Merge pull request #1 from ansible-lockdown/georgenalen
Updated for CIS v1.2.0 changes
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
georgenalen authored Feb 5, 2021
2 parents d592895 + 86fa8b1 commit a597795
Showing 9 changed files with 2,403 additions and 2,003 deletions.
2 changes: 1 addition & 1 deletion README.md
@@ -3,7 +3,7 @@ Windows Server 2016 CIS

Configure a Windows Server 2016 system to be CIS compliant.

This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.1.0 Rel 1607 released on October 21, 2018] (https://workbench.cisecurity.org/benchmarks/835).
This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.2.0 Rel 1607 released on May 27, 2020] (https://learn.cisecurity.org/l/799323/2020-07-10/zx1v).

Requirements
------------
184 changes: 127 additions & 57 deletions defaults/main.yml
@@ -1,6 +1,7 @@
---
section01_patch: yes
section02_patch: yes
section09_patch: yes
section17_patch: yes
section18_patch: yes
section19_patch: yes
@@ -40,6 +41,7 @@ is_implemented: false
#set to false to skip long running tasks
long_running: false

win_skip_for_test: true

# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules.
# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group
@@ -175,10 +177,39 @@ rule_2_3_17_5: true
rule_2_3_17_6: true
rule_2_3_17_7: true
rule_2_3_17_8: true
rule_2_3_17_9: true

# section9
rule_9_1_1: true
rule_9_1_2: true
rule_9_1_3: true
rule_9_1_4: true
rule_9_1_5: true
rule_9_1_6: true
rule_9_1_7: true
rule_9_1_8: true
rule_9_2_1: true
rule_9_2_2: true
rule_9_2_3: true
rule_9_2_4: true
rule_9_2_5: true
rule_9_2_6: true
rule_9_2_7: true
rule_9_2_8: true
rule_9_3_1: true
rule_9_3_2: true
rule_9_3_3: true
rule_9_3_4: true
rule_9_3_5: true
rule_9_3_6: true
rule_9_3_7: true
rule_9_3_8: true
rule_9_3_9: true
rule_9_3_10: true

# section17
rule_17_1_1: true
rule_17_1_2: true
rule_17_1_3: true
rule_17_2_1: true
rule_17_2_2: true
rule_17_2_3: true
@@ -197,9 +228,13 @@ rule_17_5_5: true
rule_17_5_6: true
rule_17_6_1: true
rule_17_6_2: true
rule_17_6_3: true
rule_17_6_4: true
rule_17_7_1: true
rule_17_7_2: true
rule_17_7_3: true
rule_17_7_4: true
rule_17_7_5: true
rule_17_8_1: true
rule_17_9_1: true
rule_17_9_2: true
@@ -224,6 +259,7 @@ rule_18_3_3: true
rule_18_3_4: true
rule_18_3_5: true
rule_18_3_6: true
rule_18_3_7: true
rule_18_4_1: true
rule_18_4_2: true
rule_18_4_3: true
@@ -252,13 +288,17 @@ rule_18_5_20_1: true
rule_18_5_20_2: true
rule_18_5_21_1: true
rule_18_5_21_2: true
rule_18_7_1_1: true
rule_18_8_3_1: true
rule_18_8_4_1: true
rule_18_8_4_2: true
rule_18_8_5_1: true
rule_18_8_5_2: true
rule_18_8_5_3: true
rule_18_8_5_4: true
rule_18_8_5_5: true
rule_18_8_5_6: true
rule_18_8_5_7: true
rule_18_8_14_1: true
rule_18_8_21_2: true
rule_18_8_21_3: true
@@ -278,27 +318,27 @@ rule_18_8_22_1_11: true
rule_18_8_22_1_12: true
rule_18_8_22_1_13: true
rule_18_8_25_1: true
rule_18_8_26_1: true
rule_18_8_27_1: true
rule_18_8_27_2: true
rule_18_8_27_3: true
rule_18_8_27_4: true
rule_18_8_27_5: true
rule_18_8_27_6: true
rule_18_8_27_7: true
rule_18_8_28_1: true
rule_18_8_33_6_2: true
rule_18_8_33_6_3: true
rule_18_8_33_6_4: true
rule_18_8_35_1: true
rule_18_8_35_2: true
rule_18_8_28_2: true
rule_18_8_28_3: true
rule_18_8_28_4: true
rule_18_8_28_5: true
rule_18_8_28_6: true
rule_18_8_28_7: true
rule_18_8_34_6_1: true
rule_18_8_34_6_2: true
rule_18_8_34_6_3: true
rule_18_8_34_6_4: true
rule_18_8_36_1: true
rule_18_8_36_2: true
rule_18_8_44_5_1: true
rule_18_8_44_11_1: true
rule_18_8_46_1: true
rule_18_8_49_1_1: true
rule_18_8_49_1_2: true
rule_18_8_37_1: true
rule_18_8_37_2: true
rule_18_8_47_5_1: true
rule_18_8_47_11_1: true
rule_18_8_49_1: true
rule_18_8_52_1_1: true
rule_18_8_52_1_2: true
rule_18_9_4_1: true
rule_18_9_6_1: true
rule_18_9_8_1: true
@@ -314,7 +354,6 @@ rule_18_9_16_1: true
rule_18_9_16_2: true
rule_18_9_16_3: true
rule_18_9_16_4: true
rule_18_9_16_5: true
rule_18_9_26_1_1: true
rule_18_9_26_1_2: true
rule_18_9_26_2_1: true
@@ -326,38 +365,38 @@ rule_18_9_26_4_2: true
rule_18_9_30_2: true
rule_18_9_30_3: true
rule_18_9_30_4: true
rule_18_9_39_2: true
rule_18_9_39_1: true
rule_18_9_43_1: true
rule_18_9_44_1: true
rule_18_9_52_1: true
rule_18_9_58_2_2: true
rule_18_9_58_3_2_1: true
rule_18_9_58_3_3_1: true
rule_18_9_58_3_3_2: true
rule_18_9_58_3_3_3: true
rule_18_9_58_3_3_4: true
rule_18_9_58_3_9_1: true
rule_18_9_58_3_9_2: true
rule_18_9_58_3_9_3: true
rule_18_9_58_3_10_1: true
rule_18_9_58_3_10_2: true
rule_18_9_58_3_11_1: true
rule_18_9_58_3_11_2: true
rule_18_9_59_1: true
rule_18_9_60_2: true
rule_18_9_60_3: true
rule_18_9_65_1: true
rule_18_9_76_3_1: true
rule_18_9_76_3_2: true
rule_18_9_76_7_1: true
rule_18_9_76_9_1: true
rule_18_9_76_10_1: true
rule_18_9_76_10_2: true
rule_18_9_76_13_1_1: true
rule_18_9_76_13_1_2: true
rule_18_9_76_13_3_1: true
rule_18_9_76_14: true
rule_18_9_79_1_1: true
rule_18_9_59_2_2: true
rule_18_9_59_3_2_1: true
rule_18_9_59_3_3_1: true
rule_18_9_59_3_3_2: true
rule_18_9_59_3_3_3: true
rule_18_9_59_3_3_4: true
rule_18_9_59_3_9_1: true
rule_18_9_59_3_9_2: true
rule_18_9_59_3_9_3: true
rule_18_9_59_3_9_4: true
rule_18_9_59_3_9_5: true
rule_18_9_59_3_10_1: true
rule_18_9_59_3_10_2: true
rule_18_9_59_3_11_1: true
rule_18_9_59_3_11_2: true
rule_18_9_60_1: true
rule_18_9_61_2: true
rule_18_9_61_3: true
rule_18_9_66_1: true
rule_18_9_77_3_1: true
rule_18_9_77_3_2: true
rule_18_9_77_7_1: true
rule_18_9_77_9_1: true
rule_18_9_77_10_1: true
rule_18_9_77_10_2: true
rule_18_9_77_13_3_1: true
rule_18_9_77_14: true
rule_18_9_77_15: true
rule_18_9_80_1_1: true
rule_18_9_84_1: true
rule_18_9_84_2: true
@@ -375,29 +414,30 @@ rule_18_9_97_2_2: true
rule_18_9_97_2_3: true
rule_18_9_97_2_4: true
rule_18_9_98_1: true
rule_18_9_101_1_1: true
rule_18_9_101_1_2: true
rule_18_9_101_1_3: true
rule_18_9_101_2: true
rule_18_9_101_3: true
rule_18_9_101_4: true
rule_18_9_99_2_1: true
rule_18_9_102_1_1: true
rule_18_9_102_1_2: true
rule_18_9_102_1_3: true
rule_18_9_102_2: true
rule_18_9_102_3: true
rule_18_9_102_4: true

# section19
rule_19_1_3_1: true
rule_19_1_3_2: true
rule_19_1_3_3: true
rule_19_1_3_4: true
rule_19_5_1_1: true
rule_19_6_5_1_1: true
rule_19_6_6_1_1: true
rule_19_7_4_1: true
rule_19_7_4_2: true
rule_19_7_7_1: true
rule_19_7_7_2: true
rule_19_7_7_3: true
rule_19_7_7_4: true
rule_19_7_26_1: true
rule_19_7_40_1: true
rule_19_7_44_2_1: true
rule_19_7_41_1: true
rule_19_7_45_2_1: true


# This SID is the same for standalone, member, domain controller for 'Administrators' group
@@ -437,3 +477,33 @@ sys_maxsize: 32768


legalnoticecaption: "DoD Notice and Consent Banner"

# 9.1.5
# domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
# This is a variable to give some leway on where to store these log files
domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log'

# 9.1.6
# domain_firewall_log_size is the size of the log file generated
# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
domain_firewall_log_size: 16,384

# 9.2.5
# private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log
# This is a variable to give some leway on where to store these log files
private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log'

# 9.2.6
# private_firewall_log_size is the size of the log file
# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
private_firewall_log_size: 16,384

# 9.3.7
# public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log
# This is a variable to give some leway on where to store these log files
public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'

# 9.3.8
# public_firewall_log_size is the size of the log file
# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
public_firewall_log_size: 16,384
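Review bot: `domain_firewall_log_size: 16,384` (and the private/public counterparts two stanzas further down) is read by YAML as the string "16,384", not the integer 16384, so the value that section09.yml hands to win_regedit as a dword `LogFileSize` is not a number; write `domain_firewall_log_size: 16384`, `private_firewall_log_size: 16384` and `public_firewall_log_size: 16384`, keeping the "16,384" spelling only in the comment. `win_skip_for_test: true` as a shipped default means the task it gates in section09.yml (9.3.5, local firewall rule merge on the Public profile) is skipped on every host unless the operator knows to override it; defaulting it to `false` and enabling it only in the test inventory keeps a production run complete. The new comments also misspell "leeway" and "standards" ("leway", "stadnards").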
6 changes: 6 additions & 0 deletions tasks/main.yml
@@ -42,6 +42,12 @@
tags:
- section02

- name: Execute the section 9 tasks
import_tasks: section09.yml
when: section09_patch | bool
tags:
- section09

- name: Execute the section 17 tasks
import_tasks: section17.yml
when: section17_patch | bool
248 changes: 112 additions & 136 deletions tasks/section01.yml
@@ -1,195 +1,171 @@
---
- name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords"
assert:
that: passwordhistorysize | int is version('24', '>=')
fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}"
register: result
changed_when: no
ignore_errors: yes
when: rule_1_1_1
tags:
- level1
- level2
- rule_1.1.1
- audit
- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
block:
- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
assert:
that: passwordhistorysize | int is version('24', '>=')
fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}"
register: result
changed_when: no
ignore_errors: yes

- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords"
win_security_policy:
section: System Access
key: PasswordHistorySize
value: "{{ passwordhistorysize }}"
- name: "SCORED | 1.1.1 | PATCH | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'"
win_security_policy:
section: System Access
key: PasswordHistorySize
value: "{{ passwordhistorysize }}"
when: rule_1_1_1
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.1.1
- patch

- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
assert:
that: maximumpasswordage | int is version('60', '<=')
fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}"
register: result
changed_when: no
ignore_errors: yes
when: rule_1_1_2
tags:
- level1
- level2
- rule_1.1.2
- audit
- name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
block:
- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
assert:
that: maximumpasswordage | int is version('60', '<=')
fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}"
register: result
changed_when: no
ignore_errors: yes

- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
win_security_policy:
section: System Access
key: MaximumPasswordAge
value: "{{ maximumpasswordage }}"
- name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'"
win_security_policy:
section: System Access
key: MaximumPasswordAge
value: "{{ maximumpasswordage }}"
when: rule_1_1_2
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.1.2
- patch

- name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days"
assert:
that: minimumpasswordage is version('1', '>=')
fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}"
register: result
changed_when: no
ignore_errors: yes
when: rule_1_1_3
tags:
- level1
- level2
- rule_1.1.3
- audit
- name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
block:
- name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
assert:
that: minimumpasswordage is version('1', '>=')
fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}"
register: result
changed_when: no
ignore_errors: yes

- name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days"
win_security_policy:
section: System Access
key: MinimumPasswordAge
value: "{{ minimumpasswordage }}"
- name: "SCORED | 1.1.3 | PATCH | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'"
win_security_policy:
section: System Access
key: MinimumPasswordAge
value: "{{ minimumpasswordage }}"
when: rule_1_1_3
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.1.3
- patch

- name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters"
assert:
that: minimumpasswordlength is version('14', '>=')
fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters"
register: result
changed_when: no
ignore_errors: yes
when: rule_1_1_4
tags:
- level1
- level2
- rule_1.1.4
- audit
- name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
block:
- name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
assert:
that: minimumpasswordlength is version('14', '>=')
fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters"
register: result
changed_when: no
ignore_errors: yes

- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters"
win_security_policy:
section: System Access
key: MinimumPasswordLength
value: "{{ minimumpasswordlength }}"
- name: "SCORED | 1.1.4 | PATCH | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'"
win_security_policy:
section: System Access
key: MinimumPasswordLength
value: "{{ minimumpasswordlength }}"
when: rule_1_1_4
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.1.4
- patch

- name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled"
- name: "SCORED | 1.1.5 | PATCH | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'"
win_security_policy:
section: System Access
key: PasswordComplexity
value: 1
when: rule_1_1_5
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.1.5
- patch

- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled"
- name: "SCORED | 1.1.6 | PATCH | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
win_security_policy:
section: System Access
key: ClearTextPassword
value: "0"
when: rule_1_1_6
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.1.6
- patch

- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes"
assert:
that: lockoutduration | int is version('15', '<=')
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
register: result
changed_when: no
ignore_errors: yes
when: rule_1_2_1
tags:
- level1
- level2
- rule_1.2.1
- audit

- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes"
win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ lockoutduration }}"
when:
- rule_1_2_1
- is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
tags:
- level1
- level2
- rule_1.2.1
- patch

#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0"
- name: "SCORED | 1.2.2 | PATCH | (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'"
win_security_policy:
section: System Access
key: LockoutBadCount
value: "{{ lockoutbadcount }}"
when: rule_1_2_2
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.2.2
- patch

- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
assert:
that: resetlockoutcount | int is version('15', '>=')
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
register: result
changed_when: no
ignore_errors: yes
when: rule_1_2_3
- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
block:
- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
assert:
that: lockoutduration | int is version('15', '<=')
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
register: result
changed_when: no
ignore_errors: yes

- name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'"
win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ lockoutduration }}"
when:
- rule_1_2_1
- is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
tags:
- level1
- level2
- rule_1.2.3
- audit
- level1-domaincontroller
- level1-memberserver
- rule_1.2.1
- patch

- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
win_security_policy:
section: System Access
key: ResetLockoutCount
value: "{{ resetlockoutcount }}"
- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
block:
- name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
assert:
that: resetlockoutcount | int is version('15', '>=')
fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
register: result
changed_when: no
ignore_errors: yes

- name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'"
win_security_policy:
section: System Access
key: ResetLockoutCount
value: "{{ resetlockoutcount }}"
when: rule_1_2_3
tags:
- level1
- level2
- level1-domaincontroller
- level1-memberserver
- rule_1.2.3
- patch
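Review bot: The 1.2.1 audit `that: lockoutduration | int is version('15', '<=')` passes only when the duration is 15 or less, the opposite of the "15 or more minute(s)" in the task name and of the matching 1.2.3 check two stanzas below, which uses `'>='`; it should read `that: lockoutduration | int is version('15', '>=')`. Its fail_msg is also copied from 1.2.3 ("before the bad logon counter is reset") and should describe the lockout duration instead. The 1.1.2 audit `maximumpasswordage | int is version('60', '<=')` accepts 0, which the control explicitly excludes; a list-form `that:` with `- maximumpasswordage | int <= 60` and `- maximumpasswordage | int > 0` covers both bounds. Minor: the 1.1.2 block is named `PATCH` while every sibling block is named `AUDIT`, and its inner audit task still carries the pre-v1.2.0 title.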
714 changes: 369 additions & 345 deletions tasks/section02.yml


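--- a/tasks/section09.yml
+++ b/tasks/section09.yml
@@ -0,0 +1,364 @@
+---
+- name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+name: EnableFirewall
+data: 1
+type: dword
+when:
+- rule_9_1_1
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.1
+- patch
+
+- name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+name: DefaultInboundAction
+data: 1
+type: dword
+when:
+- rule_9_1_2
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.2
+- patch
+
+- name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+name: DefaultOutboundAction
+data: 0
+type: dword
+when:
+- rule_9_1_3
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.3
+- patch
+
+- name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+name: DisableNotifications
+data: 0
+type: dword
+when:
+- rule_9_1_4
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.4
+- patch
+
+# title has slashes switched
+- name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+name: LogFilePath
+data: '{{ domain_firewall_log_path }}'
+type: string
+when:
+- rule_9_1_5
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.5
+- patch
+
+- name: "SCORED | 9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+name: LogFileSize
+data: '{{ domain_firewall_log_size }}'
+type: dword
+when:
+- rule_9_1_6
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.6
+- patch
+
+- name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+name: LogDroppedPackets
+data: 1
+type: dword
+when:
+- rule_9_1_7
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.7
+- patch
+
+- name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+name: LogSuccessfulConnections
+data: 1
+type: dword
+when:
+- rule_9_1_8
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.1.8
+- patch
+
+- name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
+win_firewall:
+state: enabled
+profile: Private
+when:
+- rule_9_2_1
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.1
+- patch
+
+- name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+name: DefaultInboundAction
+data: 1
+type: dword
+when:
+- rule_9_2_2
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.2
+- patch
+
+- name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+name: DefaultOutboundAction
+data: 0
+type: dword
+when:
+- rule_9_2_3
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.3
+- patch
+
+- name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+name: DisableNotifications
+data: 0
+type: dword
+when:
+- rule_9_2_4
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.4
+- patch
+
+# title has slashes switched
+- name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+name: LogFilePath
+data: '{{ private_firewall_log_path }}'
+type: string
+when:
+- rule_9_2_5
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.5
+- patch
+
+- name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+name: LogFileSize
+data: '{{ private_firewall_log_size }}'
+type: dword
+when:
+- rule_9_2_6
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.6
+- patch
+
+- name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+name: LogDroppedPackets
+data: 1
+type: dword
+when:
+- rule_9_2_7
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.7
+- patch
+
+- name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+name: LogSuccessfulConnections
+data: 1
+type: dword
+when:
+- rule_9_2_8
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.2.8
+- patch
+
+- name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
+win_firewall:
+state: enabled
+profile: Public
+when:
+- rule_9_3_1
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.1
+- patch
+
+- name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+name: DefaultInboundAction
+data: 1
+type: dword
+when:
+- rule_9_3_2
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.2
+- patch
+
+- name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+name: DefaultOutboundAction
+data: 0
+type: dword
+when:
+- rule_9_3_3
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.3
+- patch
+
+- name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+name: DisableNotifications
+data: 0
+type: dword
+when:
+- rule_9_3_4
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.4
+- patch
+
+- name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+name: AllowLocalPolicyMerge
+data: 0
+type: dword
+when:
+- rule_9_3_5
+- not win_skip_for_test
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.5
+- patch
+
+- name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+name: AllowLocalIPsecPolicyMerge
+data: 0
+type: dword
+when:
+- rule_9_3_6
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.6
+- patch
+
+# title has slashes switched
+- name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+name: LogFilePath
+data: '{{ public_firewall_log_path }}'
+type: string
+when:
+- rule_9_3_7
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.7
+- patch
+
+- name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+name: LogFileSize
+data: '{{ public_firewall_log_size }}'
+type: dword
+when:
+- rule_9_3_8
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.8
+- patch
+
+- name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+name: LogDroppedPackets
+data: 1
+type: dword
+when:
+- rule_9_3_9
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.9
+- patch
+
+- name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
+win_regedit:
+path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+name: LogSuccessfulConnections
+data: 1
+type: dword
+when:
+- rule_9_3_10
+tags:
+- level1-domaincontroller
+- level1-memberserver
+- rule_9.3.10
+- patch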
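Review bot: 9.1.4, 9.2.4 and 9.3.4 write `DisableNotifications` with `data: 0`, which leaves notifications enabled, while each task name requires "Display a notification" to be "No"; the value should be `data: 1` in all three tasks. Firewall state is applied inconsistently: 9.1.1 sets the `EnableFirewall` policy value, but 9.2.1 and 9.3.1 use `win_firewall`, which as far as I can tell changes the live profile state rather than the `WindowsFirewall\...Profile` policy key the rest of the file targets, so the Private/Public state may not be what a registry-based audit or a policy refresh sees; a win_regedit task with `name: EnableFirewall` and `data: 1` under PrivateProfile and PublicProfile would match 9.1.1. Only 9.3.5 is gated on `not win_skip_for_test`, and that variable defaults to true in defaults/main.yml, so local firewall rule merge on the Public profile stays permitted on every run unless the operator overrides it; a comment above that task explaining why it is skipped under test (e.g. `# Skipped under test: disabling local rule merge can drop the WinRM rule the test harness relies on — confirm`) would make the trade-off visible.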
1,007 changes: 473 additions & 534 deletions tasks/section17.yml


1,712 changes: 857 additions & 855 deletions tasks/section18.yml


169 changes: 94 additions & 75 deletions tasks/section19.yml

