
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.4
+ - patch
-# - name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
-# name: NoRegistration
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_7
-# tags:
-# - level2
-# - rule_18.8.22.1.7
-# - patch
+- name: "SCORED | 18.8.21.5 | PATCH | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
+ state: absent
+ delete_key: yes
+ when: rule_18_8_21_5
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.5
+ - patch
-# - name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Searchcompanion
-# name: DisableContentFileUpdates
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_8
-# tags:
-# - level2
-# - rule_18.8.22.1.8
-# - patch
+- name: "SCORED | 18.8.22.1.1 | PATCH | (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+ name: DisableWebPnPDownload
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.22.1.1
+ - patch
-# - name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
-# name: NoOnlinePrintsWizard
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_9
-# tags:
-# - level2
-# - rule_18.8.22.1.9
-# - patch
+- name: "SCORED | 18.8.22.1.2 | PATCH | (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc
+ name: PreventHandwritingDataSharing
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_2
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.2
+ - patch
-# - name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
-# name: NoPublishingWizard
-# data: 1
-# type: dword
-# when: rule_18_8_22_1_10
-# tags:
-# - level2
-# - rule_18.8.22.1.10
-# - patch
+- name: "SCORED | 18.8.22.1.3 | PATCH | (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports
+ name: PreventHandwritingErrorReports
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_3
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.3
+ - patch
-# - name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Messenger\Client
-# name: CEIP
-# data: 2
-# type: dword
-# when: rule_18_8_22_1_11
-# tags:
-# - level2
-# - rule_18.8.22.1.11
-# - patch
+- name: "SCORED | 18.8.22.1.4 | PATCH | (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard
+ name: ExitOnMSICW
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_4
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.4
+ - patch
-# - name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
-# name: CEIPEnable
-# data: 0
-# type: dword
-# when: rule_18_8_22_1_12
-# tags:
-# - level2
-# - rule_18.8.22.1.12
-# - patch
+- name: "SCORED | 18.8.22.1.5 | PATCH | (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoWebServices
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_5
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.22.1.5
+ - patch
-# - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled"
-# block:
-# - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
-# name: Disabled
-# data: 1
-# type: dword
-# - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting"
-# win_regedit:
-# path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
-# name: DoReport
-# data: 0
-# type: dword
-# when: rule_18_8_22_1_13
-# tags:
-# - level2
-# - rule_18.8.22.1.13
-# - patch
+- name: "SCORED | 18.8.22.1.6 | PATCH | (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+ name: DisableHTTPPrinting
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_6
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.6
+ - patch
-# - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic"
-# block:
-# - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
-# name: DevicePKInitBehavior
-# data: 0
-# type: dword
-# - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
-# name: DevicePKInitEnabled
-# data: 1
-# type: dword
-# when: rule_18_8_25_1
-# tags:
-# - level2
-# - rule_18.8.25.1
-# - patch
+- name: "SCORED | 18.8.22.1.7 | PATCH | (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
+ name: NoRegistration
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_7
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.7
+ - patch
-# - name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Control Panel\International
-# name: BlockUserInputMethodsForSignIn
-# data: 1
-# type: dword
-# when: rule_18_8_26_1
-# tags:
-# - level2
-# - rule_18.8.26.1
-# - patch
+- name: "SCORED |18.8.22.1.8 | PATCH | (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Searchcompanion
+ name: DisableContentFileUpdates
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_8
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.8
+ - patch
-# - name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\System
-# name: BlockUserFromShowingAccountDetailsOnSignin
-# data: 1
-# type: dword
-# when: rule_18_8_27_1
-# tags:
-# - level1
-# - level2
-# - rule_18.8.27.1
-# - patch
+- name: "SCORED | 18.8.22.1.9 | PATCH | (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoOnlinePrintsWizard
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_9
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.9
+ - patch
-# - name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\System
-# name: DontDisplayNetworkSelectionUI
-# data: 1
-# type: dword
-# when: rule_18_8_27_2
-# tags:
-# - level1
-# - level2
-# - rule_18.8.27.2
-# - patch
+- name: "SCORED | 18.8.22.1.10 | PATCH | (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoPublishingWizard
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_10
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.10
+ - patch
-# - name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\System
-# name: DontEnumerateConnectedUsers
-# data: 1
-# type: dword
-# when: rule_18_8_27_3
-# tags:
-# - level1
-# - level2
-# - rule_18.8.27.3
-# - patch
+- name: "SCORED | 18.8.22.1.11 | PATCH | (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Messenger\Client
+ name: CEIP
+ data: 2
+ type: dword
+ when: rule_18_8_22_1_11
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.11
+ - patch
-# - name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\System
-# name: EnumerateLocalUsers
-# data: 0
-# type: dword
-# when: rule_18_8_27_4
-# tags:
-# - level1
-# - level2
-# - rule_18.8.27.4
-# - patch
+- name: "SCORED | 18.8.22.1.12 | PATCH | (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
+ name: CEIPEnable
+ data: 0
+ type: dword
+ when: rule_18_8_22_1_12
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.12
+ - patch
-# - name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\System
-# name: DisableLockScreenAppNotifications
-# data: 1
-# type: dword
-# when: rule_18_8_27_5
-# tags:
-# - level1
-# - level2
-# - rule_18.8.27.5
-# - patch
+- name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
+ block:
+ - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Windows Error Reporting"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
+ name: Disabled
+ data: 1
+ type: dword
-# - name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\System
-# name: BlockDomainPicturePassword
-# data: 1
-# type: dword
-# when: rule_18_8_27_6
-# tags:
-# - level1
-# - level2
-# - rule_18.8.27.6
-# - patch
+ - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | ErrorReporting"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
+ name: DoReport
+ data: 0
+ type: dword
+ when: rule_18_8_22_1_13
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.13
+ - patch
-# - name: "SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\System
-# name: AllowDomainPINLogon
-# data: 0
-# type: dword
-# when: rule_18_8_27_7
-# tags:
-# - level1
-# - level2
-# - rule_18.8.27.7
-# - patch
+- name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'"
+ block:
+ - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitBehavior"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ name: DevicePKInitBehavior
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitEnabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ name: DevicePKInitEnabled
+ data: 1
+ type: dword
+ when: rule_18_8_25_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.25.1
+ - patch
+
+- name: "SCORED | 18.8.27.1 | PATCH | (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Control Panel\International
+ name: BlockUserInputMethodsForSignIn
+ data: 1
+ type: dword
+ when: rule_18_8_27_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.27.1
+ - patch
+
+- name: "SCORED | 18.8.28.1 | PATCH | (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockUserFromShowingAccountDetailsOnSignin
+ data: 1
+ type: dword
+ when: rule_18_8_28_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.1
+ - patch
+
+- name: "SCORED | 18.8.28.2 | PATCH | (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontDisplayNetworkSelectionUI
+ data: 1
+ type: dword
+ when: rule_18_8_28_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.2
+ - patch
+
+- name: "SCORED | 18.8.28.3 | PATCH | (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontEnumerateConnectedUsers
+ data: 1
+ type: dword
+ when: rule_18_8_28_3
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.3
+ - patch
+
+- name: "SCORED | 18.8.28.4 | PATCH | (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: EnumerateLocalUsers
+ data: 0
+ type: dword
+ when:
+ - rule_18_8_28_4
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1-memberserver
+ - rule_18.8.28.4
+ - patch
+
+- name: "SCORED | 18.8.28.5 | PATCH | (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DisableLockScreenAppNotifications
+ data: 1
+ type: dword
+ when: rule_18_8_28_5
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.5
+ - patch
+
+- name: "SCORED | 18.8.28.6 | PATCH | (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockDomainPicturePassword
+ data: 1
+ type: dword
+ when: rule_18_8_28_6
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.6
+ - patch
+
+- name: "SCORED | 18.8.28.7 | PATCH | (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: AllowDomainPINLogon
+ data: 0
+ type: dword
+ when: rule_18_8_28_7
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.7
+ - patch
 # - name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events"
 # win_regedit:
@@ -1214,339 +1281,359 @@
 # - rule_18.8.28.1
 # - patch
-# - name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
-# win_regedit:
-# path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
-# name: ACSettingIndex
-# data: 0
-# type: dword
-# when: rule_18_8_33_6_2
-# tags:
-# - level2
-# - rule_18.8.33.6.2
-# - patch
-
-# - name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled"
-# win_regedit:
-# path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
-# name: DCSettingIndex
-# data: 1
-# type: dword
-# when: rule_18_8_33_6_3
-# tags:
-# - level1
-# - level2
-# - rule_18.8.33.6.3
-# - patch
+- name: "SCORED | 18.8.34.6.1 | PATCH | (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+ name: DCSettingIndex
+ data: 0
+ type: dword
+ when: rule_18_8_34_6_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.34.6.1
+ - patch
-# - name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled"
-# win_regedit:
-# path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
-# name: ACSettingIndex
-# data: 1
-# type: dword
-# when: rule_18_8_33_6_4
-# tags:
-# - level1
-# - level2
-# - rule_18.8.33.6.4
-# - patch
+- name: "SCORED | 18.8.34.6.2 | PATCH | (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+ name: ACSettingIndex
+ data: 0
+ type: dword
+ when: rule_18_8_34_6_2
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.34.6.2
+ - patch
-# - name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
-# name: fAllowUnsolicited
-# data: 0
-# type: dword
-# when: rule_18_8_35_1
-# tags:
-# - level1
-# - level2
-# - rule_18.8.35.1
-# - patch
+- name: "SCORED | 18.8.34.6.3 | PATCH | (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: DCSettingIndex
+ data: 1
+ type: dword
+ when: rule_18_8_34_6_3
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.34.6.3
+ - patch
-# - name: "SCORED | 18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
-# name: fAllowToGetHelp
-# data: 0
-# type: dword
-# when: rule_18_8_35_2
-# tags:
-# - level1
-# - level2
-# - rule_18.8.35.2
-# - patch
+- name: "SCORED | 18.8.34.6.4 | PATCH | (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: ACSettingIndex
+ data: 1
+ type: dword
+ when: rule_18_8_34_6_4
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.34.6.4
+ - patch
-# - name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
-# name: EnableAuthEpResolution
-# data: 1
-# type: dword
-# when:
-# - rule_18_8_36_1
-# - not ansible_windows_domain_role == "Primary domain controller"
-# tags:
-# - level1
-# - level2
-# - rule_18.8.36.1
-# - patch
+- name: "SCORED | 18.8.36.1 | PATCH | (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowUnsolicited
+ data: 0
+ type: dword
+ when: rule_18_8_36_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.36.1
+ - patch
-# - name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
-# name: RestrictRemoteClients
-# data: 1
-# type: dword
-# when:
-# - rule_18_8_36_2
-# - not ansible_windows_domain_role == "Primary domain controller"
-# tags:
-# - level2
-# - rule_18.8.36.2
-# - patch
+- name: "SCORED | 18.8.36.2 | PATCH | (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowToGetHelp
+ data: 0
+ type: dword
+ when: rule_18_8_36_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.36.2
+ - patch
-# - name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
-# name: DisableQueryRemoteServer
-# data: 0
-# type: dword
-# when: rule_18_8_44_5_1
-# tags:
-# - level2
-# - rule_18.8.44.5.1
-# - patch
+- name: "SCORED | 18.8.37.1 | PATCH | (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: EnableAuthEpResolution
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_37_1
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1-memberserver
+ - rule_18.8.37.1
+ - patch
-# - name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
-# name: ScenarioExecutionEnabled
-# data: 0
-# type: dword
-# when: rule_18_8_44_11_1
-# tags:
-# - level2
-# - rule_18.8.44.11.1
-# - patch
+- name: "SCORED | 18.8.37.2 | PATCH | (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: RestrictRemoteClients
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_37_2
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level2-memberserver
+ - rule_18.8.37.2
+ - patch
-# - name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
-# name: DisabledByGroupPolicy
-# data: 1
-# type: dword
-# when: rule_18_8_46_1
-# tags:
-# - level2
-# - rule_18.8.46.1
-# - patch
+- name: "SCORED | 18.8.47.5.1 | PATCH | (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
+ name: DisableQueryRemoteServer
+ data: 0
+ type: dword
+ when: rule_18_8_47_5_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.47.5.1
+ - patch
-# - name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
-# name: Enabled
-# data: 1
-# type: dword
-# when: rule_18_8_49_1_1
-# tags:
-# - level2
-# - rule_18.8.49.1.1
-# - patch
+- name: "SCORED | 18.8.47.11.1 | PATCH |(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
+ name: ScenarioExecutionEnabled
+ data: 0
+ type: dword
+ when: rule_18_8_47_11_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.47.11.1
+ - patch
-# - name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
-# name: Enabled
-# data: 1
-# type: dword
-# when:
-# - rule_18_8_49_1_2
-# - not ansible_windows_domain_role == "Primary domain controller"
-# tags:
-# - level2
-# - rule_18.8.49.1.2
-# - patch
+- name: "SCORED | 18.8.49.1 | PATCH | (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
+ name: DisabledByGroupPolicy
+ data: 1
+ type: dword
+ when: rule_18_8_49_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.49.1
+ - patch
-# - name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
-# name: AllowSharedLocalAppData
-# data: 0
-# type: dword
-# when: rule_18_9_4_1
-# tags:
-# - level2
-# - rule_18.9.4.1
-# - patch
+- name: "SCORED | 18.8.52.1.1 | PATCH | (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
+ name: Enabled
+ data: 1
+ type: dword
+ when: rule_18_8_52_1_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.52.1.1
+ - patch
-# - name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: MSAOptional
-# data: 1
-# type: dword
-# when: rule_18_9_6_1
-# tags:
-# - level1
-# - level2
-# - rule_18.9.6.1
-# - patch
+- name: "SCORED | 18.8.52.1.2 | PATCH | (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
+ name: Enabled
+ data: 0
+ type: dword
+ when:
+ - rule_18_8_52_1_2
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level2-memberserver
+ - rule_18.8.52.1.2
+ - patch
-# - name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
-# name: NoAutoplayfornonVolume
-# data: 1
-# type: dword
-# when: rule_18_9_8_1
-# tags:
-# - level1
-# - level2
-# - rule_18.9.8.1
-# - patch
+- name: "SCORED | 18.9.4.1 | PATCH | (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
+ name: AllowSharedLocalAppData
+ data: 0
+ type: dword
+ when: rule_18_9_4_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.4.1
+ - patch
-# - name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
-# name: NoAutorun
-# data: 1
-# type: dword
-# when: rule_18_9_8_2
-# tags:
-# - level1
-# - level2
-# - rule_18.9.8.2
-# - patch
+- name: "SCORED | 18.9.6.1 | PATCH | (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: MSAOptional
+ data: 1
+ type: dword
+ when: rule_18_9_6_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.6.1
+ - patch
-# - name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
-# name: NoDriveTypeAutoRun
-# data: 255
-# type: dword
-# when: rule_18_9_8_3
-# tags:
-# - level1
-# - level2
-# - rule_18.9.8.3
-# - patch
+- name: "SCORED | 18.9.8.1 | PATCH | (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ name: NoAutoplayfornonVolume
+ data: 1
+ type: dword
+ when: rule_18_9_8_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.8.1
+ - patch
-# - name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
-# name: EnhancedAntiSpoofing
-# data: 1
-# type: dword
-# when: rule_18_9_10_1_1
-# tags:
-# - level1
-# - level2
-# - rule_18.9.10.1.1
-# - patch
+- name: "SCORED | 18.9.8.2 | PATCH | (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoAutorun
+ data: 1
+ type: dword
+ when: rule_18_9_8_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.8.2
+ - patch
-# - name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled"
-# win_regedit:
-# path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
-# name: AllowCamera
-# data: 1
-# type: dword
-# when: rule_18_9_12_1
-# tags:
-# - level2
-# - rule_18.9.12.1
-# - patch
+- name: "SCORED | 18.9.8.3 | PATCH | (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoDriveTypeAutoRun
+ data: 255
+ type: dword
+ when: rule_18_9_8_3
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.8.3
+ - patch
-# - name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
-# name: DisableWindowsConsumerFeatures
-# data: 1
-# type: dword
-# when: rule_18_9_13_1
-# tags:
-# - level1
-# - level2
-# - rule_18.9.13.1
-# - patch
+- name: "SCORED | 18.9.10.1.1 | PATCH | (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
+ name: EnhancedAntiSpoofing
+ data: 1
+ type: dword
+ when: rule_18_9_10_1_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.10.1.1
+ - patch
-# - name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
-# win_regedit:
-# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
-# name: RequirePinForPairing
-# data: 1
-# type: dword
-# when: rule_18_9_14_1
-# tags:
-# - level1
-# - level2
-# - rule_18.9.14.1
-# - patch
+- name: "SCORED | 18.9.12.1 | PATCH | (L2) Ensure 'Allow Use of Camera' is set to 'Disabled's"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
+ name: AllowCamera
+ data: 1
+ type: dword
+ when: rule_18_9_12_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.12.1
+ - patch
-# - name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows\Credui
-# name: DisablePasswordReveal
-# data: 1
-# type: dword
-# when: rule_18_9_15_1
-# tags:
-# - level1
-# - level2
-# - rule_18.9.15.1
-# - patch
+- name: "SCORED | 18.9.13.1 | PATCH | (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
+ name: DisableWindowsConsumerFeatures
+ data: 1
+ type: dword
+ when: rule_18_9_13_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.13.1
+ - patch
-# - name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate
administrator accounts on elevation is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui -# name: EnumerateAdministrators -# data: 0 -# type: dword -# when: rule_18_9_15_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.15.2 -# - patch +- name: "SCORED | 18.9.14.1 | PATCH | (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect + name: RequirePinForPairing + data: 1 + type: dword + when: rule_18_9_14_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.14.1 + - patch -# - name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection -# name: AllowTelemetry -# data: 0 -# type: dword -# when: rule_18_9_16_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.16.1 -# - patch +- name: "SCORED | 18.9.15.1 | PATCH | (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Credui + name: DisablePasswordReveal + data: 1 + type: dword + when: rule_18_9_15_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.15.1 + - patch -# - name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection -# name: DisableEnterpriseAuthProxy -# data: 0 -# type: dword -# when: rule_18_9_16_2 -# tags: -# - level2 -# - rule_18.9.16.2 -# - patch +- name: "SCORED | 18.9.15.2 | PATCH | (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui + 
name: EnumerateAdministrators + data: 0 + type: dword + when: rule_18_9_15_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.15.2 + - patch + +- name: "SCORED | 18.9.16.1 | PATCH | (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: AllowTelemetry + data: 0 + type: dword + when: rule_18_9_16_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.1 + - patch + +- name: "SCORED | 18.9.16.2 | PATCH | (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: DisableEnterpriseAuthProxy + data: 0 + type: dword + when: rule_18_9_16_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.16.2 + - patch -# - name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds -# name: EnableConfigFlighting -# data: 01 -# type: dword -# when: rule_18_9_16_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.16.3 -# - patch +- name: "SCORED | 18.9.16.3 | PATCH | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds + name: EnableConfigFlighting + data: 01 + type: dword + when: rule_18_9_16_3 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.16.3 + - patch # - name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled" # win_regedit: 
@@ -1561,514 +1648,567 @@ # - rule_18.9.16.4 # - patch -# - name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds -# name: AllowBuildPreview -# data: 0 -# type: dword -# when: rule_18_9_16_5 -# tags: -# - level1 -# - level2 -# - rule_18.9.16.5 -# - patch - -# - name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application -# name: Retention -# data: 0 -# type: dword -# when: rule_18_9_26_1_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.1.1 -# - patch +- name: "SCORED | 18.9.16.4 | PATCH | (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds + name: AllowBuildPreview + data: 0 + type: dword + when: rule_18_9_16_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.4 + - patch -# - name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application -# name: MaxSize -# data: 65538 -# type: dword -# when: rule_18_9_26_1_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.1.2 -# - patch - -# - name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security -# name: Retention -# data: 0 -# type: string -# when: rule_18_9_26_2_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.2.1 -# - patch - -# - name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or 
greater" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security -# name: MaxSize -# data: 196608 -# type: dword -# when: rule_18_9_26_2_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.2.2 -# - patch - -# - name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application -# name: Retention -# data: 0 -# type: string -# when: rule_18_9_26_3_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.3.1 -# - patch - -# - name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup -# name: MaxSize -# data: 32768 -# type: dword -# when: rule_18_9_26_3_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.3.2 -# - patch - -# - name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System -# name: Retention -# data: 0 -# type: string -# when: rule_18_9_26_4_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.4.1 -# - patch - -# - name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System -# name: MaxSize -# data: 65538 -# type: dword -# when: rule_18_9_26_4_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.26.4.2 -# - patch - -# - name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Explorer -# name: NoDataExecutionPrevention -# data: 0 -# type: dword -# when: rule_18_9_30_2 -# tags: -# - level1 
-# - level2 -# - rule_18.9.30.2 -# - patch - -# - name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Explorer -# name: NoHeapTerminationOnCorruption -# data: 0 -# type: dword -# when: rule_18_9_30_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.30.3 -# - patch - -# - name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer -# name: PreXPSP2ShellProtocolBehavior -# data: 0 -# type: dword -# when: rule_18_9_30_4 -# tags: -# - level1 -# - level2 -# - rule_18.9.30.4 -# - patch - -# - name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors -# name: DisableLocation -# data: 1 -# type: dword -# when: rule_18_9_39_2 -# tags: -# - level2 -# - rule_18.9.39.2 -# - patch +- name: "SCORED | 18.9.26.1.1 | PATCH | (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application + name: Retention + data: 0 + type: dword + when: rule_18_9_26_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.1.1 + - patch -# - name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Messaging -# name: AllowMessageSync -# data: 0 -# type: dword -# when: rule_18_9_43_1 -# tags: -# - level2 -# - rule_18.9.43.1 -# - patch +- name: "SCORED | 18.9.26.1.2 | PATCH | (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application + name: 
MaxSize + data: 65538 + type: dword + when: rule_18_9_26_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.1.2 + - patch -# - name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount -# name: DisableUserAuth -# data: 1 -# type: dword -# when: rule_18_9_44_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.44.1 -# - patch +- name: "SCORED | 18.9.26.2.1 | PATCH | (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: Retention + data: 0 + type: string + when: rule_18_9_26_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.2.1 + - patch -# - name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive -# name: DisableFileSyncNGSC -# data: 1 -# type: dword -# when: rule_18_9_52_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.52.1 -# - patch +- name: "SCORED | 18.9.26.2.2 | PATCH | (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: MaxSize + data: 196608 + type: dword + when: rule_18_9_26_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.2.2 + - patch -# - name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: DisablePasswordSaving -# data: 1 -# type: dword -# when: rule_18_9_58_2_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.2.2 -# - patch +- name: "SCORED | 18.9.26.3.1 | 
PATCH | (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup + name: Retention + data: 0 + type: string + when: rule_18_9_26_3_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.3.1 + - patch -# - name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: fSingleSessionPerUser -# data: 1 -# type: dword -# when: rule_18_9_58_3_2_1 -# tags: -# - level2 -# - rule_18.9.58.3.2.1 -# - patch +- name: "SCORED | 18.9.26.3.2 | PATCH | (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup + name: MaxSize + data: 32768 + type: dword + when: rule_18_9_26_3_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.3.2 + - patch -# - name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: fDisableCcm -# data: 1 -# type: dword -# when: rule_18_9_58_3_3_1 -# tags: -# - level2 -# - rule_18.9.58.3.3.1 -# - patch +- name: "SCORED | 18.9.26.4.1 | PATCH | (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: Retention + data: 0 + type: string + when: rule_18_9_26_4_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.4.1 + - patch -# - name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled" -# win_regedit: -# path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: fDisableCdm -# data: 1 -# type: dword -# when: rule_18_9_58_3_3_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.3.2 -# - patch +- name: "SCORED | 18.9.26.4.2 | PATCH | (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: MaxSize + data: 65538 + type: dword + when: rule_18_9_26_4_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.4.2 + - patch -# - name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: fDisableLPT -# data: 1 -# type: dword -# when: rule_18_9_58_3_3_3 -# tags: -# - level2 -# - rule_18.9.58.3.3.3 -# - patch +- name: "SCORED | 18.9.30.2 | PATCH | (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoDataExecutionPrevention + data: 0 + type: dword + when: rule_18_9_30_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.2 + - patch -# - name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: fDisablePNPRedir -# data: 1 -# type: dword -# when: rule_18_9_58_3_3_4 -# tags: -# - level2 -# - rule_18.9.58.3.3.4 -# - patch +- name: "SCORED | 18.9.30.3 | PATCH | (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoHeapTerminationOnCorruption + data: 0 + type: dword + when: rule_18_9_30_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.3 + - patch 
-# - name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: fPromptForPassword -# data: 1 -# type: dword -# when: rule_18_9_58_3_9_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.9.1 -# - patch +- name: "SCORED | 18.9.30.4 | PATCH | (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: PreXPSP2ShellProtocolBehavior + data: 0 + type: dword + when: rule_18_9_30_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.4 + - patch -# - name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: fEncryptRPCTraffic -# data: 1 -# type: dword -# when: rule_18_9_58_3_9_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.9.2 -# - audit +- name: "SCORED | 18.9.39.1 | PATCH | (L2) Ensure 'Turn off location' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors + name: DisableLocation + data: 1 + type: dword + when: rule_18_9_39_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.39.1 + - patch -# - name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services -# name: fEncryptRPCTraffic -# data: 1 -# type: dword -# when: rule_18_9_58_3_9_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.9.2 -# - patch +- name: "SCORED | 18.9.43.1 | PATCH | (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Messaging + name: AllowMessageSync + data: 0 + type: dword + when: 
rule_18_9_43_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.43.1 + - patch -# - name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: MinEncryptionLevel -# data: 3 -# type: dword -# when: rule_18_9_58_3_9_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.9.3 -# - patch +- name: "SCORED | 18.9.44.1 | PATCH | (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount + name: DisableUserAuth + data: 1 + type: dword + when: rule_18_9_44_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.44.1 + - patch -# - name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: MaxIdleTime -# data: 3600000 -# type: dword -# when: rule_18_9_58_3_10_1 -# tags: -# - level2 -# - rule_18.9.58.3.10.1 -# - patch +- name: "SCORED | 18.9.52.1 | PATCH | (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive + name: DisableFileSyncNGSC + data: 1 + type: dword + when: rule_18_9_52_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.52.1 + - patch -# - name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: MaxDisconnectionTime -# data: 28800000 -# type: dword -# when: rule_18_9_58_3_10_2 -# tags: -# - level2 -# - rule_18.9.58.3.10.2 -# - patch +- name: "SCORED | 18.9.59.2.2 | PATCH | (L1) Ensure 'Do 
not allow passwords to be saved' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DisablePasswordSaving + data: 1 + type: dword + when: rule_18_9_59_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.58.2.2 + - patch -# - name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: DeleteTempDirsOnExit -# data: 1 -# type: dword -# when: rule_18_9_58_3_11_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.11.1 -# - patch +- name: "SCORED | 18.9.59.3.2.1 | PATCH | (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fSingleSessionPerUser + data: 1 + type: dword + when: rule_18_9_59_3_2_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.2.1 + - patch -# - name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: PerSessionTempDir -# data: 1 -# type: dword -# when: rule_18_9_58_3_11_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.11.2 -# - patch +- name: "SCORED | 18.9.59.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableCcm + data: 1 + type: dword + when: rule_18_9_59_3_3_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.1 + - patch -# - name: "SCORED | 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds -# name: 
DisableEnclosureDownload -# data: 1 -# type: dword -# when: rule_18_9_59_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.59.1 -# - patch +- name: "SCORED | 18.9.59.3.3.2 | PATCH | (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableCdm + data: 1 + type: dword + when: rule_18_9_59_3_3_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.3.2 + - patch -# - name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search -# name: AllowCloudSearch -# data: 0 -# type: dword -# when: rule_18_9_60_2 -# tags: -# - level2 -# - rule_18.9.60.2 -# - patch +- name: "SCORED | 18.9.59.3.3.3 | PATCH | (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableLPT + data: 1 + type: dword + when: rule_18_9_59_3_3_3 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.3 + - patch -# - name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search -# name: AllowIndexingEncryptedStoresOrItems -# data: 0 -# type: dword -# when: rule_18_9_60_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.60.3 -# - patch +- name: "SCORED | 18.9.59.3.3.4 | PATCH | (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisablePNPRedir + data: 1 + type: dword + when: rule_18_9_59_3_3_4 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.4 + - patch -# - name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS 
Validation is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform -# name: NoGenTicket -# data: 1 -# type: dword -# when: rule_18_9_65_1 -# tags: -# - level2 -# - rule_18.9.65.1 -# - patch +- name: "SCORED | 18.9.59.3.9.1 | PATCH | (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fPromptForPassword + data: 1 + type: dword + when: rule_18_9_59_3_9_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.1 + - patch -# - name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet -# name: LocalSettingOverrideSpynetReporting -# data: 0 -# type: dword -# when: rule_18_9_76_3_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.76.3.1 -# - patch +- name: "SCORED | 18.9.59.3.9.2 | PATCH | (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fEncryptRPCTraffic + data: 1 + type: dword + when: rule_18_9_59_3_9_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.2 + - patch -# - name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet -# name: SpynetReporting -# data: 0 -# type: dword -# when: rule_18_9_76_3_2 -# tags: -# - level2 -# - rule_18.9.76.3.2 -# - patch +- name: "SCORED | 18.9.59.3.9.3 | PATCH | (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: SecurityLayer + data: 2 + type: dword + when: + - 
rule_18_9_59_3_9_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.3 + - patch -# - name: "SCORED | 18.9.76.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection -# name: DisableBehaviorMonitoring -# data: 0 -# type: dword -# when: rule_18_9_76_7_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.76.7.1 -# - patch +- name: "SCORED | 18.9.59.3.9.4 | PATCH | (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + win_regedit: + patch: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: UserAuthentication + data: 1 + type: dword + when: + - rule_18_9_59_3_9_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.4 + - patch -# - name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting -# name: DisableGenericRePorts -# data: 1 -# type: dword -# when: rule_18_9_76_9_1 -# tags: -# - level2 -# - rule_18.9.76.9.1 -# - patch +- name: "SCORED | 18.9.59.3.9.5 | PATCH | (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MinEncryptionLevel + data: 3 + type: dword + when: rule_18_9_59_3_9_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.5 + - patch -# - name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled" +# - name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" # win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan -# name: DisableRemovableDriveScanning -# data: 0 +# path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal 
Services +# name: fEncryptRPCTraffic +# data: 1 # type: dword -# when: rule_18_9_76_10_1 +# when: rule_18_9_58_3_9_2 # tags: # - level1 # - level2 -# - rule_18.9.76.10.1 +# - rule_18.9.58.3.9.2 # - patch -# - name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled" +# - name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level" # win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan -# name: DisableEmailScanning -# data: 0 +# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services +# name: MinEncryptionLevel +# data: 3 # type: dword -# when: rule_18_9_76_10_2 +# when: rule_18_9_58_3_9_3 # tags: # - level1 # - level2 -# - rule_18.9.76.10.2 +# - rule_18.9.58.3.9.3 # - patch +- name: "SCORED | 18.9.59.3.10.1 | PATCH | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxIdleTime + data: 3600000 + type: dword + when: rule_18_9_59_3_10_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.1 + - patch + +- name: "SCORED | 18.9.59.3.10.2 | PATCH | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxDisconnectionTime + data: 28800000 + type: dword + when: rule_18_9_59_3_10_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.2 + - patch + +- name: "SCORED | 18.9.59.3.11.1 | PATCH | (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DeleteTempDirsOnExit + data: 1 + type: dword + when: rule_18_9_59_3_11_1 + tags: + - level1-domaincontroller + - level1-memberserver + - 
rule_18.9.59.3.11.1 + - patch + +- name: "SCORED | 18.9.59.3.11.2 | PATCH | (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: PerSessionTempDir + data: 1 + type: dword + when: rule_18_9_59_3_11_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.2 + - patch + +- name: "SCORED | 18.9.60.1 | PATCH | (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds + name: DisableEnclosureDownload + data: 1 + type: dword + when: rule_18_9_60_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.60.1 + - patch + +- name: "SCORED | 18.9.61.2 | PATCH | (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowCloudSearch + data: 0 + type: dword + when: rule_18_9_61_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.61.2 + - patch + +- name: "SCORED | 18.9.61.3 | PATCH | (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowIndexingEncryptedStoresOrItems + data: 0 + type: dword + when: rule_18_9_61_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.61.3 + - patch + +- name: "SCORED | 18.9.66.1 | PATCH | (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform + name: NoGenTicket + data: 1 + type: dword + when: rule_18_9_66_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.66.1 + - patch + +- name: "SCORED | 18.9.77.3.1 | PATCH | (L1) Ensure 'Configure local setting override for reporting to 
Microsoft MAPS' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: LocalSettingOverrideSpynetReporting + data: 0 + type: dword + when: rule_18_9_77_3_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.3.1 + - patch + +- name: "SCORED | 18.9.77.3.2 | PATCH | (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: SpynetReporting + data: 0 + type: dword + when: rule_18_9_77_3_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.3.2 + - patch + +- name: "SCORED | 18.9.77.7.1 | PATCH | (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword + when: rule_18_9_77_7_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.7.1 + - patch + +- name: "SCORED | 18.9.77.9.1 | PATCH | (L2) Ensure 'Configure Watson events' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting + name: DisableGenericRePorts + data: 1 + type: dword + when: rule_18_9_77_9_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.9.1 + - patch + +- name: "SCORED | 18.9.77.10.1 | PATCH | (L1) Ensure 'Scan removable drives' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableRemovableDriveScanning + data: 0 + type: dword + when: rule_18_9_77_10_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.1 + - patch + +- name: "SCORED | 18.9.77.10.2 | PATCH | (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableEmailScanning + data: 0 + type: dword + when: rule_18_9_77_10_2 
+ tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.2 + - patch + # - name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" # win_regedit: # path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR 
@@ -2107,31 +2247,45 @@
# - rule_18.9.76.13.1.2
# - patch
-# - name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-# name: ExploitGuard_ASR_Rules
-# data: 1
-# type: dword
-# when: rule_18_9_76_13_3_1
-# tags:
-# - level1
-# - level2
-# - rule_18.9.76.13.3.1
-# - patch
+- name: "SCORED | 18.9.77.13.3.1 | PATCH | (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
+ name: EnableNetworkProtection
+ data: 1
+ type: dword
+ when: rule_18_9_77_13_3_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.77.13.3.1
+ - patch
-# - name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Policies\Microsoft\Windows Defender
-# name: DisableAntiSpyware
-# data: 0
-# type: dword
-# when: rule_18_9_76_14
-# tags:
-# - level1
-# - level2
-# - rule_18.9.76.14
-# - patch
+- name: "SCORED | 18.9.77.14 | PA | (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
+ name: PUAProtection
+ data: 1
+ type: dword
+ when:
+ - rule_18_9_77_14
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.77.14
+ - patch
+
+- name: "SCORED | 18.9.77.15 | PATCH | (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender
+ name: DisableAntiSpyware
+ data: 0
+ type: dword
+ when: rule_18_9_77_15
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.77.15
+ - patch
# - name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled"
# win_regedit:
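Review bot: The third field of the new 18.9.77.14 task name is `PA` instead of `PATCH` (`"SCORED | 18.9.77.14 | PA | (L1) Ensure 'Configure detection for potentially unwanted applications' ..."`), so anything that filters or reports on the `| PATCH |` naming convention will miss this control; write `- name: "SCORED | 18.9.77.14 | PATCH | (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'"`. The same task writes `when:` as a one-item list while the two tasks around it use a scalar; both forms work, but the file should settle on one of them.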
@@ -2146,342 +2300,364 @@ # - rule_18.9.79.1.1 # - patch -# - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" -# block: -# - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\System -# name: EnableSmartScreen -# data: 1 -# type: dword -# - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\System -# name: ShellSmartScreenLevel -# data: Block -# type: string -# when: rule_18_9_80_1_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.80.1.1 -# - patch +- name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" + block: + - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | EnableSmartScreen" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: EnableSmartScreen + data: 1 + type: dword -# - name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace -# name: AllowSuggestedAppsInWindowsInkWorkspace -# data: 0 -# type: dword -# when: rule_18_9_84_1 -# tags: -# - level2 -# - rule_18.9.84.1 -# - patch + - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | ShellSmartScreenLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: ShellSmartScreenLevel + data: Block + type: string + when: rule_18_9_80_1_1 + tags: + - 
level1-domaincontroller + - level1-memberserver + - rule_18.9.80.1.1 + - patch -# - name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace -# name: AllowWindowsInkWorkspace -# data: 1 -# type: dword -# when: rule_18_9_84_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.84.2 -# - patch +- name: "SCORED | 18.9.84.1 | PATCH | (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace + name: AllowSuggestedAppsInWindowsInkWorkspace + data: 0 + type: dword + when: rule_18_9_84_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.84.1 + - patch + +- name: "SCORED | 18.9.84.2 | PATCH | (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace + name: AllowWindowsInkWorkspace + data: 1 + type: dword + when: rule_18_9_84_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.84.2 + - patch + +- name: "SCORED | 18.9.85.1 | PATCH | (L1) Ensure 'Allow user control over installs' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: EnableUserControl + data: 0 + type: dword + when: rule_18_9_85_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.1 + - patch + +- name: "SCORED | 18.9.85.2 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + when: rule_18_9_85_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.2 + - patch + +- name: "SCORED | 
18.9.85.3 | PATCH | (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: SafeForScripting + data: 0 + type: dword + when: rule_18_9_85_3 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.85.3 + - patch + +- name: "SCORED | 18.9.86.1 | PATCH | (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableAutomaticRestartSignOn + data: 1 + type: dword + when: rule_18_9_86_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.86.1 + - patch + +- name: "SCORED | 18.9.95.1 | PATCH | (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging + name: EnableScriptBlockLogging + data: 1 + type: dword + when: rule_18_9_95_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.95.1 + - patch -# - name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Installer -# name: EnableUserControl -# data: 0 -# type: dword -# when: rule_18_9_85_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.85.1 -# - patch +- name: "SCORED | 18.9.95.2 | PATCH | (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription + name: EnableTranscripting + data: 0 + type: dword + when: rule_18_9_95_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.95.2 + - patch -# - name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" -# win_regedit: -# path: 
HKLM:\Software\Policies\Microsoft\Windows\Installer -# name: AlwaysInstallElevated -# data: 0 -# type: dword -# when: rule_18_9_85_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.85.2 -# - patch +- name: "SCORED | 18.9.97.1.1 | PATCH | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowBasic + data: 0 + type: dword + when: rule_18_9_97_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.1 + - patch -# - name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Installer -# name: SafeForScripting -# data: 0 -# type: dword -# when: rule_18_9_85_3 -# tags: -# - level2 -# - rule_18.9.85.3 -# - patch +- name: "SCORED | 18.9.97.1.2 | PATCH | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowUnencryptedTraffic + data: 0 + type: dword + when: rule_18_9_97_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.2 + - patch -# - name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: DisableAutomaticRestartSignOn -# data: 1 -# type: dword -# when: rule_18_9_86_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.86.1 -# - patch +- name: "SCORED | 18.9.97.1.3 | PATCH | (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowDigest + data: 0 + type: dword + when: rule_18_9_97_1_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.3 + - patch -# - name: "SCORED | 
18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging -# name: EnableScriptBlockLogging -# data: 1 -# type: dword -# when: rule_18_9_95_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.95.1 -# - patch +- name: "SCORED | 18.9.97.2.1 | PATCH | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowBasic + data: 0 + type: dword + when: rule_18_9_97_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.1 + - patch -# - name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription -# name: EnableTranscripting -# data: 1 -# type: dword -# when: rule_18_9_95_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.95.2 -# - patch +#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +- name: "SCORED | 18.9.97.2.2 | PATCH | (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowAutoConfig + data: 1 + type: dword + when: + - rule_18_9_97_2_2 + - is_implemented + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.97.2.2 + - patch -# - name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client -# name: AllowBasic -# data: 0 -# type: dword -# when: rule_18_9_97_1_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.97.1.1 -# - patch +- name: "SCORED | 18.9.97.2.3 | PATCH | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowUnencryptedTraffic + data: 0 + type: dword + when: rule_18_9_97_2_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.3 + - patch -# - name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client -# name: AllowUnencryptedTraffic -# data: 0 -# type: dword -# when: rule_18_9_97_1_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.97.1.2 -# - patch +- name: "SCORED | 18.9.97.2.4 | PATCH | (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: DisableRunAs + data: 1 + type: dword + when: rule_18_9_97_2_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.4 + - patch -# - name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client -# name: AllowDigest -# data: 0 -# type: dword -# when: rule_18_9_97_1_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.97.1.3 -# - patch +#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +- name: "SCORED | 18.9.98.1 | PATCH | (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs + name: AllowRemoteShellAccess + data: 1 + type: dword + when: + - rule_18_9_98_1 + - is_implemented + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.98.1 + - patch -# - name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service -# name: AllowBasic -# data: 0 -# type: dword -# when: rule_18_9_97_2_1 
-# tags: -# - level1 -# - level2 -# - rule_18.9.97.2.1 -# - patch +- name: "SCORED | 18.9.99.2.1 | PATCH | (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + name: DisallowExploitProtectionOverride + data: 1 + type: dword + when: rule_18_9_99_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.99.2.1 + - patch -# #This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -# - name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service -# name: AllowAutoConfig -# data: 1 -# type: dword -# when: -# - rule_18_9_97_2_2 -# - is_implemented -# tags: -# - level2 -# - rule_18.9.97.2.2 -# - patch +- name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'" + block: + - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuilds + data: 1 + type: dword -# - name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service -# name: AllowUnencryptedTraffic -# data: 0 -# type: dword -# when: rule_18_9_97_2_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.97.2.3 -# - patch + - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuildsPolicyValue + data: 0 + type: dword + 
when: rule_18_9_102_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.1 + - patch -# - name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service -# name: DisableRunAs -# data: 1 -# type: dword -# when: rule_18_9_97_2_4 -# tags: -# - level1 -# - level2 -# - rule_18.9.97.2.4 -# - patch +- name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'" + block: + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdates" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdates + data: 1 + type: dword -# #This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -# - name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs -# name: AllowRemoteShellAccess -# data: 1 -# type: dword -# when: -# - rule_18_9_98_1 -# - is_implemented -# tags: -# - level2 -# - rule_18.9.98.1 -# - patch + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdatesPeriodInDays" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdatesPeriodInDays + data: 180 + type: dword -# - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds" -# block: -# - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview 
builds is set to Enabled Disable preview builds | ManagePreviewBuilds" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -# name: ManagePreviewBuilds -# data: 1 -# type: dword -# - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -# name: ManagePreviewBuildsPolicyValue -# data: 0 -# type: dword -# when: rule_18_9_101_1_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.101.1.1 -# - patch + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | BranchReadinessLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: BranchReadinessLevel + data: 16 + type: dword + when: rule_18_9_102_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.2 + - patch -# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" -# block: -# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -# name: DeferFeatureUpdates -# data: 1 -# type: dword -# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -# name: DeferFeatureUpdatesPeriodInDays -# data: 180 -# type: dword -# - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature 
Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate -# name: BranchReadinessLevel -# data: 16 -# type: dword -# when: rule_18_9_101_1_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.101.1.2 -# - patch +- name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'" + block: + - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdates" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdates + data: 1 + type: dword -# - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days" -# block: -# - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -# name: DeferQualityUpdates -# data: 1 -# type: dword -# - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" -# win_regedit: -# path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -# name: DeferQualityUpdatesPeriodInDays -# data: 0 -# type: dword -# when: rule_18_9_101_1_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.101.1.3 -# - patch + - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdatesPeriodInDays" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdatesPeriodInDays + data: 0 + type: dword + when: rule_18_9_102_1_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.3 + - patch -# - name: "SCORED | 
18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au -# name: NoAutoUpdate -# data: 0 -# type: dword -# when: rule_18_9_101_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.101.2 -# - patch +- name: "SCORED | 18.9.102.2 | PATCH | (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoUpdate + data: 0 + type: dword + when: rule_18_9_102_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.101.2 + - patch -# - name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au -# name: ScheduledInstallDay -# data: 0 -# type: dword -# when: rule_18_9_101_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.101.3 -# - patch +- name: "SCORED | 18.9.102.3 | PATCH | (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: ScheduledInstallDay + data: 0 + type: dword + when: rule_18_9_102_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.3 + - patch -# - name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au -# name: NoAutoRebootWithLoggedOnUsers -# data: 0 -# type: dword -# when: rule_18_9_101_4 -# tags: -# - level1 -# - level2 -# - rule_18.9.101.4 -# - patch +- name: "SCORED | 18.9.102.4 | PATCH | (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
+ name: NoAutoRebootWithLoggedOnUsers
+ data: 0
+ type: dword
+ when: rule_18_9_102_4
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.102.4
+ - patch
From 2081daf3a6b32bf3ac68970cc29b859fe6c6ba01 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 2 Feb 2021 17:00:37 -0500
Subject: [PATCH 09/12] finished updating section 19 to version 1.2.0
Signed-off-by: George Nalen
---
defaults/main.yml | 9 ++-
tasks/section19.yml | 169 ++++++++++++++++++++++++--------------------
2 files changed, 100 insertions(+), 78 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index f51163c..31a2f30 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -451,7 +451,8 @@ rule_19_1_3_2: true
rule_19_1_3_3: true
rule_19_1_3_4: true
rule_19_5_1_1: true
-rule_19_6_5_1_1: true
+# rule_19_6_5_1_1: true
+rule_19_6_6_1_1: true
rule_19_7_4_1: true
rule_19_7_4_2: true
rule_19_7_7_1: true
@@ -459,8 +460,10 @@ rule_19_7_7_2: true
rule_19_7_7_3: true
rule_19_7_7_4: true
rule_19_7_26_1: true
-rule_19_7_40_1: true
-rule_19_7_44_2_1: true
+# rule_19_7_40_1: true
+rule_19_7_41_1: true
+# rule_19_7_44_2_1: true
+rule_19_7_45_2_1: true
# This SID is the same for standalone, member, domain controller for 'Administrators' group
diff --git a/tasks/section19.yml b/tasks/section19.yml
index 198b3fb..1eb28e1 100644
--- a/tasks/section19.yml
+++ b/tasks/section19.yml
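Review bot: The tag list of the new 18.9.102.2 task (near the end of the hunk) still carries `- rule_18.9.101.2` while its name and `when: rule_18_9_102_2` use the renumbered id, so a run with `--tags rule_18.9.102.2` would silently skip 'Configure Automatic Updates'; change it to `- rule_18.9.102.2`. In 18.9.95.1 the title says 'Disabled' but `data: 1` turns PowerShell script block logging on; the value is what the host ends up with and keeping it on is the better detection posture, so the title looks like the stale half — reconcile it against the 1.2.0 benchmark text rather than guessing (18.9.95.2 was reconciled to `data: 0` in this same hunk). In the 18.9.102.1.1 block both sub-tasks are suffixed `| ManagePreviewBuilds` although the second writes `ManagePreviewBuildsPolicyValue`; suffixing it `| ManagePreviewBuildsPolicyValue` keeps play output unambiguous. The two `#This control will have to be set to Enabled (1) ...` comments also need a space after `#` to satisfy yamllint's comments rule.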
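Review bot: The three superseded variables in defaults/main.yml (`rule_19_6_5_1_1`, `rule_19_7_40_1`, `rule_19_7_44_2_1`) are commented out rather than removed, so any task or inventory override that still references one of them will now fail with an undefined-variable error instead of being skipped. If the renumbered section19 tasks are their only consumers (not visible from this diff), delete the commented lines so the defaults file lists only variables the role actually reads.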
@@ -1,13 +1,14 @@
---
-- name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled"
+- name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'"
block:
- - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled"
+ - name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'"
win_regedit:
path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop
name: ScreenSaveActive
data: 1
type: string
- - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled"
+
+ - name: "SCORED | 19.1.3.1 | PATCH |(L1) Ensure 'Enable screen saver' is set to 'Enabled'"
win_regedit:
path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
name: ScreenSaveActive
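Review bot: The second sub-task name in 19.1.3.1 is missing the space after the separator — `PATCH |(L1) Ensure` should be `PATCH | (L1) Ensure` like every other task, otherwise name-based filtering and reporting treat it differently. Separately, the two sub-tasks in each block carry identical names, so play output never shows which hive (HKU:\.DEFAULT or HKCU) a change or failure came from; suffixing them, e.g. `| HKU .DEFAULT` and `| HKCU`, as section18 already does for its multi-key blocks, would fix that, and the same applies to the 19.1.3.2–19.5.1.1 blocks in the following hunks. As far as I can tell HKCU under a WinRM session resolves to the hive of the account Ansible connects as, so the HKCU write hardens that profile only; that predates this change, but a one-line comment on the HKCU sub-task saying so would save the next reader from assuming it covers all users.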
@@ -15,20 +16,21 @@
type: string
when: rule_19_1_3_1
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_19.1.3.1
- patch
-- name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr"
+- name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'"
block:
- - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr"
+ - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'"
win_regedit:
path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop
name: SCRNSAVE.EXE
data: scrnsave.scr
type: string
- - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr"
+
+ - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'"
win_regedit:
path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
name: SCRNSAVE.EXE
@@ -36,20 +38,21 @@
type: string
when: rule_19_1_3_2
tags:
- - level1
- - level2
+ - level1-domaincontroller
+ - level1-memberserver
- rule_19.1.3.2
- patch
-- name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled"
+- name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'"
block:
- - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled"
+ - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'"
win_regedit:
path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop
name: ScreenSaverIsSecure
data: 1
type: string
- - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled"
+
+ - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'"
win_regedit:
path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
name: ScreenSaverIsSecure
@@ -57,20 +60,21 @@ type: string when: rule_19_1_3_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.3 - patch -- name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +- name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" block: - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: 900 type: string - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + + - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut 
@@ -78,20 +82,21 @@ type: string when: rule_19_1_3_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.4 - patch -- name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" +- name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" block: - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + + - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen 
@@ -99,40 +104,43 @@ type: dword when: rule_19_5_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.5.1.1 - patch -- name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" +- name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" block: - - name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - - name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + + - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - when: rule_19_6_5_1_1 + when: rule_19_6_6_1_1 tags: - - level2 - - rule_19.6.5.1.1 + - level2-domaincontroller + - level2-memberserver + - rule_19.6.6.1.1 - patch -- name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" +- name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" block: - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 3 type: dword - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve 
zone information in file attachments is set to Disabled" + + - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" win_regedit: path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation @@ -140,20 +148,21 @@ type: dword when: rule_19_7_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.1 - patch -- name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" +- name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" block: - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + + - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus 
@@ -161,20 +170,21 @@ type: dword when: rule_19_7_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.2 - patch -- name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" +- name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" block: - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + + - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight 
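Review bot: The three renamed 19.7.7.1 task names in this hunk end with `is set to Disabled'"`, which is missing the opening quote around the expected value while every other renamed task in the file writes it as `'Disabled'`. It is only a title string, so nothing functional changes, but the audit output will look inconsistent next to its neighbours; change each of the three to `is set to 'Disabled'"`.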
@@ -182,20 +192,21 @@ type: dword when: rule_19_7_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.1 - patch -- name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" +- name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + + - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions 
@@ -203,20 +214,21 @@ type: dword when: rule_19_7_7_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.2 - patch -- name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" +- name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + + - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData 
@@ -224,19 +236,21 @@ type: dword when: rule_19_7_7_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.3 - patch -- name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" +- name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + + - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures 
@@ -244,19 +258,21 @@ type: dword when: rule_19_7_7_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.4 - patch -- name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" +- name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" block: - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + + - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing 
@@ -264,49 +280,52 @@ type: dword when: rule_19_7_26_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.26.1 - patch -- name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" +- name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" block: - - name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - - name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + + - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - when: rule_19_7_40_1 + when: rule_19_7_41_1 tags: - level1 - level2 - - rule_19.7.40.1 + - rule_19.7.41.1 - patch -- name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" +- name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" block: - - name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - - name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + + - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer 
name: PreventCodecDownload data: 1 type: dword - when: rule_19_7_44_2_1 + when: rule_19_7_45_2_1 tags: - - level2 - - rule_19.7.44.2.1 + - level2-domaincontroller + - level2-memberserver + - rule_19.7.45.2.1 - patch From 597e8a3c665647635429d63fdaa4d87d4023df3d Mon Sep 17 00:00:00 2001 From: George Nalen Date: Wed, 3 Feb 2021 11:47:28 -0500 Subject: [PATCH 10/12] completed adding section 9 Signed-off-by: George Nalen --- defaults/main.yml | 58 +++++++ tasks/section09.yml | 362 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 420 insertions(+) create mode 100644 tasks/section09.yml diff --git a/defaults/main.yml b/defaults/main.yml index 31a2f30..2e52d0c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -176,6 +176,34 @@ rule_2_3_17_6: true rule_2_3_17_7: true rule_2_3_17_8: true +# section9 +rule_9_1_1: true +rule_9_1_2: true +rule_9_1_3: true +rule_9_1_4: true +rule_9_1_5: true +rule_9_1_6: true +rule_9_1_7: true +rule_9_1_8: true +rule_9_2_1: true +rule_9_2_2: true +rule_9_2_3: true +rule_9_2_4: true +rule_9_2_5: true +rule_9_2_6: true +rule_9_2_7: true +rule_9_2_8: true +rule_9_3_1: true +rule_9_3_2: true +rule_9_3_3: true +rule_9_3_4: true +rule_9_3_5: true +rule_9_3_6: true +rule_9_3_7: true +rule_9_3_8: true +rule_9_3_9: true +rule_9_3_10: true + # section17 rule_17_1_1: true rule_17_1_2: true 
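Review bot: The `tags:` list of 19.7.41.1 ('Always install with elevated privileges' = Disabled) still reads `- level1` / `- level2`, while every other task in this hunk and in the earlier section19 hunks is moved to `level1-domaincontroller` / `level1-memberserver`. A run filtered by the new level tags will silently skip the task that sets `AlwaysInstallElevated` to 0 on HKU:\.DEFAULT and HKCU, which is one of the more consequential controls in this file. Replace the two old entries with `- level1-domaincontroller` and `- level1-memberserver` so the tag scheme is uniform.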
@@ -503,3 +531,33 @@ sys_maxsize: 32768 legalnoticecaption: "DoD Notice and Consent Banner" + +# 9.1.5 +# domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log +# This is a variable to give some leway on where to store these log files +domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log' + +# 9.1.6 +# domain_firewall_log_size is the size of the log file generated +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB +domain_firewall_log_size: 16,384 + +# 9.2.5 +# private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log +# This is a variable to give some leway on where to store these log files +private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log' + +# 9.2.6 +# private_firewall_log_size is the size of the log file +# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +private_firewall_log_size: 16,384 + +# 9.3.7 +# public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log +# This is a variable to give some leway on where to store these log files +public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' + +# 9.3.8 +# public_firewall_log_size is the size of the log file +# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +public_firewall_log_size: 16,384 \ No newline at end of file diff --git a/tasks/section09.yml b/tasks/section09.yml new file mode 100644 index 0000000..10a8b49 --- /dev/null +++ b/tasks/section09.yml 
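Review bot: `domain_firewall_log_size: 16,384` (and the private/public twins) parses as the string "16,384", not an integer — YAML integers accept `_` as a separator but not `,` — yet the new section09.yml feeds these values into `win_regedit` with `type: dword` for `LogFileSize`, which cannot take a comma-separated string. Write the three values as `16384`, and keep the comment's "Value is in KB" wording so the unit stays documented. Two smaller points in the same hunk: the file now ends with "No newline at end of file", and the comments read "leway" and "stadnards" where "leeway" and "standards" are meant.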
@@ -0,0 +1,362 @@ +--- +- name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: EnableFirewall + data: 1 + type: dword + when: + - rule_9_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.1 + - patch + +- name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultInboundAction + data: 1 + type: dword + when: + - rule_9_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.2 + - patch + +- name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultOutboundAction + data: 0 + type: dword + when: + - rule_9_1_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.3 + - patch + +- name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DisableNotifications + data: 0 + type: dword + when: + - rule_9_1_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.4 + - patch + +# title has slashes switched +- name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFilePath + data: '{{ domain_firewall_log_path }}' + type: string + when: + - rule_9_1_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.5 + - patch + +- name: "SCORED | 
9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFileSize + data: '{{ domain_firewall_log_size }}' + type: dword + when: + - rule_9_1_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.6 + - patch + +- name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword + when: + - rule_9_1_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.7 + - patch + +- name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword + when: + - rule_9_1_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.8 + - patch + +- name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + win_firewall: + state: enabled + profile: Private + when: + - rule_9_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.1 + - patch + +- name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultInboundAction + data: 1 + type: dword + when: + - rule_9_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.2 + - patch + +- name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + win_regedit: + path: 
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultOutboundAction + data: 0 + type: dword + when: + - rule_9_2_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.3 + - patch + +- name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DisableNotifications + data: 0 + type: dword + when: + - rule_9_2_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.4 + - patch + +# title has slashes switched +- name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFilePath + data: '{{ private_firewall_log_path }}' + type: string + when: + - rule_9_2_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.5 + - patch + +- name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFileSize + data: '{{ private_firewall_log_size }}' + type: dword + when: + - rule_9_2_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.6 + - patch + +- name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword + when: + - rule_9_2_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.7 + - patch + +- name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" 
+ win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword + when: + - rule_9_2_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.8 + - patch + +- name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + win_firewall: + state: enabled + profile: Public + when: + - rule_9_3_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.1 + - patch + +- name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultInboundAction + data: 1 + type: dword + when: + - rule_9_3_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.2 + - patch + +- name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultOutboundAction + data: 0 + type: dword + when: + - rule_9_3_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.3 + - patch + +- name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DisableNotifications + data: 0 + type: dword + when: + - rule_9_3_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.4 + - patch + +- name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalPolicyMerge + data: 0 + type: dword + when: + - rule_9_3_5 + tags: + - level1-domaincontroller + - 
level1-memberserver + - rule_9.3.5 + - patch + +- name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalIPsecPolicyMerge + data: 0 + type: dword + when: + - rule_9_3_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.6 + - patch + +- name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFilePath + data: '{{ public_firewall_log_path }}' + type: string + when: + - rule_9_3_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.7 + - patch + +- name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFileSize + data: '{{ public_firewall_log_size }}' + type: dword + when: + - rule_9_3_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.8 + - patch + +- name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword + when: + - rule_9_3_9 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.9 + - patch + +- name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword + when: + - rule_9_3_10 + tags: + - 
level1-domaincontroller + - level1-memberserver + - rule_9.3.10 + - patch From 785f737d8b49afbd9c0daae54f82a6bc29a0999a Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 5 Feb 2021 14:55:42 -0500 Subject: [PATCH 11/12] Finalized updates for version 1.2.0 Signed-off-by: George Nalen --- README.md | 2 +- defaults/main.yml | 62 ++--------------- tasks/main.yml | 6 ++ tasks/section02.yml | 11 +-- tasks/section09.yml | 2 + tasks/section17.yml | 143 ++++++++++++++------------------------- tasks/section18.yml | 160 +++++++------------------------------------- 7 files changed, 96 insertions(+), 290 deletions(-) diff --git a/README.md b/README.md index 5b80abe..2641969 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Windows Server 2016 CIS Configure a Windows Server 2016 system to be CIS compliant. -This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.1.0 Rel 1607 released on October 21, 2018] (https://workbench.cisecurity.org/benchmarks/835). +This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.2.0 Rel 1607 released on May 27, 2020] (https://learn.cisecurity.org/l/799323/2020-07-10/zx1v). Requirements ------------ diff --git a/defaults/main.yml b/defaults/main.yml index 2e52d0c..23994ff 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ --- section01_patch: yes section02_patch: yes +section09_patch: yes section17_patch: yes section18_patch: yes section19_patch: yes @@ -40,6 +41,7 @@ is_implemented: false #set to false to skip long running tasks long_running: false +win_skip_for_test: true # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group 
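Review bot: Tasks 9.1.4, 9.2.4 and 9.3.4 write `DisableNotifications` with `data: 0`, but the control they implement is 'Display a notification' = No, and the registry flag is negated — the benchmark's registry check for this control expects `DisableNotifications` = 1; as written, the role turns notifications on for all three profiles, so change `data: 0` to `data: 1` in those three tasks (please confirm against the 1.2.0 benchmark's registry reference). Separately, 9.1.1 sets the Domain firewall state through the policy key `EnableFirewall`, while 9.2.1 and 9.3.1 use `win_firewall`, which as far as I can tell changes the live profile state rather than the `HKLM:\SOFTWARE\Policies\...\PrivateProfile` / `PublicProfile` keys the benchmark audits; a single approach for the three profiles would keep the audit result and the remediation aligned. The `LogFileSize` tasks also inherit a `16,384` default from defaults/main.yml, which is a string and will not satisfy `type: dword`.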
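Review bot: `win_skip_for_test: true` is added as the shipped default, and in the same patch it gates 2.3.1.5 (rename Administrator, the section02 hunk) and 9.3.5 (`AllowLocalPolicyMerge` = 0, the section09 hunk) through `- not win_skip_for_test`, so ordinary runs of this role skip two scored controls unless the operator knows to override the variable. Default it to `false` and set it to true only in the test inventory or molecule scenario, and document the intent in place with a comment such as `# set to true only on throwaway test hosts; skips tasks that would lock the tester out or break the test harness`. Either way the README should list the variable next to `long_running`, since it changes what the role enforces.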
@@ -271,7 +273,7 @@ rule_18_4_10: true
 rule_18_4_11: true
 rule_18_4_12: true
 rule_18_5_4_1: true
-# rule_18_5_4_2: true
+rule_18_5_4_2: true
 rule_18_5_5_1: true
 rule_18_5_8_1: true
 rule_18_5_9_1: true
@@ -316,14 +318,7 @@ rule_18_8_22_1_11: true
 rule_18_8_22_1_12: true
 rule_18_8_22_1_13: true
 rule_18_8_25_1: true
-# rule_18_8_26_1: true
 rule_18_8_27_1: true
-# rule_18_8_27_2: true
-# rule_18_8_27_3: true
-# rule_18_8_27_4: true
-# rule_18_8_27_5: true
-# rule_18_8_27_6: true
-# rule_18_8_27_7: true
 rule_18_8_28_1: true
 rule_18_8_28_2: true
 rule_18_8_28_3: true
@@ -331,27 +326,17 @@ rule_18_8_28_4: true
 rule_18_8_28_5: true
 rule_18_8_28_6: true
 rule_18_8_28_7: true
-# rule_18_8_33_6_2: true
-# rule_18_8_33_6_3: true
-# rule_18_8_33_6_4: true
 rule_18_8_34_6_1: true
 rule_18_8_34_6_2: true
 rule_18_8_34_6_3: true
-# rule_18_8_35_1: true
-rule_18_8_36_1: true
-rule_18_8_35_2: true
+rule_18_8_34_6_4: true
 rule_18_8_36_1: true
 rule_18_8_36_2: true
 rule_18_8_37_1: true
 rule_18_8_37_2: true
-# rule_18_8_44_5_1: true
-# rule_18_8_44_11_1: true
-# rule_18_8_46_1: true
 rule_18_8_47_5_1: true
 rule_18_8_47_11_1: true
-# rule_18_8_49_1_1: true
 rule_18_8_49_1: true
-# rule_18_8_49_1_2: true
 rule_18_8_52_1_1: true
 rule_18_8_52_1_2: true
 rule_18_9_4_1: true
@@ -369,7 +354,6 @@ rule_18_9_16_1: true
 rule_18_9_16_2: true
 rule_18_9_16_3: true
 rule_18_9_16_4: true
-# rule_18_9_16_5: true
 rule_18_9_26_1_1: true
 rule_18_9_26_1_2: true
 rule_18_9_26_2_1: true
@@ -382,30 +366,15 @@ rule_18_9_30_2: true
 rule_18_9_30_3: true
 rule_18_9_30_4: true
 rule_18_9_39_1: true
-# rule_18_9_39_2: true
 rule_18_9_43_1: true
 rule_18_9_44_1: true
 rule_18_9_52_1: true
-# rule_18_9_58_2_2: true
-# rule_18_9_58_3_2_1: true
-# rule_18_9_58_3_3_1: true
-# rule_18_9_58_3_3_2: true
-# rule_18_9_58_3_3_3: true
-# rule_18_9_58_3_3_4: true
-# rule_18_9_58_3_9_1: true
-# rule_18_9_58_3_9_2: true
-# rule_18_9_58_3_9_3: true
-# rule_18_9_58_3_10_1: true
-# rule_18_9_58_3_10_2: true
-# rule_18_9_58_3_11_1: true
-# rule_18_9_58_3_11_2: true
 rule_18_9_59_2_2: true
 rule_18_9_59_3_2_1: true
 rule_18_9_59_3_3_1: true
 rule_18_9_59_3_3_2: true
 rule_18_9_59_3_3_3: true
 rule_18_9_59_3_3_4: true
-# rule_18_9_59_1: true
 rule_18_9_59_3_9_1: true
 rule_18_9_59_3_9_2: true
 rule_18_9_59_3_9_3: true
@@ -416,22 +385,9 @@ rule_18_9_59_3_10_2: true
 rule_18_9_59_3_11_1: true
 rule_18_9_59_3_11_2: true
 rule_18_9_60_1: true
-# rule_18_9_60_2: true
-# rule_18_9_60_3: true
 rule_18_9_61_2: true
 rule_18_9_61_3: true
-# rule_18_9_65_1: true
 rule_18_9_66_1: true
-# rule_18_9_76_3_1: true
-# rule_18_9_76_3_2: true
-# rule_18_9_76_7_1: true
-# rule_18_9_76_9_1: true
-# rule_18_9_76_10_1: true
-# rule_18_9_76_10_2: true
-# rule_18_9_76_13_1_1: true
-# rule_18_9_76_13_1_2: true
-# rule_18_9_76_13_3_1: true
-# rule_18_9_76_14: true
 rule_18_9_77_3_1: true
 rule_18_9_77_3_2: true
 rule_18_9_77_7_1: true
@@ -441,7 +397,6 @@ rule_18_9_77_10_2: true
 rule_18_9_77_13_3_1: true
 rule_18_9_77_14: true
 rule_18_9_77_15: true
-# rule_18_9_79_1_1: true
 rule_18_9_80_1_1: true
 rule_18_9_84_1: true
 rule_18_9_84_2: true
@@ -460,12 +415,6 @@ rule_18_9_97_2_3: true
 rule_18_9_97_2_4: true
 rule_18_9_98_1: true
 rule_18_9_99_2_1: true
-# rule_18_9_101_1_1: true
-# rule_18_9_101_1_2: true
-# rule_18_9_101_1_3: true
-# rule_18_9_101_2: true
-# rule_18_9_101_3: true
-# rule_18_9_101_4: true
 rule_18_9_102_1_1: true
 rule_18_9_102_1_2: true
 rule_18_9_102_1_3: true
@@ -479,7 +428,6 @@ rule_19_1_3_2: true rule_19_1_3_3: true rule_19_1_3_4: true rule_19_5_1_1: true -# rule_19_6_5_1_1: true rule_19_6_6_1_1: true rule_19_7_4_1: true rule_19_7_4_2: true @@ -488,9 +436,7 @@ rule_19_7_7_2: true rule_19_7_7_3: true rule_19_7_7_4: true rule_19_7_26_1: true -# rule_19_7_40_1: true rule_19_7_41_1: true -# rule_19_7_44_2_1: true rule_19_7_45_2_1: true diff --git a/tasks/main.yml b/tasks/main.yml index 15aa8fd..77748a6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -42,6 +42,12 @@ tags: - section02 +- name: Execute the section 9 tasks + import_tasks: section09.yml + when: section09_patch | bool + tags: + - section09 + - name: Execute the section 17 tasks import_tasks: section17.yml when: section17_patch | bool diff --git a/tasks/section02.yml b/tasks/section02.yml index 0f55b3e..e949a67 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -232,7 +232,7 @@ - rule_2.2.17 - patch -- name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE\Virtual Machines' (MS only)" +- name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only)" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -565,7 +565,7 @@ - rule_2.2.42 - patch -- name: "SCORED | 2.2.43 | PATCH | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'" +- name: "SCORED | 2.2.43 | PATCH | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE/WdiServiceHost'" win_user_right: name: SeSystemProfilePrivilege users: @@ -702,7 +702,9 @@ section: System Access key: newadministratorname value: GeorgeSharp - when: rule_2_3_1_5 + when: + - rule_2_3_1_5 + - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver 
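Review bot: The section02 hunks at -232 and -565 change `NT VIRTUAL MACHINE\Virtual Machines` and `NT SERVICE\WdiServiceHost` to forward slashes inside double-quoted task names; presumably this was done because `\V` and `\W` are not valid escapes in a YAML double-quoted scalar and broke parsing, but the result now misstates the Windows principal in the audit log. Keep the real account name by escaping the backslash, `NT SERVICE\\WdiServiceHost`, or by switching those two titles to single quotes, where the backslash is literal. The `win_user_right` module args below the names are unchanged, so only the displayed title is affected.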
@@ -714,7 +716,8 @@ section: System Access key: NewGuestName value: BobCooper - when: rule_2_3_1_6 + when: + - rule_2_3_1_6 tags: - level1-domaincontroller - level1-memberserver diff --git a/tasks/section09.yml b/tasks/section09.yml index 10a8b49..8bef659 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml @@ -285,6 +285,7 @@ type: dword when: - rule_9_3_5 + - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver @@ -305,6 +306,7 @@ - rule_9.3.6 - patch +# title has slashes switched - name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging diff --git a/tasks/section17.yml b/tasks/section17.yml index 9ae7b39..420d6c6 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml @@ -5,7 +5,7 @@ win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_1_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable @@ -18,8 +18,6 @@ changed_when: "'Failure' not in rule_17_1_1_audit.stdout" when: - rule_17_1_1 - - rule_17_1_1_audit is defined - - "'Success' not in rule_17_1_1_audit.stdout" tags: - level1-domaincontroller - level1-memberserver 
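Review bot: The added `# title has slashes switched` comment above rule 9.3.7 (hunk `@@ -305,6 +306,7 @@`, section09.yml) records what was done but not why, so the next maintainer may "fix" the title back and break the YAML. I would make it `# NOTE: task name uses forward slashes on purpose — backslashes inside a double-quoted YAML scalar are escape sequences`, and confirm that the `data:` value of the win_regedit call, which lies outside this hunk, still writes the backslashed log path the benchmark expects.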
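Review bot: Replacing `ignore_errors: yes` with `failed_when: false` on the 17.1.1 get task (hunk `@@ -5,7 +5,7 @@`, section17.yml, and the matching hunks for every other 17.x get task on this page) removes the last visible sign that AuditPol failed: the task is reported ok, `stdout` is empty, and every guard of the form `'Success' not in rule_17_1_1_audit.stdout` then evaluates true, so the set tasks run and report changed on a host whose audit policy was never actually read. If the intent is only to keep the play going, keep the evidence as well, e.g. `when: rule_17_1_1_audit.rc == 0 and 'Success' not in rule_17_1_1_audit.stdout` on the set tasks, or at least an inline `# failed_when: false — a failing AuditPol /get leaves stdout empty and the set tasks below will run` so the behaviour reads as deliberate.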
@@ -31,8 +29,8 @@ - name: "SCORED | 17.1.2 | audit | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Get current settings" win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_1_2_audit - check_mode: no changed_when: no + failed_when: false - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for success" win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable @@ -55,8 +53,8 @@ - name: "SCORED | 17.1.3 | audit | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Get current settings" win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_1_3_audit - check_mode: no changed_when: no + failed_when: false - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for success" win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable @@ -80,7 +78,7 @@ win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable 
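Review bot: Dropping `check_mode: no` from the 17.1.2 get task (hunk `@@ -31,8 +29,8 @@`, section17.yml, and again for 17.1.3 in `@@ -55,8 +53,8 @@`) means that under `ansible-playbook --check` the win_shell task is skipped rather than run, so `rule_17_1_2_audit` is registered as a skipped result with no `stdout`, and the following `when: "'Success' not in rule_17_1_2_audit.stdout"` guards raise an undefined-attribute error. A read-only `AuditPol /get` is safe to execute in check mode, which is presumably why the flag was there; I would restore `check_mode: no` on these two tasks. The other 17.x get tasks on this page do not appear to carry it either, so the same check-mode failure likely already exists for them.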
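Review bot: Rule 17.2.1 is titled 'Audit Application Group Management' but both its get task and its set task (hunk `@@ -80,7 +78,7 @@`, section17.yml) use `/subcategory:"Security Group Management"`, which is the subcategory 17.2.5 already manages, so Application Group Management auditing is never read or enabled and the control is silently unmet. These are context lines rather than part of this commit, but they are what ships after it; the fix is `AuditPol /get /subcategory:"Application Group Management"` and `AuditPol /set /subcategory:"Application Group Management" /success:enable`. The enclosing block for 17.2.1 starts before this hunk and continues into the next one.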
@@ -93,9 +91,7 @@ changed_when: "'Failure' not in rule_17_2_1_audit.stdout" when: - rule_17_2_1 - - rule_17_2_1_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_1_audit.stdout" tags: - level1-domaincontroller - level1-memberserver @@ -108,7 +104,7 @@ win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_2_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.2.2 | PATCH | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Set success" win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable @@ -116,7 +112,6 @@ when: - rule_17_2_2 - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_2_audit is defined tags: - level1-domaincontroller - rule_17.2.2 @@ -128,14 +123,13 @@ win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_3_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.2.3 | PATCH | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Set success" win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable when: "'Success' not in rule_17_2_3_audit.stdout" when: - rule_17_2_3 - - rule_17_2_3_audit is defined - ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller 
@@ -148,14 +142,13 @@ win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_4_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.2.4 | PATCH | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Set success" win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable when: "'Success' not in rule_17_2_4_audit.stdout" when: - rule_17_2_4 - - rule_17_2_4_audit is defined - ansible_windows_domain_role == "Primary domain controller" tags: - level1-domaincontroller @@ -168,14 +161,13 @@ win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_5_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.2.5 | PATCH | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in rule_17_2_5_audit.stdout" when: - rule_17_2_5 - - rule_17_2_5_audit is defined tags: - level1-domaincontroller - level1-memberserver @@ -188,7 +180,7 @@ win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_2_6_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable @@ -201,7 +193,6 @@ changed_when: "'Failure' not in rule_17_2_6_audit.stdout" when: - rule_17_2_6 - - rule_17_2_6_audit is defined tags: - level1-domaincontroller - level1-memberserver 
@@ -214,7 +205,7 @@ win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_3_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.3.1 | PATCH | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set failure" win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable @@ -222,7 +213,6 @@ when: "'Success' not in rule_17_3_1_audit.stdout" when: - rule_17_3_1 - - rule_17_3_1_audit is defined tags: - level1-domaincontroller - level1-memberserver @@ -235,7 +225,7 @@ win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_3_2_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.3.2 | PATCH | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable @@ -243,7 +233,6 @@ when: "'Success' not in rule_17_3_2_audit.stdout" when: - rule_17_3_2 - - rule_17_3_2_audit is defined tags: - level1-domaincontroller - level1-memberserver @@ -256,7 +245,7 @@ win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_4_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.4.1 | PATCH | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Set failure" win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable @@ -264,7 +253,6 @@ when: "'Success' not in rule_17_4_1_audit.stdout" when: - rule_17_4_1 - - rule_17_4_1_audit is defined tags: - level1-domaincontroller - rule_17.4.1 
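Review bot: The 17.4.1 set task runs `AuditPol /set /subcategory:"Directory Service Access" /failure:enable` but is guarded by `when: "'Success' not in rule_17_4_1_audit.stdout"` (hunk `@@ -264,7 +253,6 @@`, section17.yml), so failure auditing is only enabled when success auditing is absent and is skipped on a host that audits Success but not Failure, which is the state the control exists to fix. The guard should be `when: "'Failure' not in rule_17_4_1_audit.stdout"`, and the task's `changed_when`, which lies outside this hunk, should agree with it. In the same file, the 17.3.1 set task in `@@ -214,7 +205,7 @@` enables success but is titled `| Set failure`; the title should read `| Set success`.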
@@ -276,7 +264,7 @@ win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_4_2_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.4.2 | PATCH | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Set success" win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable @@ -285,7 +273,6 @@ when: - rule_17_4_2 - ansible_windows_domain_role == "Primary domain controller" - - rule_17_4_2_audit is defined tags: - level1-domaincontroller - rule_17.4.2 @@ -297,7 +284,7 @@ win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_5_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.5.1 | PATCH | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Set failure" win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable @@ -305,7 +292,6 @@ when: "'Failure' not in rule_17_5_1_audit.stdout" when: - rule_17_5_1 - - rule_17_5_1_audit is defined tags: - level1-domaincontroller - level1-memberserver 
@@ -318,15 +304,14 @@ win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_5_2_audit changed_when: no - ignore_errors: yes + failed_when: false - - name: "SCORED | 17.5.2 | PATCH | (L1) Ensure 'Audit Group Membership' is set to include 'Success'" | Set success" + - name: "SCORED | 17.5.2 | PATCH | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - changed_when: "'Success' not in wn19_au_000170_audit.stdout" - when: "'Success' not in wn19_au_000170_audit.stdout" + changed_when: "'Success' not in rule_17_5_2_audit.stdout" + when: "'Success' not in rule_17_5_2_audit.stdout" when: - rule_17_5_2 - - wn19_au_000170_audit is defined tags: - level1-domaincontroller - level1-memberserver @@ -339,7 +324,7 @@ win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_5_3_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.5.3 | PATCH | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Logoff" /success:enable @@ -347,8 +332,6 @@ when: "'Success' not in rule_17_5_3_audit.stdout" when: - rule_17_5_3 - - rule_17_5_3_audit is defined - - "'Success' not in rule_17_5_3_audit.stdout" tags: - level1-domaincontroller - level1-memberserver 
@@ -361,22 +344,19 @@ win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_5_4_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Logon" /success:enable changed_when: "'Success' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" + when: "'Failure' not in rule_17_5_4_audit.stdout" - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Logon" /failure:enable changed_when: "'Failure' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - when: rule_17_5_4 + when: "'Failure' not in rule_17_5_4_audit.stdout" + when: + - rule_17_5_4 tags: - level1-domaincontroller - level1-memberserver 
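Review bot: In the 17.5.4 Success task (hunk `@@ -361,22 +344,19 @@`, section17.yml) the new guard is `when: "'Failure' not in rule_17_5_4_audit.stdout"` while the command is `/success:enable` and its `changed_when` tests for 'Success', so success auditing is skipped on a host that already audits Failure but not Success, and reported as changed when it does run on a host that already has Success. The line should be `when: "'Success' not in rule_17_5_4_audit.stdout"`, matching the Success/Failure pairing the commit uses for 17.5.5, 17.8.1 and the 17.9.x rules in the later hunks.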
@@ -389,21 +369,17 @@ win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_5_5_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable changed_when: "'Success' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Success' not in rule_17_5_5_audit.stdout" + when: "'Success' not in rule_17_5_5_audit.stdout" - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable changed_when: "'Failure' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Failure' not in rule_17_5_5_audit.stdout" + when: "'Failure' not in rule_17_5_5_audit.stdout" when: - rule_17_5_5 tags: @@ -418,7 +394,7 @@ win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_5_6_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable @@ -426,7 +402,6 @@ when: "'Success' not in rule_17_5_6_audit.stdout" when: - rule_17_5_6 - - rule_17_5_6_audit is defined tags: - level1-domaincontroller - level1-memberserver 
@@ -481,7 +456,7 @@ win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_6_4_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set success" win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable @@ -506,7 +481,7 @@ win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_7_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable @@ -514,7 +489,6 @@ when: "'Success' not in rule_17_7_1_audit.stdout" when: - rule_17_7_1 - - rule_17_7_1_audit is defined tags: - level1-domaincontroller - level1-memberserver @@ -527,7 +501,7 @@ win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_7_2_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable @@ -547,7 +521,7 @@ win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_7_3_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable 
@@ -598,21 +572,17 @@ win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_8_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable changed_when: "'Success' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Success' not in rule_17_8_1_audit.stdout" + when: "'Success' not in rule_17_8_1_audit.stdout" - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable changed_when: "'Failure' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Failure' not in rule_17_8_1_audit.stdout" + when: "'Failure' not in rule_17_8_1_audit.stdout" when: rule_17_8_1 tags: 
@@ -627,19 +597,17 @@ win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_9_1_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable changed_when: "'Success' not in rule_17_9_1_audit.stdout" - when: - - "'Success' not in rule_17_9_1_audit.stdout" + when: "'Success' not in rule_17_9_1_audit.stdout" + - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable changed_when: "'Failure' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Failure' not in rule_17_9_1_audit.stdout" + when: "'Failure' not in rule_17_9_1_audit.stdout" when: rule_17_9_1 tags: 
@@ -654,20 +622,17 @@ win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_9_2_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable changed_when: "'Success' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Success' not in rule_17_9_2_audit.stdout" + when: "'Success' not in rule_17_9_2_audit.stdout" + - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable changed_when: "'Failure' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Failure' not in rule_17_9_2_audit.stdout" + when: "'Failure' not in rule_17_9_2_audit.stdout" when: rule_17_9_2 tags: - level1-domaincontroller @@ -681,14 +646,12 @@ win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_9_3_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.9.3 | PATCH | (L1) Ensure 'Audit Security State Change' is set to include 'Success' Set success" win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable changed_when: "'Success' not in rule_17_9_3_audit.stdout" - when: - - rule_17_9_3_audit is defined - - "'Success' not in rule_17_9_3_audit.stdout" + when: "'Success' not in rule_17_9_3_audit.stdout" when: rule_17_9_3 tags: - level1-domaincontroller 
@@ -702,14 +665,12 @@ win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_9_4_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.9.4 | PATCH | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Set success" win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable changed_when: "'Success' not in rule_17_9_4_audit.stdout" - when: - - rule_17_9_4_audit is defined - - "'Success' not in rule_17_9_4_audit.stdout" + when: "'Success' not in rule_17_9_4_audit.stdout" when: rule_17_9_4 tags: - level1-domaincontroller @@ -723,21 +684,17 @@ win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" register: rule_17_9_5_audit changed_when: no - ignore_errors: yes + failed_when: false - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable changed_when: "'Success' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Success' not in rule_17_9_5_audit.stdout" + when: "'Success' not in rule_17_9_5_audit.stdout" - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable changed_when: "'Failure' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Failure' not in rule_17_9_5_audit.stdout" + when: "'Failure' not in rule_17_9_5_audit.stdout" when: rule_17_9_5 tags: - level1-domaincontroller diff --git a/tasks/section18.yml b/tasks/section18.yml index f18be32..d0efd88 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -67,7 +67,7 @@ changed_when: no ignore_errors: yes - - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only) + - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" command: "echo true" when: - is_implemented @@ -448,22 +448,6 @@ - rule_18.4.12 - patch - -# - name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters -# name: NodeType -# data: 2 -# type: dword -# when: -# - rule_18_5_4_1 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_18.5.4.1 -# - patch - - name: "SCORED | 18.5.4.1 | PATCH | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient 
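Review bot: The quote fix on the 18.2.1 title (hunk `@@ -67,7 +67,7 @@`, section18.yml) leaves a task whose body is `command: "echo true"`, so the LAPS AdmPwd CSE check reports changed on every run and verifies nothing; the `is_implemented` gate suggests this is a known placeholder, but nothing in the file says so. A comment such as `# TODO 18.2.1: placeholder — does not verify that the LAPS AdmPwd GPO Extension is installed` above the task, or `changed_when: false` on it, would stop it being read as an implemented control in the run summary. The enclosing block starts before this hunk.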
@@ -628,15 +612,15 @@ - rule_18.5.11.4 - patch -- name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'" +- name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares'" block: - - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Set NETLOGON" + - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set NETLOGON" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\NETLOGON" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string - - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Set SYSVOL" + - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set SYSVOL" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\SYSVOL" @@ -1067,7 +1051,7 @@ - rule_18.8.22.1.8 - patch -- name: "SCORED | 18.8.22.1.9 | PATCH | (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'" +- name: "SCORED | 18.8.22.1.9 | PATCH | (L2) Ensure 'Turn off the Order Prints picture task' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoOnlinePrintsWizard 
@@ -1080,7 +1064,7 @@ - rule_18.8.22.1.9 - patch -- name: "SCORED | 18.8.22.1.10 | PATCH | (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'" +- name: "SCORED | 18.8.22.1.10 | PATCH | (L2) Ensure 'Turn off the Publish to Web task for files and folders' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoPublishingWizard @@ -1268,19 +1252,6 @@ - rule_18.8.28.7 - patch -# - name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions -# name: MitigationOptions_FontBocking -# data: 0 -# type: dword -# when: rule_18_8_28_1 -# tags: -# - level1 -# - level2 -# - rule_18.8.28.1 -# - patch - - name: "SCORED | 18.8.34.6.1 | PATCH | (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 @@ -1635,19 +1606,6 @@ - rule_18.9.16.3 - patch -# - name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection -# name: DoNotShowFeedbackNotifications -# data: 1 -# type: dword -# when: rule_18_9_16_4 -# tags: -# - level1 -# - level2 -# - rule_18.9.16.4 -# - patch - - name: "SCORED | 18.9.16.4 | PATCH | (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds 
@@ -1976,7 +1934,7 @@ - name: "SCORED | 18.9.59.3.9.4 | PATCH | (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" win_regedit: - patch: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services name: UserAuthentication data: 1 type: dword @@ -2001,32 +1959,6 @@ - rule_18.9.59.3.9.5 - patch -# - name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services -# name: fEncryptRPCTraffic -# data: 1 -# type: dword -# when: rule_18_9_58_3_9_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.9.2 -# - patch - -# - name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services -# name: MinEncryptionLevel -# data: 3 -# type: dword -# when: rule_18_9_58_3_9_3 -# tags: -# - level1 -# - level2 -# - rule_18.9.58.3.9.3 -# - patch - - name: "SCORED | 18.9.59.3.10.1 | PATCH | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 
@@ -2209,44 +2141,6 @@ - rule_18.9.77.10.2 - patch -# - name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR -# name: ExploitGuard_ASR_Rules -# data: 1 -# type: dword -# when: rule_18_9_76_13_1_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.76.13.1.1 -# - patch - -# - name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules -# name: "{{ item }}" -# data: 1 -# type: string # aka REG_SZ -# loop: -# - 26190899-1602-49e8-8b27-eb1d0a1ce869 -# - 3b576869-a4ec-4529-8536-b80a7769e899 -# - 5beb7efe-fd9a-4556-801d-275e5ffc04cc -# - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 -# - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -# - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -# - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -# - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -# - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 -# - d3e037e1-3eb8-44c8-a917-57927947596d -# - d4f940ab-401b-4efc-aadc-ad5f3c50688a -# when: rule_18_9_76_13_1_2 -# tags: -# - level1 -# - level2 -# - rule_18.9.76.13.1.2 -# - patch - - name: "SCORED | 18.9.77.13.3.1 | PATCH | (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection 
@@ -2287,19 +2181,6 @@ - rule_18.9.77.15 - patch -# - name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection -# name: DisallowExploitProtectionOverride -# data: 1 -# type: dword -# when: rule_18_9_79_1_1 -# tags: -# - level1 -# - level2 -# - rule_18.9.79.1.1 -# - patch - - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" block: - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | EnableSmartScreen" @@ -2432,7 +2313,9 @@ name: AllowBasic data: 0 type: dword - when: rule_18_9_97_1_1 + when: + - rule_18_9_97_1_1 + - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver @@ -2445,7 +2328,9 @@ name: AllowUnencryptedTraffic data: 0 type: dword - when: rule_18_9_97_1_2 + when: + - rule_18_9_97_1_2 + - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver @@ -2471,7 +2356,9 @@ name: AllowBasic data: 0 type: dword - when: rule_18_9_97_2_1 + when: + - rule_18_9_97_2_1 + - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver @@ -2483,11 +2370,11 @@ win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig - data: 1 + data: 0 type: dword when: - rule_18_9_97_2_2 - - is_implemented + - not win_skip_for_test tags: - level2-domaincontroller - level2-memberserver @@ -2500,7 +2387,9 @@ name: AllowUnencryptedTraffic data: 0 type: dword - when: rule_18_9_97_2_3 + when: + - rule_18_9_97_2_3 + - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver 
@@ -2513,7 +2402,9 @@ name: DisableRunAs data: 1 type: dword - when: rule_18_9_97_2_4 + when: + - rule_18_9_97_2_4 + # - not win_skip_for_test tags: - level1-domaincontroller - level1-memberserver @@ -2525,11 +2416,12 @@ win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs name: AllowRemoteShellAccess - data: 1 + data: 0 type: dword when: - rule_18_9_98_1 - is_implemented + - not win_skip_for_test tags: - level2-domaincontroller - level2-memberserver From 86fa8b10cdb346589a8f0bfff25acadde32b28e1 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Fri, 5 Feb 2021 14:56:08 -0500 Subject: [PATCH 12/12] Finalized updates for version 1.2.0 Signed-off-by: George Nalen --- tasks/old_section01.yml | 194 --- tasks/old_section02.yml | 1549 ------------------------ tasks/old_section17.yml | 765 ------------ tasks/old_section18.yml | 2553 --------------------------------------- 4 files changed, 5061 deletions(-) delete mode 100644 tasks/old_section01.yml delete mode 100644 tasks/old_section02.yml delete mode 100644 tasks/old_section17.yml delete mode 100644 tasks/old_section18.yml diff --git a/tasks/old_section01.yml b/tasks/old_section01.yml deleted file mode 100644 index 214e782..0000000 --- a/tasks/old_section01.yml +++ /dev/null 
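Review bot: In hunk `@@ -2513,7 +2402,9 @@` (section18.yml) the 18.9.97.2.4 `when` list ends with a commented-out `# - not win_skip_for_test`, which leaves the reader unsure whether DisableRunAs is meant to apply during test runs or the gate was simply forgotten; either delete the line or replace it with a comment stating the reason, e.g. `# deliberately not gated on win_skip_for_test — <reason>`. The next hunk, `@@ -2525,11 +2416,12 @@`, keeps `- is_implemented` on 18.9.98.1 while the identical edit to 18.9.97.2.2 earlier on this page dropped it; if both are level 2 WinRM/WinRS controls with the same effect on the management session, the two gates should match, or the difference should be commented.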
@@ -1,194 +0,0 @@ ---- -# - name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' -# assert: -# that: passwordhistorysize | int is version('24', '>=') -# fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" -# register: result -# changed_when: no -# ignore_errors: yes -# when: rule_1_1_1 -# tags: -# - level1 -# - rule_1.1.1 -# - audit - -# - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" -# win_security_policy: -# section: System Access -# key: PasswordHistorySize -# value: "{{ passwordhistorysize }}" -# when: rule_1_1_1 -# tags: -# - level1 -# - level2 -# - rule_1.1.1 -# - patch - -# - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" -# assert: -# that: maximumpasswordage | int is version('60', '<=') -# fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" -# register: result -# changed_when: no -# ignore_errors: yes -# when: rule_1_1_2 -# tags: -# - level1 -# - level2 -# - rule_1.1.2 -# - audit - -# - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" -# win_security_policy: -# section: System Access -# key: MaximumPasswordAge -# value: "{{ maximumpasswordage }}" -# when: rule_1_1_2 -# tags: -# - level1 -# - level2 -# - rule_1.1.2 -# - patch - -# - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" -# assert: -# that: minimumpasswordage is version('1', '>=') -# fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" -# register: result -# changed_when: no -# ignore_errors: yes -# when: rule_1_1_3 -# tags: -# - level1 -# - level2 -# - rule_1.1.3 -# - audit - -# - name: 
"SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" -# win_security_policy: -# section: System Access -# key: MinimumPasswordAge -# value: "{{ minimumpasswordage }}" -# when: rule_1_1_3 -# tags: -# - level1 -# - level2 -# - rule_1.1.3 -# - patch - -# - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" -# assert: -# that: minimumpasswordlength is version('14', '>=') -# fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" -# register: result -# changed_when: no -# ignore_errors: yes -# when: rule_1_1_4 -# tags: -# - level1 -# - level2 -# - rule_1.1.4 -# - audit - -# - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" -# win_security_policy: -# section: System Access -# key: MinimumPasswordLength -# value: "{{ minimumpasswordlength }}" -# when: rule_1_1_4 -# tags: -# - level1 -# - level2 -# - rule_1.1.4 -# - patch - -# - name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" -# win_security_policy: -# section: System Access -# key: PasswordComplexity -# value: 1 -# when: rule_1_1_5 -# tags: -# - level1 -# - level2 -# - rule_1.1.5 -# - patch - -# - name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" -# win_security_policy: -# section: System Access -# key: ClearTextPassword -# value: "0" -# when: rule_1_1_6 -# tags: -# - level1 -# - level2 -# - rule_1.1.6 -# - patch - -# - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" -# assert: -# that: lockoutduration | int is version('15', '<=') -# fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" -# register: result -# 
changed_when: no -# ignore_errors: yes -# when: rule_1_2_1 -# tags: -# - level1 -# - level2 -# - rule_1.2.1 -# - audit - -# - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" -# win_security_policy: -# section: System Access -# key: LockoutDuration -# value: "{{ lockoutduration }}" -# when: -# - rule_1_2_1 -# - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp -# tags: -# - level1 -# - level2 -# - rule_1.2.1 -# - patch - -# #This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -# - name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" -# win_security_policy: -# section: System Access -# key: LockoutBadCount -# value: "{{ lockoutbadcount }}" -# when: rule_1_2_2 -# tags: -# - level1 -# - level2 -# - rule_1.2.2 -# - patch - -# - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" -# assert: -# that: resetlockoutcount | int is version('15', '>=') -# fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" -# register: result -# changed_when: no -# ignore_errors: yes -# when: rule_1_2_3 -# tags: -# - level1 -# - level2 -# - rule_1.2.3 -# - audit - -# - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" -# win_security_policy: -# section: System Access -# key: ResetLockoutCount -# value: "{{ resetlockoutcount }}" -# when: rule_1_2_3 -# tags: -# - level1 -# - level2 -# - rule_1.2.3 -# - patch diff --git a/tasks/old_section02.yml b/tasks/old_section02.yml deleted file mode 100644 index c9ad642..0000000 --- a/tasks/old_section02.yml +++ /dev/null 
@@ -1,1549 +0,0 @@ ---- -# - name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" -# win_user_right: -# name: SeTrustedCredManAccessPrivilege -# users: -# action: set -# when: rule_2_2_1 -# tags: -# - level1 -# - level2 -# - rule_2.2.1 -# - patch - -# - name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" -# win_user_right: -# name: SeNetworkLogonRight -# users: -# - Administrators -# - Authenticated Users -# action: set -# when: -# - rule_2_2_2 or rule_2_2_3 -# tags: -# - rule_2.2.2 -# - rule_2.2.3 -# - patch - -# - name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" -# win_user_right: -# name: SeTcbPrivilege -# users: -# action: set -# when: rule_2_2_4 -# tags: -# - level1 -# - level2 -# - rule_2.2.4 -# - patch - -# - name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" -# win_user_right: -# name: SeMachineAccountPrivilege -# users: Administrators -# action: set -# when: -# - rule_2_2_5 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.5 -# - patch - -# - name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" -# win_user_right: -# name: SeIncreaseQuotaPrivilege -# users: -# - Administrators -# - Local Service -# - Network Service -# action: set -# when: rule_2_2_6 -# tags: -# - level1 -# - level2 -# - rule_2.2.6 -# - patch - -# - name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" -# win_user_right: -# name: SeInteractiveLogonRight -# users: -# - Administrators -# action: set -# when: rule_2_2_7 -# tags: -# - level1 -# - level2 -# - rule_2.2.7 -# - patch - -# - name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop 
Services is set to Administrators DC only" -# win_user_right: -# name: SeRemoteInteractiveLogonRight -# users: -# - Administrators -# - Remote Desktop Users -# action: set -# when: -# - rule_2_2_8 or rule_2_2_9 -# tags: -# - rule_2.2.8 -# - rule_2.2.9 -# - patch - -# - name: "SCORED | 2.2.10 | PATCH | L1 Ensure Back up files and directories is set to Administrators" -# win_user_right: -# name: SeBackupPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_10 -# tags: -# - level1 -# - level2 -# - rule_2.2.10 -# - patch - -# - name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" -# win_user_right: -# name: SeSystemTimePrivilege -# users: -# - Administrators -# - Local Service -# action: set -# when: rule_2_2_11 -# tags: -# - level1 -# - level2 -# - rule_2.2.11 -# - patch - -# - name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" -# win_user_right: -# name: SeTimeZonePrivilege -# users: -# - Administrators -# - Local Service -# action: set -# when: rule_2_2_12 -# tags: -# - level1 -# - level2 -# - rule_2.2.12 -# - patch - -# - name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" -# win_user_right: -# name: SeCreatePagefilePrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_13 -# tags: -# - level1 -# - level2 -# - rule_2.2.13 -# - patch - -# - name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" -# win_user_right: -# name: SeCreateTokenPrivilege -# users: -# action: set -# when: rule_2_2_14 -# tags: -# - level1 -# - level2 -# - rule_2.2.14 -# - patch - -# - name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" -# win_user_right: -# name: SeCreateGlobalPrivilege -# users: -# - Administrators -# - Local Service -# - Network Service -# - Service -# action: set -# when: rule_2_2_15 -# tags: -# - 
level1 -# - level2 -# - rule_2.2.15 -# - patch - -# - name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" -# win_user_right: -# name: SeCreatePermanentPrivilege -# users: -# action: set -# when: rule_2_2_16 -# tags: -# - level1 -# - level2 -# - rule_2.2.16 -# - patch - -# - name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" -# win_user_right: -# name: SeCreateSymbolicLinkPrivilege -# users: -# - Administrators -# action: set -# when: -# - rule_2_2_17 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.17 -# - patch - -# - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" -# win_user_right: -# name: SeCreateSymbolicLinkPrivilege -# users: -# - Administrators -# - NT VIRTUAL MACHINE\Virtual Machines -# action: set -# when: -# - rule_2_2_18 -# - ansible_windows_domain_role == "Member server" -# tags: -# - level1 -# - level2 -# - rule_2.2.18 -# - patch - -# - name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" -# win_user_right: -# name: SeDebugPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_19 -# tags: -# - level1 -# - level2 -# - rule_2.2.19 -# - patch - -# #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes -# - name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" -# win_user_right: -# name: SeDenyNetworkLogonRight -# users: -# - Guests -# action: set -# when: -# - rule_2_2_20 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.20 -# - patch - -# - name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" -# win_user_right: -# 
name: SeDenyNetworkLogonRight -# users: -# - Guests -# #- Local Account -# #- Administrators -# action: set -# when: -# - rule_2_2_21 -# - ansible_windows_domain_member -# tags: -# - level1 -# - level2 -# - rule_2.2.21 -# - patch - -# - name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" -# win_user_right: -# name: SeDenyBatchLogonRight -# users: -# - Guests -# action: set -# when: rule_2_2_22 -# tags: -# - level1 -# - level2 -# - rule_2.2.22 -# - patch - -# - name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" -# win_user_right: -# name: SeDenyServiceLogonRight -# users: -# - Guests -# action: set -# when: rule_2_2_23 -# tags: -# - level1 -# - level2 -# - rule_2.2.23 -# - patch - -# - name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" -# win_user_right: -# name: SeDenyInteractiveLogonRight -# users: -# - Guests -# action: set -# when: rule_2_2_24 -# tags: -# - level1 -# - level2 -# - rule_2.2.24 -# - patch - -# - name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" -# win_user_right: -# name: SeDenyRemoteInteractiveLogonRight -# users: -# - Guests -# #- Local Account -# action: set -# when: -# - rule_2_2_25 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.25 -# - patch - -# - name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" -# win_user_right: -# name: SeDenyRemoteInteractiveLogonRight -# users: -# - Guests -# #- Local Account -# action: set -# when: -# - rule_2_2_26 -# - ansible_windows_domain_member -# tags: -# - level1 -# - level2 -# - rule_2.2.26 -# - patch - -# - name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" -# win_user_right: -# name: SeEnableDelegationPrivilege -# users: Administrators -# 
action: set -# when: -# - rule_2_2_27 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.27 -# - patch - -# - name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" -# win_user_right: -# name: SeEnableDelegationPrivilege -# users: -# action: set -# when: -# - rule_2_2_28 -# - ansible_windows_domain_member -# tags: -# - level1 -# - level2 -# - rule_2.2.28 -# - patch - -# - name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" -# win_user_right: -# name: SeRemoteShutdownPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_29 -# tags: -# - level1 -# - level2 -# - rule_2.2.29 -# - patch - -# - name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" -# win_user_right: -# name: SeAuditPrivilege -# users: -# - Local Service -# - Network Service -# action: set -# when: rule_2_2_30 -# tags: -# - level1 -# - level2 -# - rule_2.2.30 -# - patch - -# - name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" -# win_user_right: -# name: SeImpersonatePrivilege -# users: -# - Administrators -# - Local Service -# - Network Service -# - Service -# action: set -# when: -# - rule_2_2_31 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.31 -# - patch - -# - name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" -# win_user_right: -# name: SeImpersonatePrivilege -# users: -# - Administrators -# - IIS_IUSRS -# - Local Service -# - Network Service -# - Service -# action: set -# when: -# - rule_2_2_32 -# - ansible_windows_domain_member 
-# tags: -# - level1 -# - level2 -# - rule_2.2.32 -# - patch - -# - name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators" -# win_user_right: -# name: SeIncreaseBasePriorityPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_33 -# tags: -# - level1 -# - level2 -# - rule_2.2.33 -# - patch - -# - name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" -# win_user_right: -# name: SeLoadDriverPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_34 -# tags: -# - level1 -# - level2 -# - rule_2.2.34 -# - patch - -# - name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" -# win_user_right: -# name: SeLockMemoryPrivilege -# users: -# action: set -# when: rule_2_2_35 -# tags: -# - level1 -# - level2 -# - rule_2.2.35 -# - patch - -# - name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" -# win_user_right: -# name: SeBatchLogonRight -# users: Administrators -# action: set -# when: -# - rule_2_2_36 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.36 -# - patch - -# - name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" -# win_user_right: -# name: SeSecurityPrivilege -# users: -# - Administrators -# action: set -# when: -# - rule_2_2_37 or rule_2_2_38 -# tags: -# - rule_2.2.37 -# - rule_2.2.38 -# - patch - -# - name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" -# win_user_right: -# name: SeReLabelPrivilege -# users: -# action: set -# when: rule_2_2_39 -# tags: -# - level1 -# - level2 -# - rule_2.2.39 -# - patch - -# - name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" -# win_user_right: -# name: SeSystemEnvironmentPrivilege -# 
users: -# - Administrators -# action: set -# when: rule_2_2_40 -# tags: -# - level1 -# - level2 -# - rule_2.2.40 -# - patch - -# - name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" -# win_user_right: -# name: SeManageVolumePrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_41 -# tags: -# - level1 -# - level2 -# - rule_2.2.41 -# - patch - -# - name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" -# win_user_right: -# name: SeProfileSingleProcessPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_42 -# tags: -# - level1 -# - level2 -# - rule_2.2.42 -# - patch - -# - name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" -# win_user_right: -# name: SeSystemProfilePrivilege -# users: -# - Administrators -# - NT SERVICE\WdiServiceHost -# action: set -# when: rule_2_2_43 -# tags: -# - level1 -# - level2 -# - rule_2.2.43 -# - patch - -# - name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" -# win_user_right: -# name: SeAssignPrimaryTokenPrivilege -# users: -# - LOCAL SERVICE -# - NETWORK SERVICE -# action: set -# when: rule_2_2_44 -# tags: -# - level1 -# - level2 -# - rule_2.2.44 -# - patch - -# - name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" -# win_user_right: -# name: SeRestorePrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_45 -# tags: -# - level1 -# - level2 -# - rule_2.2.45 -# - patch - -# - name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" -# win_user_right: -# name: SeShutdownPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_46 -# tags: -# - level1 -# - level2 -# - rule_2.2.46 -# - patch - -# - name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data 
is set to No One DC only" -# win_user_right: -# name: SeSyncAgentPrivilege -# users: -# action: set -# when: -# - rule_2_2_47 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.47 -# - patch - -# - name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" -# win_user_right: -# name: SeTakeOwnershipPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_48 -# tags: -# - level1 -# - level2 -# - rule_2.2.48 -# - patch - -# - name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" -# win_security_policy: -# section: System Access -# key: EnableAdminAccount -# value: 0 -# when: -# - rule_2_3_1_1 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.1.1 -# - patch - -# - name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: NoConnectedUser -# data: 3 -# type: dword -# when: rule_2_3_1_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.2 -# - patch - -# - name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" -# win_security_policy: -# section: System Access -# key: EnableGuestAccount -# value: 0 -# when: rule_2_3_1_3 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.3 -# - patch - -# - name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Lsa -# name: LimitBlankPasswordUse -# data: 1 -# type: dword -# when: rule_2_3_1_4 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.4 -# - patch - -# - name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" -# 
win_security_policy: -# section: System Access -# key: newadministratorname -# value: GeorgeSharp -# when: rule_2_3_1_5 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.5 -# - patch - -# - name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account" -# win_security_policy: -# section: System Access -# key: NewGuestName -# value: BobCooper -# when: rule_2_3_1_6 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.6 -# - patch - -# - name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Lsa -# name: SCENoApplyLegacyAuditPolicy -# data: 1 -# type: dword -# when: rule_2_3_2_1 -# tags: -# - level1 -# - level2 -# - rule_2.3.2.1 -# - patch - -# - name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Lsa -# name: CrashOnAuditFail -# data: 0 -# type: dword -# when: rule_2_3_2_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.2.2 -# - patch - -# - name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: AllocateDASD -# data: 0 -# type: string -# when: rule_2_3_4_1 -# tags: -# - level1 -# - level2 -# - rule_2.3.4.1 -# - patch - -# - name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers -# name: AddPrinterDrivers -# data: 1 -# type: dword -# when: rule_2_3_4_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.4.2 -# - patch - -# - name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to 
schedule tasks is set to Disabled DC only" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Control\Lsa -# name: SubmitControl -# data: 0 -# type: dword -# when: -# - rule_2_3_5_1 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.3.5.1 -# - patch - -# - name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters -# name: LDAPServerIntegrity -# data: 2 -# type: dword -# when: -# - rule_2_3_5_2 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.3.5.2 -# - patch - -# - name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters -# name: RefusePasswordChange -# data: 0 -# type: dword -# when: -# - rule_2_3_5_3 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.3.5.3 -# - patch - -# - name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: RequireSignOrSeal -# data: 1 -# type: dword -# when: -# - rule_2_3_6_1 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.1 -# - patch - -# - name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: sealsecurechannel -# data: 1 -# type: dword -# when: -# - rule_2_3_6_2 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.2 -# - patch - -# - name: "SCORED | 2.3.6.3 | PATCH 
| L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: signsecurechannel -# data: 1 -# type: dword -# when: -# - rule_2_3_6_3 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.3 -# - patch - -# - name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: disablepasswordchange -# data: 1 -# type: dword -# when: -# - rule_2_3_6_4 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.4 -# - patch - -# - name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: MaximumPasswordAge -# data: 30 -# type: dword -# when: -# - rule_2_3_6_5 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.5 -# - patch - -# - name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: RequireStrongKey -# data: 1 -# type: dword -# when: -# - rule_2_3_6_6 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.6 -# - patch - -# - name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: DontDisplayLastUserName -# data: 1 -# type: dword -# when: rule_2_3_7_1 -# tags: -# - level1 -# - level2 -# 
- rule_2.3.7.1 -# - patch - -# - name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: DisableCAD -# data: 0 -# type: dword -# when: rule_2_3_7_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.2 -# - patch - -# - name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: InactivityTimeoutSecs -# data: 900 -# type: dword -# when: rule_2_3_7_3 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.3 -# - patch - -# - name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: LegalNoticeText -# data: "{{ legalnoticetext }}" -# type: string -# when: rule_2_3_7_4 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.4 -# - patch - -# - name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: LegalNoticeCaption -# data: "{{ legalnoticecaption }}" -# type: string -# when: rule_2_3_7_5 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.5 -# - patch - -# - name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: cachedlogonscount -# data: 1 -# type: string -# when: rule_2_3_7_6 -# tags: -# - level2 -# - rule_2.3.7.6 -# - patch - -# - name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 
14 days"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
-# name: PasswordExpiryWarning
-# data: 14
-# type: dword
-# when: rule_2_3_7_7
-# tags:
-# - level1
-# - level2
-# - rule_2.3.7.7
-# - patch
-
-# - name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
-# name: ForceUnlockLogon
-# data: 1
-# type: dword
-# when:
-# - rule_2_3_7_8
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.7.8
-# - patch
-
-# - name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
-# name: scremoveoption
-# data: 1
-# type: string
-# when: rule_2_3_7_9
-# tags:
-# - level1
-# - level2
-# - rule_2.3.7.9
-# - patch
-
-# - name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
-# name: RequireSecuritySignature
-# data: 1
-# type: dword
-# when: rule_2_3_8_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.8.1
-# - patch
-
-# - name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
-# name: EnableSecuritySignature
-# data: 1
-# type: dword
-# when: rule_2_3_8_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.8.2
-# - patch
-
-# - name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
-# name: EnablePlainTextPassword
-# data: 0
-# type: dword
-# when: rule_2_3_8_3
-# tags:
-# - level1
-# - level2
-# - rule_2.3.8.3
-# - patch
-
-# - name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: autodisconnect
-# data: 15
-# type: dword
-# when: rule_2_3_9_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.1
-# - patch
-
-# - name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: requiresecuritysignature
-# data: 1
-# type: dword
-# when: rule_2_3_9_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.2
-# - patch
-
-# - name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: enablesecuritysignature
-# data: 1
-# type: dword
-# when: rule_2_3_9_3
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.3
-# - patch
-
-# - name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: enableforcedlogoff
-# data: 1
-# type: dword
-# when: rule_2_3_9_4
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.4
-# - patch
-
-# - name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: SMBServerNameHardeningLevel
-# data: 1
-# type: dword
-# when:
-# - rule_2_3_9_5
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.5
-# - patch
-
-# - name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled"
-# win_security_policy:
-# section: System Access
-# key: LSAAnonymousNameLookup
-# value: 0
-# when: rule_2_3_10_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.1
-# - patch
-
-# - name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: RestrictAnonymousSAM
-# data: 1
-# type: dword
-# when:
-# - rule_2_3_10_2
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.2
-# - patch
-
-# - name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: RestrictAnonymous
-# data: 1
-# type: dword
-# when:
-# - rule_2_3_10_3
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.3
-# - patch
-
-# - name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: DisableDomainCreds
-# data: 1
-# type: dword
-# when: rule_2_3_10_4
-# tags:
-# - level2
-# - rule_2.3.10.4
-# - patch
-
-# - name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: EveryoneIncludesAnonymous
-# data: 0
-# type: dword
-# when: rule_2_3_10_5
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.5
-# - patch
-
-# - name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: NullSessionPipes
-# data: ""
-# type: multistring
-# when:
-# - rule_2_3_10_6
-# - ansible_windows_domain_role == "Primary domain controller"
-# tags:
-# - rule_2.3.10.6
-# - patch
-
-# - name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: NullSessionPipes
-# data: ""
-# type: multistring
-# when:
-# - rule_2_3_10_7
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.7
-# - patch
-
-# - name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths
-# name: "Machine"
-# data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion']
-# type: multistring
-# when: rule_2_3_10_8
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.8
-# - patch
-
-# - name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
-# name: "Machine"
-# data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
-# type: multistring
-# when: rule_2_3_10_9
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.9
-# - patch
-
-# - name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: RestrictNullSessAccess
-# data: 1
-# type: dword
-# when: rule_2_3_10_10
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.10
-# - patch
-
-# - name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only"
-# win_regedit:
-# path: HKLM:\System\CurrentControlSet\Control\Lsa
-# name: RestrictRemoteSAM
-# data: "O:BAG:BAD:(A;;RC;;;BA)"
-# type: string
-# when: rule_2_3_10_11
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.11
-# - patch
-
-# - name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: NullSessionShares
-# data: ""
-# type: multistring
-# when: rule_2_3_10_12
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.12
-# - patch
-
-# - name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: ForceGuest
-# data: 0
-# type: dword
-# when: rule_2_3_10_13
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.13
-# - patch
-
-# - name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: UseMachineId
-# data: 1
-# type: dword
-# when: rule_2_3_11_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.1
-# - patch
-
-# - name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
-# name: allownullsessionfallback
-# data: 0
-# type: dword
-# when: rule_2_3_11_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.2
-# - patch
-
-# - name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
-# name: AllowOnlineID
-# data: 0
-# type: dword
-# when: rule_2_3_11_3
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.3
-# - patch
-
-# - name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
-# name: SupportedEncryptionTypes
-# data: 2147483644
-# type: dword
-# when: rule_2_3_11_4
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.4
-# - patch
-
-# - name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: NoLMHash
-# data: 1
-# type: dword
-# when: rule_2_3_11_5
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.5
-# - patch
-
-# - name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
-# name: EnableForcedLogOff
-# data: 1
-# type: dword
-# when: rule_2_3_11_6
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.6
-# - patch
-
-# - name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: LMCompatibilityLevel
-# data: 5
-# type: dword
-# when: rule_2_3_11_7
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.7
-# - patch
-
-# - name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Ldap
-# name: LDAPClientIntegrity
-# data: 1
-# type: dword
-# when: rule_2_3_11_8
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.8
-# - patch
-
-# - name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
-# name: NTLMMinClientSec
-# data: 537395200
-# type: dword
-# when: rule_2_3_11_9
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.9
-# - patch
-
-# - name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
-# name: NTLMMinServerSec
-# data: 537395200
-# type: dword
-# when: rule_2_3_11_10
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.10
-# - patch
-
-# - name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: ShutdownWithoutLogon
-# data: 0
-# type: dword
-# when: rule_2_3_13_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.13.1
-# - patch
-
-# - name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel
-# name: ObCaseInsensitive
-# data: 1
-# type: dword
-# when: rule_2_3_15_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.15.1
-# - patch
-
-# - name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Session Manager
-# name: ProtectionMode
-# data: 1
-# type: dword
-# when: rule_2_3_15_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.15.2
-# - patch
-
-# - name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: FilterAdministratorToken
-# data: 1
-# type: dword
-# when: rule_2_3_17_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.1
-# - patch
-
-# - name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableUIADesktopToggle
-# data: 0
-# type: dword
-# when: rule_2_3_17_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.2
-# - patch
-
-# - name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: ConsentPromptBehaviorAdmin
-# data: 2
-# type: dword
-# when: rule_2_3_17_3
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.3
-# - patch
-
-# - name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: ConsentPromptBehaviorUser
-# data: 0
-# type: dword
-# when: rule_2_3_17_4
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.4
-# - patch
-
-# - name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableInstallerDetection
-# data: 1
-# type: dword
-# when: rule_2_3_17_5
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.5
-# - patch
-
-# - name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableSecureUIAPaths
-# data: 1
-# type: dword
-# when: rule_2_3_17_6
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.6
-# - patch
-
-# - name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableLUA
-# data: 1
-# type: dword
-# when: rule_2_3_17_7
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.7
-# - patch
-
-# - name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: PromptOnSecureDesktop
-# data: 1
-# type: dword
-# when: rule_2_3_17_8
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.8
-# - patch
-
-# - name: "SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableVirtualization
-# data: 1
-# type: dword
-# when: rule_2_3_17_9
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.9
-# - patch
diff --git a/tasks/old_section17.yml b/tasks/old_section17.yml
deleted file mode 100644
index ab2d25b..0000000
--- a/tasks/old_section17.yml
+++ /dev/null
@@ -1,765 +0,0 @@ ---- -- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_1_1 - tags: - - level1 - - level2 - - rule_17.1.1 - - audit - -- name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure" - block: - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable - when: "'Success' not in rule_17_1_1_audit.stdout" - changed_when: "'Success' not in rule_17_1_1_audit.stdout" - - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable - when: "'Failure' not in rule_17_1_1_audit.stdout" - changed_when: "'Failure' not in rule_17_1_1_audit.stdout" - when: - - rule_17_1_1 - - rule_17_1_1_audit is defined - - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_1_1_audit.stdout" - tags: - - level1 - - level2 - - rule_17.1.1 - - patch - -- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_1 - tags: - - level1 - - level2 - - rule_17.2.1 - - audit - -- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure" - block: - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" 
- win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable - when: "'Success' not in rule_17_2_1_audit.stdout" - changed_when: "'Success' not in rule_17_2_1_audit.stdout" - - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable - when: "'Failure' not in rule_17_2_1_audit.stdout" - changed_when: "'Failure' not in rule_17_2_1_audit.stdout" - when: - - rule_17_2_1 - - rule_17_2_1_audit is defined - - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_1_audit.stdout" - tags: - - level1 - - level2 - - rule_17.2.1 - - patch - -- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_17.2.2 - - audit - -- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable - when: - - rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_2_audit is defined - - "'Success' not in rule_17_2_2_audit.stdout" - changed_when: "'Success' not in rule_17_2_2_audit.stdout" - tags: - - level1 - - level2 - - rule_17.2.2 - - patch - -- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_3_audit - changed_when: no - 
ignore_errors: yes - when: - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_3 - tags: - - rule_17.2.3 - - audit - -- name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable - when: - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_3 - - rule_17_2_3_audit is defined - - "'Success' not in rule_17_2_3_audit.stdout" - changed_when: "'Success' not in rule_17_2_3_audit.stdout" - tags: - - rule_17.2.3 - - patch - -- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_4 - tags: - - level1 - - level2 - - rule_17.2.4 - - audit - -- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable - when: - - rule_17_2_4 - - rule_17_2_4_audit is defined - - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_4_audit.stdout" - changed_when: "'Success' not in rule_17_2_4_audit.stdout" - tags: - - level1 - - level2 - - rule_17.2.4 - - patch - -- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_5 - tags: - - level1 - - level2 - - rule_17.2.5 - - audit - -- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to Success and 
Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable - when: - - rule_17_2_5 - - rule_17_2_5_audit is defined - - "'Success' not in rule_17_2_5_audit.stdout" - tags: - - level1 - - level2 - - rule_17.2.5 - - patch - -- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_6 - tags: - - level1 - - level2 - - rule_17.2.6 - - audit - -- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure" - block: - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable - when: "'Success' not in rule_17_2_6_audit.stdout" - changed_when: "'Success' not in rule_17_2_6_audit.stdout" - - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable - when: "'Failure' not in rule_17_2_6_audit.stdout" - changed_when: "'Failure' not in rule_17_2_6_audit.stdout" - when: - - rule_17_2_6 - - rule_17_2_6_audit is defined - tags: - - level1 - - level2 - - rule_17.2.6 - - patch - -- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to Success" - win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_1 - tags: - - level1 - - level2 - - rule_17.3.1 - - audit - -- name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to Success" - win_shell: AuditPol /set /subcategory:"Plug and Play 
Events" /success:enable - changed_when: "'Success' not in rule_17_3_1_audit.stdout" - when: - - rule_17_3_1 - - rule_17_3_1_audit is defined - - "'Success' not in rule_17_3_1_audit.stdout" - tags: - - level1 - - level2 - - rule_17.3.1 - - patch - -- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to Success" - win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_2 - tags: - - level1 - - level2 - - rule_17.3.2 - - audit - -- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to Success" - win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - changed_when: "'Success' not in rule_17_3_2_audit.stdout" - when: - - rule_17_3_2 - - rule_17_3_2_audit is defined - - "'Success' not in rule_17_3_2_audit.stdout" - tags: - - level1 - - level2 - - rule_17.3.2 - - patch - -- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_4_1 - tags: - - rule_17.4.1 - - audit - -- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable - changed_when: "'Success' not in rule_17_4_1_audit.stdout" - when: - - rule_17_4_1 - - rule_17_4_1_audit is defined - - "'Success' not in rule_17_4_1_audit.stdout" - tags: - - rule_17.4.1 - - patch - -- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand 
"Inclusion Setting" - register: rule_17_4_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_17.4.2 - - audit - -- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - changed_when: "'Success' not in rule_17_4_2_audit.stdout" - when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - - rule_17_4_2_audit is defined - - "'Success' not in rule_17_4_2_audit.stdout" - tags: - - rule_17.4.2 - - patch - -- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_1 - tags: - - level1 - - level2 - - rule_17.5.1 - - audit - -- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable - changed_when: "'Failure' not in rule_17_5_1_audit.stdout" - when: - - rule_17_5_1 - - rule_17_5_1_audit is defined - - "'Failure' not in rule_17_5_1_audit.stdout" - tags: - - level1 - - level2 - - rule_17.5.1 - - patch - -- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to Success" - win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_2 - tags: - - level1 - - level2 - - rule_17.5.2 - - audit - -- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to Success" - win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - changed_when: "'Success' not 
in wn19_au_000170_audit.stdout" - when: - - rule_17_5_2 - - wn19_au_000170_audit is defined - - "'Success' not in wn19_au_000170_audit.stdout" - tags: - - level1 - - level2 - - rule_17.5.2 - - patch - -- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to Success" - win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_3 - tags: - - level1 - - level2 - - rule_17.5.3 - - audit - -- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to Success" - win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - changed_when: "'Success' not in rule_17_5_3_audit.stdout" - when: - - rule_17_5_3 - - rule_17_5_3_audit is defined - - "'Success' not in rule_17_5_3_audit.stdout" - tags: - - level1 - - level2 - - rule_17.5.3 - - patch - -- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - audit - -- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure" - block: - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Logon" /success:enable - changed_when: "'Success' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Logon" /failure:enable - changed_when: "'Failure' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - when: 
rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - patch - -- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_5_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_5_5 - tags: - - level1 - - level2 - - rule_17.5.5 - - audit - -- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" - block: - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable - changed_when: "'Success' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Success' not in rule_17_5_5_audit.stdout" - - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable - changed_when: "'Failure' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Failure' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5 - tags: - - level1 - - level2 - - rule_17.5.5 - - patch - -- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to Success" - win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_6 - tags: - - level1 - - level2 - - rule_17.5.6 - - audit - -- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to Success" - win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - changed_when: "'Success' not in rule_17_5_6_audit.stdout" - when: - - rule_17_5_6 - - rule_17_5_6_audit is defined - - 
"'Success' not in rule_17_5_6_audit.stdout" - tags: - - level1 - - level2 - - rule_17.5.6 - - patch - -- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure" - win_audit_policy_system: - subcategory: Other Object Access Events - audit_type: success, failure - when: rule_17_6_1 - tags: - - level1 - - level2 - - rule_17.6.1 - - patch - -- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_2 - tags: - - level1 - - level2 - - rule_17.6.2 - - audit - -- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - changed_when: "'Success' not in rule_17_6_2_audit.stdout" - when: - - rule_17_6_2 - - rule_17_6_2_audit is defined - - "'Success' not in rule_17_6_2_audit.stdout" - tags: - - level1 - - level2 - - rule_17.6.2 - - patch - -- name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_1 - tags: - - level1 - - level2 - - rule_17.7.1 - - audit - -- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_1_audit.stdout" - when: - - rule_17_7_1 - - rule_17_7_1_audit is defined - - "'Success' not in rule_17_7_1_audit.stdout" - tags: - - level1 - - level2 - - rule_17.7.1 - - patch - -- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit 
Authentication Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_2 - tags: - - level1 - - level2 - - rule_17.7.2 - - audit - -- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to Success" - win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_2_audit.stdout" - when: - - rule_17_7_2 - - rule_17_7_2_audit is defined - - "'Success' not in rule_17_7_2_audit.stdout" - tags: - - level1 - - level2 - - rule_17.7.2 - - patch - -- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_3 - tags: - - level1 - - level2 - - rule_17.7.3 - - audit - -- name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_3_audit.stdout" - when: - - rule_17_7_3 - - rule_17_7_3_audit is defined - - "'Success' not in rule_17_7_3_audit.stdout" - tags: - - level1 - - level2 - - rule_17.7.3 - - patch - -- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_8_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_8_1 - tags: - - level1 - - level2 - - rule_17.8.1 - - audit - -- name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is 
set to Success and Failure" - block: - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable - changed_when: "'Success' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Success' not in rule_17_8_1_audit.stdout" - - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable - changed_when: "'Failure' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Failure' not in rule_17_8_1_audit.stdout" - - when: rule_17_8_1 - tags: - - level1 - - level2 - - rule_17.8.1 - - patch - -- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_1 - tags: - - level1 - - level2 - - rule_17.9.1 - - audit - -- name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" - block: - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable - changed_when: "'Success' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Success' not in rule_17_9_1_audit.stdout" - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable - changed_when: "'Failure' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Failure' not in rule_17_9_1_audit.stdout" - - when: rule_17_9_1 - tags: - - level1 - - level2 - - 
rule_17.9.1 - - patch - -- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_2 - tags: - - level1 - - level2 - - rule_17.9.2 - - audit - -- name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" - block: - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable - changed_when: "'Success' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Success' not in rule_17_9_2_audit.stdout" - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable - changed_when: "'Failure' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Failure' not in rule_17_9_2_audit.stdout" - when: rule_17_9_2 - tags: - - level1 - - level2 - - rule_17.9.2 - - patch - -- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to Success" - win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_3 - tags: - - level1 - - level2 - - rule_17.9.3 - - audit - -- name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to Success" - win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - changed_when: "'Success' not in rule_17_9_3_audit.stdout" - when: - - rule_17_9_3 - - rule_17_9_3_audit is defined - - "'Success' not in rule_17_9_3_audit.stdout" - tags: - - 
level1 - - level2 - - rule_17.9.3 - - patch - -- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_4 - tags: - - level1 - - level2 - - rule_17.9.4 - - audit - -- name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - changed_when: "'Success' not in rule_17_9_4_audit.stdout" - when: - - rule_17_9_4 - - rule_17_9_4_audit is defined - - "'Success' not in rule_17_9_4_audit.stdout" - tags: - - level1 - - level2 - - rule_17.9.4 - - patch - -- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_5 - tags: - - level1 - - level2 - - rule_17.9.5 - - audit - -- name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure" - block: - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable - changed_when: "'Success' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Success' not in rule_17_9_5_audit.stdout" - - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable - changed_when: "'Failure' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Failure' not in 
rule_17_9_5_audit.stdout" - when: rule_17_9_5 - tags: - - level1 - - level2 - - rule_17.9.5 - - patch -
diff --git a/tasks/old_section18.yml b/tasks/old_section18.yml
deleted file mode 100644
index 98a58e8..0000000
--- a/tasks/old_section18.yml
+++ /dev/null
@@ -1,2553 +0,0 @@
---- -#one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server" -- name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenCamera - data: 1 - type: dword - when: rule_18_1_1_1 - tags: - - level1 - - level2 - - rule_18.1.1.1 - - patch - -- name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenSlideshow - data: 1 - type: dword - when: rule_18_1_1_2 - tags: - - level1 - - level2 - - rule_18.1.1.2 - - patch - -- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - audit - -- name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - patch - -- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - audit - -- name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - patch - -- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_1
- - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - - audit - -- name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - - patch - -- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - audit - -- name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - patch - -- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - - audit - -- name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - - patch - -- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - 
register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - - audit - -- name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - - patch - -- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - - audit - -- name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - - patch - -- name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - - audit - -- name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - - patch - -- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC 
restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - audit - -- name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - patch - -- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - audit - -- name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" - command: "echo true" - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - patch - -- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters - name: SMB1 - data: 0 - type: dword - state: present - notify: reboot_windows - when: rule_18_3_3 - tags: - - level1 - - level2 - - rule_18.3.3 - - patch - -- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel - name: DisableExceptionChainValidation - data: 1 - type: dword - state: present - when: rule_18_3_4 - tags: - - level1 - - level2 - - rule_18.3.4 - - patch - -- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted 
Applications is set to Enabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_5 - tags: - - level1 - - level2 - - rule_18.3.5 - - audit - -- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" - command: "echo true" - when: - - is_implemented - - rule_18_3_5 - tags: - - level1 - - level2 - - rule_18.3.5 - - patch - -- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest - state: present - value: UseLogonCredential - data: 0 - datatype: dword - when: rule_18_3_6 - tags: - - level1 - - level2 - - rule_18.3.6 - - patch - -- name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - state: present - value: AutoAdminLogon - data: 0 - datatype: dword - when: rule_18_4_1 - tags: - - level1 - - level2 - - rule_18.4.1 - - patch - -- name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters - state: present - value: DisableIPSourceRouting - data: 2 - datatype: dword - when: rule_18_4_2 - tags: - - level1 - - level2 - - rule_18.4.2 - - patch - -- name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: DisableIPSourceRouting - data: 2 - datatype: dword - 
when: rule_18_4_3 - tags: - - level1 - - level2 - - rule_18.4.3 - - patch - -- name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: EnableICMPRedirect - data: 0 - datatype: dword - when: rule_18_4_4 - tags: - - level1 - - level2 - - rule_18.4.4 - - patch - -- name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: KeepAliveTime - data: 300000 - datatype: dword - when: rule_18_4_5 - tags: - - level2 - - rule_18.4.5 - - patch - -- name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters - state: present - name: NoNameReleaseOnDemand - data: 1 - type: dword - when: rule_18_4_6 - tags: - - level1 - - level2 - - rule_18.4.6 - - patch - -- name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - state: present - name: PerformRouterDiscovery - data: 0 - type: dword - when: rule_18_4_7 - tags: - - level2 - - rule_18.4.7 - - patch - -- name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: SafeDllSearchMode - data: 1 - type: dword - state: present - when: rule_18_4_8 - tags: - - level1 - - level2 - - rule_18.4.8 - - patch - -- name: 
"SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ScreenSaverGracePeriod - data: 5 - type: string - state: present - when: rule_18_4_9 - tags: - - level1 - - level2 - - rule_18.4.9 - - patch - -- name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_10 - tags: - - level2 - - rule_18.4.10 - - patch - -- name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_11 - tags: - - level2 - - rule_18.4.11 - - patch - -- name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security - name: WarningLevel - data: 90 - type: dword - when: rule_18_4_12 - tags: - - level1 - - level2 - - rule_18.4.12 - - patch - - -- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters - name: NodeType - data: 2 - type: dword - when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.5.4.1 - - patch - -- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off 
multicast name resolution is set to Enabled MS Only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient - name: EnableMulticast - data: 0 - type: dword - when: - - rule_18_5_4_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.5.4.2 - - patch - -- name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableFontProviders - data: 0 - type: dword - when: rule_18_5_5_1 - tags: - - level2 - - rule_18.5.5.1 - - patch - -- name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation - name: AllowInsecureGuestAuth - data: 0 - type: dword - when: rule_18_5_8_1 - tags: - - level1 - - level2 - - rule_18.5.8.1 - - patch - -- name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" - block: - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOndomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableLLTDIO - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: 
ProhibitLLTDIOOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_1 - tags: - - level2 - - rule_18.5.9.1 - - patch - -- name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" - block: - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnDomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableRspndr - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitRspndrOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_2 - tags: - - level2 - - rule_18.5.9.2 - - patch - -- name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Peernet - name: Disabled - data: 1 - type: dword - when: rule_18_5_10_2 - tags: - - level2 - - rule_18.5.10.2 - - patch - -- name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_AllowNetBridge_NLA - data: 0 - type: dword - when: rule_18_5_11_2 - tags: - - level1 - - level2 - - rule_18.5.11.2 - - patch - -- name: "SCORED | 18.5.11.3 | 
PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections - name: NC_ShowSharedAccessUI - data: 0 - type: dword - when: rule_18_5_11_3 - tags: - - level1 - - level2 - - rule_18.5.11.3 - - patch - -- name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_StdDomainUserSetLocation - data: 1 - type: dword - when: rule_18_5_11_4 - tags: - - level1 - - level2 - - rule_18.5.11.4 - - patch - -- name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" - block: - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\NETLOGON" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\SYSVOL" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - when: rule_18_5_14_1 - tags: - - level1 - - level2 - - rule_18.5.14.1 - - patch - -- name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters - name: DisabledComponents - data: 255 - type: dword - when: rule_18_5_19_2_1 - tags: - - 
level2 - - rule_18.5.19.2.1 - - patch - -- name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" - block: - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: EnableRegistrars - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableUPnPRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableInBand802DOT11Registrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableFlashConfigRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableWPDRegistrar - data: 0 - type: dword - when: rule_18_5_20_1 - tags: - - level2 - - rule_18.5.20.1 - - patch - -- name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui - name: DisableWcnUi - data: 1 - type: dword - when: rule_18_5_20_2 - tags: - - level2 - 
- rule_18.5.20.2 - - patch - -- name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fMinimizeConnections - data: 1 - type: dword - when: rule_18_5_21_1 - tags: - - level1 - - level2 - - rule_18.5.21.1 - - patch - -- name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fBlockNonDomain - data: 1 - type: dword - when: - - rule_18_5_21_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level2 - - rule_18.5.21.2 - - patch - -- name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit - name: ProcessCreationIncludeCmdLine_Enabled - data: 0 - type: dword - when: rule_18_8_3_1 - tags: - - level1 - - level2 - - rule_18.8.3.1 - - patch - - -- name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation - name: AllowProtectedCreds - data: 1 - type: dword - when: rule_18_8_4_1 - tags: - - level1 - - level2 - - rule_18.8.4.1 - - patch - -- name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: EnableVirtualizationBasedSecurity - data: 1 - type: dword - when: - - rule_18_8_5_1 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.1 - - patch - -- name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization 
Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: RequirePlatformSecurityFeatures - data: 3 - type: dword - when: - - rule_18_8_5_2 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.2 - - patch - -- name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HypervisorEnforcedCodeIntegrity - data: 1 - type: dword - when: - - rule_18_8_5_3 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.3 - - patch - -- name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HVCIMATRequired - data: 1 - type: dword - when: - - rule_18_8_5_4 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.4 - - patch - -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword - when: - - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_18.8.5.5 - - patch - -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword - when: - - rule_18_8_5_5 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.5 - - patch - -- name: 
"SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" - win_regedit: - path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch - name: DriverLoadPolicy - data: 3 - type: dword - when: rule_18_8_14_1 - tags: - - level1 - - level2 - - rule_18.8.14.1 - - patch - -- name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoBackgroundPolicy - data: 0 - type: dword - when: rule_18_8_21_2 - tags: - - level1 - - level2 - - rule_18.8.21.2 - - patch - -- name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoGPOListChanges - data: 0 - type: dword - when: rule_18_8_21_3 - tags: - - level1 - - level2 - - rule_18.8.21.3 - - patch - -- name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableCdp - data: 0 - type: dword - when: rule_18_8_21_4 - tags: - - level1 - - level2 - - rule_18.8.21.4 - - patch - -- name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: yes - when: rule_18_8_21_5 - tags: - - level1 - - level2 - - rule_18.8.21.5 - - patch - -- name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableWebPnPDownload - data: 1 - type: dword - when: rule_18_8_22_1_1 - tags: - - level1 - - level2 - - rule_18.8.22.1.1 - - patch - -- name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc - name: PreventHandwritingDataSharing - data: 1 - type: dword - when: rule_18_8_22_1_2 - tags: - - level2 - - rule_18.8.22.1.2 - - patch - -- name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports - name: PreventHandwritingErrorReports - data: 1 - type: dword - when: rule_18_8_22_1_3 - tags: - - level2 - - rule_18.8.22.1.3 - - patch - -- name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard - name: ExitOnMSICW - data: 1 - type: dword - when: rule_18_8_22_1_4 - tags: - - level2 - - rule_18.8.22.1.4 - - patch - -- name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoWebServices - data: 1 - type: dword - when: rule_18_8_22_1_5 - tags: - - level1 - - level2 - - rule_18.8.22.1.5 - - patch - -- name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableHTTPPrinting - data: 1 - type: dword - when: rule_18_8_22_1_6 - tags: - - level1 - - level2 - - rule_18.8.22.1.6 - - patch - -- name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration 
if URL connection is referring to Microsoft.com is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control - name: NoRegistration - data: 1 - type: dword - when: rule_18_8_22_1_7 - tags: - - level2 - - rule_18.8.22.1.7 - - patch - -- name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Searchcompanion - name: DisableContentFileUpdates - data: 1 - type: dword - when: rule_18_8_22_1_8 - tags: - - level2 - - rule_18.8.22.1.8 - - patch - -- name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoOnlinePrintsWizard - data: 1 - type: dword - when: rule_18_8_22_1_9 - tags: - - level2 - - rule_18.8.22.1.9 - - patch - -- name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoPublishingWizard - data: 1 - type: dword - when: rule_18_8_22_1_10 - tags: - - level2 - - rule_18.8.22.1.10 - - patch - -- name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Messenger\Client - name: CEIP - data: 2 - type: dword - when: rule_18_8_22_1_11 - tags: - - level2 - - rule_18.8.22.1.11 - - patch - -- name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows - name: CEIPEnable - data: 0 - type: dword - when: rule_18_8_22_1_12 - tags: - - level2 - - rule_18.8.22.1.12 - - patch - -- name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off 
Windows Error Reporting is set to Enabled" - block: - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting - name: Disabled - data: 1 - type: dword - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting - name: DoReport - data: 0 - type: dword - when: rule_18_8_22_1_13 - tags: - - level2 - - rule_18.8.22.1.13 - - patch - -- name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic" - block: - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitBehavior - data: 0 - type: dword - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitEnabled - data: 1 - type: dword - when: rule_18_8_25_1 - tags: - - level2 - - rule_18.8.25.1 - - patch - -- name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Control Panel\International - name: BlockUserInputMethodsForSignIn - data: 1 - type: dword - when: rule_18_8_26_1 - tags: - - level2 - - rule_18.8.26.1 - - patch - -- name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockUserFromShowingAccountDetailsOnSignin - data: 1 - type: dword - when: rule_18_8_27_1 - tags: - - level1 - - level2 - - rule_18.8.27.1 - - patch - -- name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontDisplayNetworkSelectionUI - data: 1 - type: dword - when: rule_18_8_27_2 - tags: - - level1 - - level2 - - rule_18.8.27.2 - - patch - -- name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontEnumerateConnectedUsers - data: 1 - type: dword - when: rule_18_8_27_3 - tags: - - level1 - - level2 - - rule_18.8.27.3 - - patch - -- name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: EnumerateLocalUsers - data: 0 - type: dword - when: rule_18_8_27_4 - tags: - - level1 - - level2 - - rule_18.8.27.4 - - patch - -- name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DisableLockScreenAppNotifications - data: 1 - type: dword - when: rule_18_8_27_5 - tags: - - level1 - - level2 - - rule_18.8.27.5 - - patch - -- name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockDomainPicturePassword - data: 1 - type: dword - when: rule_18_8_27_6 - tags: - - level1 - - level2 - - rule_18.8.27.6 - - patch - -- name: "SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\System - name: AllowDomainPINLogon - data: 0 - type: dword - when: rule_18_8_27_7 - tags: - - level1 - - level2 - - rule_18.8.27.7 - - patch - -- name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions - name: MitigationOptions_FontBocking - data: 0 - type: dword - when: rule_18_8_28_1 - tags: - - level1 - - level2 - - rule_18.8.28.1 - - patch - -- name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 - name: ACSettingIndex - data: 0 - type: dword - when: rule_18_8_33_6_2 - tags: - - level2 - - rule_18.8.33.6.2 - - patch - -- name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 - name: DCSettingIndex - data: 1 - type: dword - when: rule_18_8_33_6_3 - tags: - - level1 - - level2 - - rule_18.8.33.6.3 - - patch - -- name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 - name: ACSettingIndex - data: 1 - type: dword - when: rule_18_8_33_6_4 - tags: - - level1 - - level2 - - rule_18.8.33.6.4 - - patch - -- name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fAllowUnsolicited - data: 0 - type: dword - when: rule_18_8_35_1 - tags: - - level1 - - level2 - - rule_18.8.35.1 - - patch - -- name: "SCORED | 
18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fAllowToGetHelp - data: 0 - type: dword - when: rule_18_8_35_2 - tags: - - level1 - - level2 - - rule_18.8.35.2 - - patch - -- name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc - name: EnableAuthEpResolution - data: 1 - type: dword - when: - - rule_18_8_36_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.8.36.1 - - patch - -- name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc - name: RestrictRemoteClients - data: 1 - type: dword - when: - - rule_18_8_36_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level2 - - rule_18.8.36.2 - - patch - -- name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy - name: DisableQueryRemoteServer - data: 0 - type: dword - when: rule_18_8_44_5_1 - tags: - - level2 - - rule_18.8.44.5.1 - - patch - -- name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} - name: ScenarioExecutionEnabled - data: 0 - type: dword - when: rule_18_8_44_11_1 - tags: - - level2 - - rule_18.8.44.11.1 - - patch - -- name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo - name: DisabledByGroupPolicy - data: 1 - type: dword - when: rule_18_8_46_1 - tags: - - level2 - - rule_18.8.46.1 - - patch - -- name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient - name: Enabled - data: 1 - type: dword - when: rule_18_8_49_1_1 - tags: - - level2 - - rule_18.8.49.1.1 - - patch - -- name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver - name: Enabled - data: 1 - type: dword - when: - - rule_18_8_49_1_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level2 - - rule_18.8.49.1.2 - - patch - -- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager - name: AllowSharedLocalAppData - data: 0 - type: dword - when: rule_18_9_4_1 - tags: - - level2 - - rule_18.9.4.1 - - patch - -- name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: MSAOptional - data: 1 - type: dword - when: rule_18_9_6_1 - tags: - - level1 - - level2 - - rule_18.9.6.1 - - patch - -- name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoAutoplayfornonVolume - data: 1 - type: dword - when: rule_18_9_8_1 - tags: - - level1 - - level2 - - rule_18.9.8.1 - - patch - -- name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun 
commands" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoAutorun - data: 1 - type: dword - when: rule_18_9_8_2 - tags: - - level1 - - level2 - - rule_18.9.8.2 - - patch - -- name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoDriveTypeAutoRun - data: 255 - type: dword - when: rule_18_9_8_3 - tags: - - level1 - - level2 - - rule_18.9.8.3 - - patch - -- name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures - name: EnhancedAntiSpoofing - data: 1 - type: dword - when: rule_18_9_10_1_1 - tags: - - level1 - - level2 - - rule_18.9.10.1.1 - - patch - -- name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Camera - name: AllowCamera - data: 1 - type: dword - when: rule_18_9_12_1 - tags: - - level2 - - rule_18.9.12.1 - - patch - -- name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableWindowsConsumerFeatures - data: 1 - type: dword - when: rule_18_9_13_1 - tags: - - level1 - - level2 - - rule_18.9.13.1 - - patch - -- name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect - name: RequirePinForPairing - data: 1 - type: dword - when: rule_18_9_14_1 - tags: - - level1 - - level2 - - rule_18.9.14.1 - - patch - -- name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Credui - name: 
DisablePasswordReveal - data: 1 - type: dword - when: rule_18_9_15_1 - tags: - - level1 - - level2 - - rule_18.9.15.1 - - patch - -- name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui - name: EnumerateAdministrators - data: 0 - type: dword - when: rule_18_9_15_2 - tags: - - level1 - - level2 - - rule_18.9.15.2 - - patch - -- name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: AllowTelemetry - data: 0 - type: dword - when: rule_18_9_16_1 - tags: - - level1 - - level2 - - rule_18.9.16.1 - - patch - -- name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DisableEnterpriseAuthProxy - data: 0 - type: dword - when: rule_18_9_16_2 - tags: - - level2 - - rule_18.9.16.2 - - patch - -- name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds - name: EnableConfigFlighting - data: 01 - type: dword - when: rule_18_9_16_3 - tags: - - level1 - - level2 - - rule_18.9.16.3 - - patch - -- name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DoNotShowFeedbackNotifications - data: 1 - type: dword - when: rule_18_9_16_4 - tags: - - level1 - - level2 - - rule_18.9.16.4 - - patch - -- name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled" - 
win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds - name: AllowBuildPreview - data: 0 - type: dword - when: rule_18_9_16_5 - tags: - - level1 - - level2 - - rule_18.9.16.5 - - patch - -- name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application - name: Retention - data: 0 - type: dword - when: rule_18_9_26_1_1 - tags: - - level1 - - level2 - - rule_18.9.26.1.1 - - patch - -- name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application - name: MaxSize - data: 65538 - type: dword - when: rule_18_9_26_1_2 - tags: - - level1 - - level2 - - rule_18.9.26.1.2 - - patch - -- name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: Retention - data: 0 - type: string - when: rule_18_9_26_2_1 - tags: - - level1 - - level2 - - rule_18.9.26.2.1 - - patch - -- name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: MaxSize - data: 196608 - type: dword - when: rule_18_9_26_2_2 - tags: - - level1 - - level2 - - rule_18.9.26.2.2 - - patch - -- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application - name: Retention - data: 0 - type: string - when: rule_18_9_26_3_1 - tags: - - level1 - - level2 - - rule_18.9.26.3.1 
- - patch - -- name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup - name: MaxSize - data: 32768 - type: dword - when: rule_18_9_26_3_2 - tags: - - level1 - - level2 - - rule_18.9.26.3.2 - - patch - -- name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: Retention - data: 0 - type: string - when: rule_18_9_26_4_1 - tags: - - level1 - - level2 - - rule_18.9.26.4.1 - - patch - -- name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: MaxSize - data: 65538 - type: dword - when: rule_18_9_26_4_2 - tags: - - level1 - - level2 - - rule_18.9.26.4.2 - - patch - -- name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoDataExecutionPrevention - data: 0 - type: dword - when: rule_18_9_30_2 - tags: - - level1 - - level2 - - rule_18.9.30.2 - - patch - -- name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoHeapTerminationOnCorruption - data: 0 - type: dword - when: rule_18_9_30_3 - tags: - - level1 - - level2 - - rule_18.9.30.3 - - patch - -- name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: PreXPSP2ShellProtocolBehavior - data: 0 - type: dword - when: 
rule_18_9_30_4 - tags: - - level1 - - level2 - - rule_18.9.30.4 - - patch - -- name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors - name: DisableLocation - data: 1 - type: dword - when: rule_18_9_39_2 - tags: - - level2 - - rule_18.9.39.2 - - patch - -- name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Messaging - name: AllowMessageSync - data: 0 - type: dword - when: rule_18_9_43_1 - tags: - - level2 - - rule_18.9.43.1 - - patch - -- name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount - name: DisableUserAuth - data: 1 - type: dword - when: rule_18_9_44_1 - tags: - - level1 - - level2 - - rule_18.9.44.1 - - patch - -- name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive - name: DisableFileSyncNGSC - data: 1 - type: dword - when: rule_18_9_52_1 - tags: - - level1 - - level2 - - rule_18.9.52.1 - - patch - -- name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DisablePasswordSaving - data: 1 - type: dword - when: rule_18_9_58_2_2 - tags: - - level1 - - level2 - - rule_18.9.58.2.2 - - patch - -- name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fSingleSessionPerUser - data: 1 - type: dword - when: rule_18_9_58_3_2_1 - tags: - - level2 - - 
rule_18.9.58.3.2.1 - - patch - -- name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCcm - data: 1 - type: dword - when: rule_18_9_58_3_3_1 - tags: - - level2 - - rule_18.9.58.3.3.1 - - patch - -- name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCdm - data: 1 - type: dword - when: rule_18_9_58_3_3_2 - tags: - - level1 - - level2 - - rule_18.9.58.3.3.2 - - patch - -- name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableLPT - data: 1 - type: dword - when: rule_18_9_58_3_3_3 - tags: - - level2 - - rule_18.9.58.3.3.3 - - patch - -- name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisablePNPRedir - data: 1 - type: dword - when: rule_18_9_58_3_3_4 - tags: - - level2 - - rule_18.9.58.3.3.4 - - patch - -- name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fPromptForPassword - data: 1 - type: dword - when: rule_18_9_58_3_9_1 - tags: - - level1 - - level2 - - rule_18.9.58.3.9.1 - - patch - -- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fEncryptRPCTraffic - data: 1 - type: dword - when: rule_18_9_58_3_9_2 - tags: - - level1 - - level2 - - rule_18.9.58.3.9.2 
- - audit
-
-- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
- name: fEncryptRPCTraffic
- data: 1
- type: dword
- when: rule_18_9_58_3_9_2
- tags:
- - level1
- - level2
- - rule_18.9.58.3.9.2
- - patch
-
-- name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: MinEncryptionLevel
- data: 3
- type: dword
- when: rule_18_9_58_3_9_3
- tags:
- - level1
- - level2
- - rule_18.9.58.3.9.3
- - patch
-
-- name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: MaxIdleTime
- data: 3600000
- type: dword
- when: rule_18_9_58_3_10_1
- tags:
- - level2
- - rule_18.9.58.3.10.1
- - patch
-
-- name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: MaxDisconnectionTime
- data: 28800000
- type: dword
- when: rule_18_9_58_3_10_2
- tags:
- - level2
- - rule_18.9.58.3.10.2
- - patch
-
-- name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: DeleteTempDirsOnExit
- data: 1
- type: dword
- when: rule_18_9_58_3_11_1
- tags:
- - level1
- - level2
- - rule_18.9.58.3.11.1
- - patch
-
-- name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: PerSessionTempDir
- data: 1
- type: dword
- when: rule_18_9_58_3_11_2
- tags:
- - level1
- - level2
- - rule_18.9.58.3.11.2
- - patch
-
-- name: "SCORED | 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
- name: DisableEnclosureDownload
- data: 1
- type: dword
- when: rule_18_9_59_1
- tags:
- - level1
- - level2
- - rule_18.9.59.1
- - patch
-
-- name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
- name: AllowCloudSearch
- data: 0
- type: dword
- when: rule_18_9_60_2
- tags:
- - level2
- - rule_18.9.60.2
- - patch
-
-- name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
- name: AllowIndexingEncryptedStoresOrItems
- data: 0
- type: dword
- when: rule_18_9_60_3
- tags:
- - level1
- - level2
- - rule_18.9.60.3
- - patch
-
-- name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
- name: NoGenTicket
- data: 1
- type: dword
- when: rule_18_9_65_1
- tags:
- - level2
- - rule_18.9.65.1
- - patch
-
-- name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
- name: LocalSettingOverrideSpynetReporting
- data: 0
- type: dword
- when: rule_18_9_76_3_1
- tags:
- - level1
- - level2
- - rule_18.9.76.3.1
- - patch
-
-- name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
- name: SpynetReporting
- data: 0
- type: dword
- when: rule_18_9_76_3_2
- tags:
- - level2
- - rule_18.9.76.3.2
- - patch
-
-- name: "SCORED | 18.9.76.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
- name: DisableBehaviorMonitoring
- data: 0
- type: dword
- when: rule_18_9_76_7_1
- tags:
- - level1
- - level2
- - rule_18.9.76.7.1
- - patch
-
-- name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
- name: DisableGenericRePorts
- data: 1
- type: dword
- when: rule_18_9_76_9_1
- tags:
- - level2
- - rule_18.9.76.9.1
- - patch
-
-- name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
- name: DisableRemovableDriveScanning
- data: 0
- type: dword
- when: rule_18_9_76_10_1
- tags:
- - level1
- - level2
- - rule_18.9.76.10.1
- - patch
-
-- name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
- name: DisableEmailScanning
- data: 0
- type: dword
- when: rule_18_9_76_10_2
- tags:
- - level1
- - level2
- - rule_18.9.76.10.2
- - patch
-
-- name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
- name: ExploitGuard_ASR_Rules
- data: 1
- type: dword
- when: rule_18_9_76_13_1_1
- tags:
- - level1
- - level2
- - rule_18.9.76.13.1.1
- - patch
-
-- name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
- name: "{{ item }}"
- data: 1
- type: string # aka REG_SZ
- loop:
- - 26190899-1602-49e8-8b27-eb1d0a1ce869
- - 3b576869-a4ec-4529-8536-b80a7769e899
- - 5beb7efe-fd9a-4556-801d-275e5ffc04cc
- - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
- - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
- - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
- - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
- - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
- - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
- - d3e037e1-3eb8-44c8-a917-57927947596d
- - d4f940ab-401b-4efc-aadc-ad5f3c50688a
- when: rule_18_9_76_13_1_2
- tags:
- - level1
- - level2
- - rule_18.9.76.13.1.2
- - patch
-
-- name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
- name: ExploitGuard_ASR_Rules
- data: 1
- type: dword
- when: rule_18_9_76_13_3_1
- tags:
- - level1
- - level2
- - rule_18.9.76.13.3.1
- - patch
-
-- name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender
- name: DisableAntiSpyware
- data: 0
- type: dword
- when: rule_18_9_76_14
- tags:
- - level1
- - level2
- - rule_18.9.76.14
- - patch
-
-- name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
- name: DisallowExploitProtectionOverride
- data: 1
- type: dword
- when: rule_18_9_79_1_1
- tags:
- - level1
- - level2
- - rule_18.9.79.1.1
- - patch
-
-- name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass"
- block:
- - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: EnableSmartScreen
- data: 1
- type: dword
- - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: ShellSmartScreenLevel
- data: Block
- type: string
- when: rule_18_9_80_1_1
- tags:
- - level1
- - level2
- - rule_18.9.80.1.1
- - patch
-
-- name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace
- name: AllowSuggestedAppsInWindowsInkWorkspace
- data: 0
- type: dword
- when: rule_18_9_84_1
- tags:
- - level2
- - rule_18.9.84.1
- - patch
-
-- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
- name: AllowWindowsInkWorkspace
- data: 1
- type: dword
- when: rule_18_9_84_2
- tags:
- - level1
- - level2
- - rule_18.9.84.2
- - patch
-
-- name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: EnableUserControl
- data: 0
- type: dword
- when: rule_18_9_85_1
- tags:
- - level1
- - level2
- - rule_18.9.85.1
- - patch
-
-- name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: AlwaysInstallElevated
- data: 0
- type: dword
- when: rule_18_9_85_2
- tags:
- - level1
- - level2
- - rule_18.9.85.2
- - patch
-
-- name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: SafeForScripting
- data: 0
- type: dword
- when: rule_18_9_85_3
- tags:
- - level2
- - rule_18.9.85.3
- - patch
-
-- name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: DisableAutomaticRestartSignOn
- data: 1
- type: dword
- when: rule_18_9_86_1
- tags:
- - level1
- - level2
- - rule_18.9.86.1
- - patch
-
-- name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
- name: EnableScriptBlockLogging
- data: 1
- type: dword
- when: rule_18_9_95_1
- tags:
- - level1
- - level2
- - rule_18.9.95.1
- - patch
-
-- name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
- name: EnableTranscripting
- data: 1
- type: dword
- when: rule_18_9_95_2
- tags:
- - level1
- - level2
- - rule_18.9.95.2
- - patch
-
-- name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
- name: AllowBasic
- data: 0
- type: dword
- when: rule_18_9_97_1_1
- tags:
- - level1
- - level2
- - rule_18.9.97.1.1
- - patch
-
-- name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
- name: AllowUnencryptedTraffic
- data: 0
- type: dword
- when: rule_18_9_97_1_2
- tags:
- - level1
- - level2
- - rule_18.9.97.1.2
- - patch
-
-- name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
- name: AllowDigest
- data: 0
- type: dword
- when: rule_18_9_97_1_3
- tags:
- - level1
- - level2
- - rule_18.9.97.1.3
- - patch
-
-- name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: AllowBasic
- data: 0
- type: dword
- when: rule_18_9_97_2_1
- tags:
- - level1
- - level2
- - rule_18.9.97.2.1
- - patch
-
-#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
-- name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: AllowAutoConfig
- data: 1
- type: dword
- when:
- - rule_18_9_97_2_2
- - is_implemented
- tags:
- - level2
- - rule_18.9.97.2.2
- - patch
-
-- name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: AllowUnencryptedTraffic
- data: 0
- type: dword
- when: rule_18_9_97_2_3
- tags:
- - level1
- - level2
- - rule_18.9.97.2.3
- - patch
-
-- name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
- name: DisableRunAs
- data: 1
- type: dword
- when: rule_18_9_97_2_4
- tags:
- - level1
- - level2
- - rule_18.9.97.2.4
- - patch
-
-#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
-- name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
- name: AllowRemoteShellAccess
- data: 1
- type: dword
- when:
- - rule_18_9_98_1
- - is_implemented
- tags:
- - level2
- - rule_18.9.98.1
- - patch
-
-- name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds"
- block:
- - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: ManagePreviewBuilds
- data: 1
- type: dword
- - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: ManagePreviewBuildsPolicyValue
- data: 0
- type: dword
- when: rule_18_9_101_1_1
- tags:
- - level1
- - level2
- - rule_18.9.101.1.1
- - patch
-
-- name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days"
- block:
- - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferFeatureUpdates
- data: 1
- type: dword
- - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferFeatureUpdatesPeriodInDays
- data: 180
- type: dword
- - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
- name: BranchReadinessLevel
- data: 16
- type: dword
- when: rule_18_9_101_1_2
- tags:
- - level1
- - level2
- - rule_18.9.101.1.2
- - patch
-
-- name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days"
- block:
- - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferQualityUpdates
- data: 1
- type: dword
- - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
- name: DeferQualityUpdatesPeriodInDays
- data: 0
- type: dword
- when: rule_18_9_101_1_3
- tags:
- - level1
- - level2
- - rule_18.9.101.1.3
- - patch
-
-- name: "SCORED | 18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
- name: NoAutoUpdate
- data: 0
- type: dword
- when: rule_18_9_101_2
- tags:
- - level1
- - level2
- - rule_18.9.101.2
- - patch
-
-- name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
- name: ScheduledInstallDay
- data: 0
- type: dword
- when: rule_18_9_101_3
- tags:
- - level1
- - level2
- - rule_18.9.101.3
- - patch
-
-- name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
- name: NoAutoRebootWithLoggedOnUsers
- data: 0
- type: dword
- when: rule_18_9_101_4
- tags:
- - level1
- - level2
- - rule_18.9.101.4
- - patch
-