diff --git a/README.md b/README.md index 5b80abe..2641969 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ Windows Server 2016 CIS Configure a Windows Server 2016 system to be CIS compliant. -This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.1.0 Rel 1607 released on October 21, 2018] (https://workbench.cisecurity.org/benchmarks/835). +This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.2.0 Rel 1607 released on May 27, 2020] (https://learn.cisecurity.org/l/799323/2020-07-10/zx1v). Requirements ------------ diff --git a/defaults/main.yml b/defaults/main.yml index bf26961..23994ff 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,6 +1,7 @@ --- section01_patch: yes section02_patch: yes +section09_patch: yes section17_patch: yes section18_patch: yes section19_patch: yes @@ -40,6 +41,7 @@ is_implemented: false #set to false to skip long running tasks long_running: false +win_skip_for_test: true # These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. # PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group @@ -175,10 +177,39 @@ rule_2_3_17_5: true rule_2_3_17_6: true rule_2_3_17_7: true rule_2_3_17_8: true -rule_2_3_17_9: true + +# section9 +rule_9_1_1: true +rule_9_1_2: true +rule_9_1_3: true +rule_9_1_4: true +rule_9_1_5: true +rule_9_1_6: true +rule_9_1_7: true +rule_9_1_8: true +rule_9_2_1: true +rule_9_2_2: true +rule_9_2_3: true +rule_9_2_4: true +rule_9_2_5: true +rule_9_2_6: true +rule_9_2_7: true +rule_9_2_8: true +rule_9_3_1: true +rule_9_3_2: true +rule_9_3_3: true +rule_9_3_4: true +rule_9_3_5: true +rule_9_3_6: true +rule_9_3_7: true +rule_9_3_8: true +rule_9_3_9: true +rule_9_3_10: true # section17 rule_17_1_1: true +rule_17_1_2: true +rule_17_1_3: true rule_17_2_1: true rule_17_2_2: true rule_17_2_3: true 
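Review bot: `win_skip_for_test: true` in the second defaults/main.yml hunk is added with no comment, while the neighbouring `long_running` variable has a line explaining what it gates. Nothing in this diff shows where the variable is consumed, so a reader cannot tell whether a default of true means some tasks are skipped on a normal, non-test run of the role. Add a comment above it naming the tasks it skips and why they must be disabled under test, and consider defaulting it to false in defaults/main.yml and enabling it only from the test inventory, so the hardening default is the complete run.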
@@ -197,9 +228,13 @@ rule_17_5_5: true rule_17_5_6: true rule_17_6_1: true rule_17_6_2: true +rule_17_6_3: true +rule_17_6_4: true rule_17_7_1: true rule_17_7_2: true rule_17_7_3: true +rule_17_7_4: true +rule_17_7_5: true rule_17_8_1: true rule_17_9_1: true rule_17_9_2: true @@ -224,6 +259,7 @@ rule_18_3_3: true rule_18_3_4: true rule_18_3_5: true rule_18_3_6: true +rule_18_3_7: true rule_18_4_1: true rule_18_4_2: true rule_18_4_3: true @@ -252,13 +288,17 @@ rule_18_5_20_1: true rule_18_5_20_2: true rule_18_5_21_1: true rule_18_5_21_2: true +rule_18_7_1_1: true rule_18_8_3_1: true rule_18_8_4_1: true +rule_18_8_4_2: true rule_18_8_5_1: true rule_18_8_5_2: true rule_18_8_5_3: true rule_18_8_5_4: true rule_18_8_5_5: true +rule_18_8_5_6: true +rule_18_8_5_7: true rule_18_8_14_1: true rule_18_8_21_2: true rule_18_8_21_3: true @@ -278,27 +318,27 @@ rule_18_8_22_1_11: true rule_18_8_22_1_12: true rule_18_8_22_1_13: true rule_18_8_25_1: true -rule_18_8_26_1: true rule_18_8_27_1: true -rule_18_8_27_2: true -rule_18_8_27_3: true -rule_18_8_27_4: true -rule_18_8_27_5: true -rule_18_8_27_6: true -rule_18_8_27_7: true rule_18_8_28_1: true -rule_18_8_33_6_2: true -rule_18_8_33_6_3: true -rule_18_8_33_6_4: true -rule_18_8_35_1: true -rule_18_8_35_2: true +rule_18_8_28_2: true +rule_18_8_28_3: true +rule_18_8_28_4: true +rule_18_8_28_5: true +rule_18_8_28_6: true +rule_18_8_28_7: true +rule_18_8_34_6_1: true +rule_18_8_34_6_2: true +rule_18_8_34_6_3: true +rule_18_8_34_6_4: true rule_18_8_36_1: true rule_18_8_36_2: true -rule_18_8_44_5_1: true -rule_18_8_44_11_1: true -rule_18_8_46_1: true -rule_18_8_49_1_1: true -rule_18_8_49_1_2: true +rule_18_8_37_1: true +rule_18_8_37_2: true +rule_18_8_47_5_1: true +rule_18_8_47_11_1: true +rule_18_8_49_1: true +rule_18_8_52_1_1: true +rule_18_8_52_1_2: true rule_18_9_4_1: true rule_18_9_6_1: true rule_18_9_8_1: true 
@@ -314,7 +354,6 @@ rule_18_9_16_1: true rule_18_9_16_2: true rule_18_9_16_3: true rule_18_9_16_4: true -rule_18_9_16_5: true rule_18_9_26_1_1: true rule_18_9_26_1_2: true rule_18_9_26_2_1: true @@ -326,38 +365,38 @@ rule_18_9_26_4_2: true rule_18_9_30_2: true rule_18_9_30_3: true rule_18_9_30_4: true -rule_18_9_39_2: true +rule_18_9_39_1: true rule_18_9_43_1: true rule_18_9_44_1: true rule_18_9_52_1: true -rule_18_9_58_2_2: true -rule_18_9_58_3_2_1: true -rule_18_9_58_3_3_1: true -rule_18_9_58_3_3_2: true -rule_18_9_58_3_3_3: true -rule_18_9_58_3_3_4: true -rule_18_9_58_3_9_1: true -rule_18_9_58_3_9_2: true -rule_18_9_58_3_9_3: true -rule_18_9_58_3_10_1: true -rule_18_9_58_3_10_2: true -rule_18_9_58_3_11_1: true -rule_18_9_58_3_11_2: true -rule_18_9_59_1: true -rule_18_9_60_2: true -rule_18_9_60_3: true -rule_18_9_65_1: true -rule_18_9_76_3_1: true -rule_18_9_76_3_2: true -rule_18_9_76_7_1: true -rule_18_9_76_9_1: true -rule_18_9_76_10_1: true -rule_18_9_76_10_2: true -rule_18_9_76_13_1_1: true -rule_18_9_76_13_1_2: true -rule_18_9_76_13_3_1: true -rule_18_9_76_14: true -rule_18_9_79_1_1: true +rule_18_9_59_2_2: true +rule_18_9_59_3_2_1: true +rule_18_9_59_3_3_1: true +rule_18_9_59_3_3_2: true +rule_18_9_59_3_3_3: true +rule_18_9_59_3_3_4: true +rule_18_9_59_3_9_1: true +rule_18_9_59_3_9_2: true +rule_18_9_59_3_9_3: true +rule_18_9_59_3_9_4: true +rule_18_9_59_3_9_5: true +rule_18_9_59_3_10_1: true +rule_18_9_59_3_10_2: true +rule_18_9_59_3_11_1: true +rule_18_9_59_3_11_2: true +rule_18_9_60_1: true +rule_18_9_61_2: true +rule_18_9_61_3: true +rule_18_9_66_1: true +rule_18_9_77_3_1: true +rule_18_9_77_3_2: true +rule_18_9_77_7_1: true +rule_18_9_77_9_1: true +rule_18_9_77_10_1: true +rule_18_9_77_10_2: true +rule_18_9_77_13_3_1: true +rule_18_9_77_14: true +rule_18_9_77_15: true rule_18_9_80_1_1: true rule_18_9_84_1: true rule_18_9_84_2: true 
@@ -375,12 +414,13 @@ rule_18_9_97_2_2: true rule_18_9_97_2_3: true rule_18_9_97_2_4: true rule_18_9_98_1: true -rule_18_9_101_1_1: true -rule_18_9_101_1_2: true -rule_18_9_101_1_3: true -rule_18_9_101_2: true -rule_18_9_101_3: true -rule_18_9_101_4: true +rule_18_9_99_2_1: true +rule_18_9_102_1_1: true +rule_18_9_102_1_2: true +rule_18_9_102_1_3: true +rule_18_9_102_2: true +rule_18_9_102_3: true +rule_18_9_102_4: true # section19 rule_19_1_3_1: true @@ -388,7 +428,7 @@ rule_19_1_3_2: true rule_19_1_3_3: true rule_19_1_3_4: true rule_19_5_1_1: true -rule_19_6_5_1_1: true +rule_19_6_6_1_1: true rule_19_7_4_1: true rule_19_7_4_2: true rule_19_7_7_1: true @@ -396,8 +436,8 @@ rule_19_7_7_2: true rule_19_7_7_3: true rule_19_7_7_4: true rule_19_7_26_1: true -rule_19_7_40_1: true -rule_19_7_44_2_1: true +rule_19_7_41_1: true +rule_19_7_45_2_1: true # This SID is the same for standalone, member, domain controller for 'Administrators' group 
@@ -437,3 +477,33 @@ sys_maxsize: 32768 legalnoticecaption: "DoD Notice and Consent Banner" + +# 9.1.5 +# domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log +# This is a variable to give some leway on where to store these log files +domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log' + +# 9.1.6 +# domain_firewall_log_size is the size of the log file generated +# To conform to CIS standards the value should be 16,384 or greater. Value is in KB +domain_firewall_log_size: 16,384 + +# 9.2.5 +# private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log +# This is a variable to give some leway on where to store these log files +private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log' + +# 9.2.6 +# private_firewall_log_size is the size of the log file +# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +private_firewall_log_size: 16,384 + +# 9.3.7 +# public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log +# This is a variable to give some leway on where to store these log files +public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' + +# 9.3.8 +# public_firewall_log_size is the size of the log file +# To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB +public_firewall_log_size: 16,384 \ No newline at end of file diff --git a/tasks/main.yml b/tasks/main.yml index 15aa8fd..77748a6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
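Review bot: `domain_firewall_log_size: 16,384` (and the private/public counterparts added in the same hunk) is a plain scalar containing a comma, which YAML parses as the string `16,384`, not the integer 16384; the task that consumes it is not in this diff, but an `| int` filter or a DWORD registry write will either fail or store the literal text, so controls 9.1.6, 9.2.6 and 9.3.8 would not be applied as intended. Write the three values as bare integers, e.g. `domain_firewall_log_size: 16384`, and keep the "16,384" formatting in the comment only. The comments above them also carry typos (`leway`, `stadnards`), and the file now ends without a trailing newline.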
@@ -42,6 +42,12 @@ tags: - section02 +- name: Execute the section 9 tasks + import_tasks: section09.yml + when: section09_patch | bool + tags: + - section09 + - name: Execute the section 17 tasks import_tasks: section17.yml when: section17_patch | bool diff --git a/tasks/section01.yml b/tasks/section01.yml index ea51705..0aa261f 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml 
@@ -1,195 +1,171 @@ --- -- name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords" - assert: - that: passwordhistorysize | int is version('24', '>=') - fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_1 - tags: - - level1 - - level2 - - rule_1.1.1 - - audit +- name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + block: + - name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + assert: + that: passwordhistorysize | int is version('24', '>=') + fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords" - win_security_policy: - section: System Access - key: PasswordHistorySize - value: "{{ passwordhistorysize }}" + - name: "SCORED | 1.1.1 | PATCH | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'" + win_security_policy: + section: System Access + key: PasswordHistorySize + value: "{{ passwordhistorysize }}" when: rule_1_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.1 - patch -- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - assert: - that: maximumpasswordage | int is version('60', '<=') - fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_2 - tags: - - level1 - - level2 - - rule_1.1.2 - - audit +- name: "SCORED | 1.1.2 | 
PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" + block: + - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" + assert: + that: maximumpasswordage | int is version('60', '<=') + fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" - win_security_policy: - section: System Access - key: MaximumPasswordAge - value: "{{ maximumpasswordage }}" + - name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" + win_security_policy: + section: System Access + key: MaximumPasswordAge + value: "{{ maximumpasswordage }}" when: rule_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.2 - patch -- name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days" - assert: - that: minimumpasswordage is version('1', '>=') - fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_3 - tags: - - level1 - - level2 - - rule_1.1.3 - - audit +- name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + block: + - name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + assert: + that: minimumpasswordage is version('1', '>=') + fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more 
days" - win_security_policy: - section: System Access - key: MinimumPasswordAge - value: "{{ minimumpasswordage }}" + - name: "SCORED | 1.1.3 | PATCH | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" + win_security_policy: + section: System Access + key: MinimumPasswordAge + value: "{{ minimumpasswordage }}" when: rule_1_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.3 - patch -- name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters" - assert: - that: minimumpasswordlength is version('14', '>=') - fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_1_4 - tags: - - level1 - - level2 - - rule_1.1.4 - - audit +- name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + block: + - name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + assert: + that: minimumpasswordlength is version('14', '>=') + fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters" + register: result + changed_when: no + ignore_errors: yes -- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" - win_security_policy: - section: System Access - key: MinimumPasswordLength - value: "{{ minimumpasswordlength }}" + - name: "SCORED | 1.1.4 | PATCH | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" + win_security_policy: + section: System Access + key: MinimumPasswordLength + value: "{{ minimumpasswordlength }}" when: rule_1_1_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.4 - patch -- name: "SCORED | 1.1.5 
| PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" +- name: "SCORED | 1.1.5 | PATCH | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" win_security_policy: section: System Access key: PasswordComplexity value: 1 when: rule_1_1_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.5 - patch -- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" +- name: "SCORED | 1.1.6 | PATCH | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" win_security_policy: section: System Access key: ClearTextPassword value: "0" when: rule_1_1_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.1.6 - patch -- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" - assert: - that: lockoutduration | int is version('15', '<=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_1 - tags: - - level1 - - level2 - - rule_1.2.1 - - audit - -- name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" - win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" - when: - - rule_1_2_1 - - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - tags: - - level1 - - level2 - - rule_1.2.1 - - patch - #This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable -- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" +- name: "SCORED | 1.2.2 | PATCH | (L1) Ensure 'Account lockout 
threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'" win_security_policy: section: System Access key: LockoutBadCount value: "{{ lockoutbadcount }}" when: rule_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.2 - patch -- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - assert: - that: resetlockoutcount | int is version('15', '>=') - fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" - register: result - changed_when: no - ignore_errors: yes - when: rule_1_2_3 +- name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + block: + - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + assert: + that: lockoutduration | int is version('15', '<=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" + win_security_policy: + section: System Access + key: LockoutDuration + value: "{{ lockoutduration }}" + when: + - rule_1_2_1 + - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp tags: - - level1 - - level2 - - rule_1.2.3 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_1.2.1 + - patch -- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" - win_security_policy: - section: System Access - key: ResetLockoutCount - value: "{{ resetlockoutcount }}" +- name: 
"SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + block: + - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + assert: + that: resetlockoutcount | int is version('15', '>=') + fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 1.2.3 | PATCH | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" + win_security_policy: + section: System Access + key: ResetLockoutCount + value: "{{ resetlockoutcount }}" when: rule_1_2_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_1.2.3 - patch diff --git a/tasks/section02.yml b/tasks/section02.yml index e605865..e949a67 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml 
@@ -1,43 +1,60 @@ --- -- name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" +- name: "SCORED | 2.2.1 | PATCH | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" win_user_right: name: SeTrustedCredManAccessPrivilege users: action: set when: rule_2_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.1 - patch -- name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" +- name: "SCORED | 2.2.2 | PATCH | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" win_user_right: name: SeNetworkLogonRight users: - Administrators - Authenticated Users + - ENTERPRISE DOMAIN CONTROLLERS action: set when: - - rule_2_2_2 or rule_2_2_3 + - rule_2_2_2 + - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller1 - rule_2.2.2 + - patch + +- name: "SCORED | 2.2.3 | PATCH | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" + win_user_right: + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set + when: + - rule_2_2_3 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver - rule_2.2.3 - patch -- name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" +- name: "SCORED | 2.2.4 | PATCH | (L1) Ensure 'Act as part of the operating system' is set to 'No One'" win_user_right: name: SeTcbPrivilege users: action: set when: rule_2_2_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.4 - patch -- name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" +- name: "SCORED | 
2.2.5 | PATCH | (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" win_user_right: name: SeMachineAccountPrivilege users: Administrators @@ -46,10 +63,11 @@ - rule_2_2_5 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.5 - patch -- name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" +- name: "SCORED | 2.2.6 | PATCH | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" win_user_right: name: SeIncreaseQuotaPrivilege users: @@ -59,12 +77,12 @@ action: set when: rule_2_2_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.6 - patch -- name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" +- name: "SCORED | 2.2.7 | PATCH | (L1) Ensure 'Allow log on locally' is set to 'Administrators'" win_user_right: name: SeInteractiveLogonRight users: 
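Review bot: The new 2.2.3 task is guarded by `not ansible_windows_domain_role == "Primary domain controller"`, which also matches additional domain controllers (they report `Backup domain controller`) and stand-alone servers, so on a second DC it would reset SeNetworkLogonRight without ENTERPRISE DOMAIN CONTROLLERS; the same guard is used for 2.2.9 in the next hunk, where it would grant Remote Desktop Users RDP logon on that DC. Use the member-server test the file already uses elsewhere, `- ansible_windows_domain_role == "Member server"` (as 2.2.18 does) or `- ansible_windows_domain_member` (as 2.2.21 does), in both places. Conversely the DC-only guard `ansible_windows_domain_role == "Primary domain controller"` never matches an additional DC, so neither 2.2.2 nor 2.2.3 would set the right there. Separately, the 2.2.2 task is tagged `level1-domaincontroller1`, a typo that makes `--tags level1-domaincontroller` skip that rule; it should be `- level1-domaincontroller`.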
@@ -72,26 +90,41 @@ action: set when: rule_2_2_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.7 - patch -- name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" +- name: "SCORED | 2.2.8 | PATCH | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" win_user_right: name: SeRemoteInteractiveLogonRight users: - Administrators - - Remote Desktop Users action: set when: - - rule_2_2_8 or rule_2_2_9 + - rule_2_2_8 + - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.8 + - patch + +- name: "SCORED | 2.2.9 | PATCH | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (MS only)" + win_user_right: + name: SeRemoteInteractiveLogonRight + users: + - Administrators + - Remote Desktop Users + action: set + when: + - rule_2_2_9 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver - rule_2.2.9 - patch -- name: "SCORED | 2.2.10 | PATCH | L1 Ensure Back up files and directories is set to Administrators" +- name: "SCORED | 2.2.10 | PATCH | (L1) Ensure 'Back up files and directories' is set to 'Administrators'" win_user_right: name: SeBackupPrivilege users: @@ -99,12 +132,12 @@ action: set when: rule_2_2_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.10 - patch -- name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" +- name: "SCORED | 2.2.11 | PATCH | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" win_user_right: name: SeSystemTimePrivilege users: 
@@ -113,12 +146,12 @@ action: set when: rule_2_2_11 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.11 - patch -- name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" +- name: "SCORED | 2.2.12 | PATCH | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" win_user_right: name: SeTimeZonePrivilege users: @@ -127,12 +160,12 @@ action: set when: rule_2_2_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.12 - patch -- name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" +- name: "SCORED | 2.2.13 | PATCH | (L1) Ensure 'Create a pagefile' is set to 'Administrators'" win_user_right: name: SeCreatePagefilePrivilege users: @@ -140,24 +173,24 @@ action: set when: rule_2_2_13 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.13 - patch -- name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" +- name: "SCORED | 2.2.14 | PATCH | (L1) Ensure 'Create a token object' is set to 'No One'" win_user_right: name: SeCreateTokenPrivilege users: action: set when: rule_2_2_14 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.14 - patch -- name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" +- name: "SCORED | 2.2.15 | PATCH | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" win_user_right: name: SeCreateGlobalPrivilege users: 
@@ -168,24 +201,24 @@ action: set when: rule_2_2_15 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.15 - patch -- name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" +- name: "SCORED | 2.2.16 | PATCH | (L1) Ensure 'Create permanent shared objects' is set to 'No One'" win_user_right: name: SeCreatePermanentPrivilege users: action: set when: rule_2_2_16 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.16 - patch -- name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" +- name: "SCORED | 2.2.17 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -195,10 +228,11 @@ - rule_2_2_17 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.17 - patch -- name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" +- name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only)" win_user_right: name: SeCreateSymbolicLinkPrivilege users: @@ -209,12 +243,11 @@ - rule_2_2_18 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.18 - patch -- name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" +- name: "SCORED | 2.2.19 | PATCH | (L1) Ensure 'Debug programs' is set to 'Administrators'" win_user_right: name: SeDebugPrivilege users: 
@@ -222,13 +255,13 @@ action: set when: rule_2_2_19 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.19 - patch #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes -- name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" +- name: "SCORED | 2.2.20 | PATCH | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" win_user_right: name: SeDenyNetworkLogonRight users: @@ -238,10 +271,11 @@ - rule_2_2_20 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.20 - patch -- name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" +- name: "SCORED | 2.2.21 | PATCH | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)" win_user_right: name: SeDenyNetworkLogonRight users: @@ -253,12 +287,11 @@ - rule_2_2_21 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.21 - patch -- name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" +- name: "SCORED | 2.2.22 | PATCH | (L1) Ensure 'Deny log on as a batch job' to include 'Guests'" win_user_right: name: SeDenyBatchLogonRight users: @@ -266,12 +299,12 @@ action: set when: rule_2_2_22 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.22 - patch -- name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" +- name: "SCORED | 2.2.23 | PATCH | (L1) Ensure 'Deny log on as a service' to include 'Guests'" win_user_right: name: SeDenyServiceLogonRight users: 
@@ -279,12 +312,12 @@ action: set when: rule_2_2_23 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.23 - patch -- name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" +- name: "SCORED | 2.2.24 | PATCH | (L1) Ensure 'Deny log on locally' to include 'Guests'" win_user_right: name: SeDenyInteractiveLogonRight users: @@ -292,12 +325,12 @@ action: set when: rule_2_2_24 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.24 - patch -- name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" +- name: "SCORED | 2.2.25 | PATCH | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -308,10 +341,11 @@ - rule_2_2_25 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.25 - patch -- name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" +- name: "SCORED | 2.2.26 | PATCH | (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" win_user_right: name: SeDenyRemoteInteractiveLogonRight users: @@ -322,12 +356,11 @@ - rule_2_2_26 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.26 - patch -- name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" +- name: "SCORED | 2.2.27 | PATCH | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" win_user_right: name: SeEnableDelegationPrivilege users: Administrators 
@@ -336,10 +369,11 @@ - rule_2_2_27 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.27 - patch -- name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" +- name: "SCORED | 2.2.28 | PATCH | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (MS only)" win_user_right: name: SeEnableDelegationPrivilege users: @@ -348,12 +382,11 @@ - rule_2_2_28 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.28 - patch -- name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" +- name: "SCORED | 2.2.29 | PATCH | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" win_user_right: name: SeRemoteShutdownPrivilege users: @@ -361,12 +394,12 @@ action: set when: rule_2_2_29 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.29 - patch -- name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" +- name: "SCORED | 2.2.30 | PATCH | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" win_user_right: name: SeAuditPrivilege users: @@ -375,12 +408,12 @@ action: set when: rule_2_2_30 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.30 - patch -- name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" +- name: "SCORED | 2.2.31 | PATCH | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" win_user_right: name: SeImpersonatePrivilege users: 
@@ -393,10 +426,11 @@ - rule_2_2_31 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.31 - patch -- name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" +- name: "SCORED | 2.2.32 | PATCH | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)" win_user_right: name: SeImpersonatePrivilege users: @@ -410,12 +444,11 @@ - rule_2_2_32 - ansible_windows_domain_member tags: - - level1 - - level2 + - level1-memberserver - rule_2.2.32 - patch -- name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators" +- name: "SCORED | 2.2.33 | PATCH | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'" win_user_right: name: SeIncreaseBasePriorityPrivilege users: @@ -423,12 +456,12 @@ action: set when: rule_2_2_33 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.33 - patch -- name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" +- name: "SCORED | 2.2.34 | PATCH | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" win_user_right: name: SeLoadDriverPrivilege users: 
@@ -436,24 +469,24 @@ action: set when: rule_2_2_34 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.34 - patch -- name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" +- name: "SCORED | 2.2.35 | PATCH | (L1) Ensure 'Lock pages in memory' is set to 'No One'" win_user_right: name: SeLockMemoryPrivilege users: action: set when: rule_2_2_35 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.35 - patch -- name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" +- name: "SCORED | 2.2.36 | PATCH | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" win_user_right: name: SeBatchLogonRight users: Administrators @@ -462,10 +495,11 @@ - rule_2_2_36 - ansible_windows_domain_role == "Primary domain controller" tags: + - level2-domaincontroller - rule_2.2.36 - patch -- name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" +- name: "SCORED | 2.2.37 (DC) & 2.2.38 (MS) | PATCH | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers'" win_user_right: name: SeSecurityPrivilege users: 
@@ -474,23 +508,25 @@ when: - rule_2_2_37 or rule_2_2_38 tags: + - level1-domaincontroller + - level1-memberserver - rule_2.2.37 - rule_2.2.38 - patch -- name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" +- name: "SCORED | 2.2.39 | PATCH | (L1) Ensure 'Modify an object label' is set to 'No One'" win_user_right: name: SeReLabelPrivilege users: action: set when: rule_2_2_39 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.39 - patch -- name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" +- name: "SCORED | 2.2.40 | PATCH | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" win_user_right: name: SeSystemEnvironmentPrivilege users: @@ -498,12 +534,12 @@ action: set when: rule_2_2_40 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.40 - patch -- name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" +- name: "SCORED | 2.2.41 | PATCH | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" win_user_right: name: SeManageVolumePrivilege users: @@ -511,12 +547,12 @@ action: set when: rule_2_2_41 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.41 - patch -- name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" +- name: "SCORED | 2.2.42 | PATCH | (L1) Ensure 'Profile single process' is set to 'Administrators'" win_user_right: name: SeProfileSingleProcessPrivilege users: 
@@ -524,12 +560,12 @@ action: set when: rule_2_2_42 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.42 - patch -- name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" +- name: "SCORED | 2.2.43 | PATCH | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE/WdiServiceHost'" win_user_right: name: SeSystemProfilePrivilege users: @@ -538,12 +574,12 @@ action: set when: rule_2_2_43 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.43 - patch -- name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" +- name: "SCORED | 2.2.44 | PATCH | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" win_user_right: name: SeAssignPrimaryTokenPrivilege users: @@ -552,12 +588,12 @@ action: set when: rule_2_2_44 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.44 - patch -- name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" +- name: "SCORED | 2.2.45 | PATCH | (L1) Ensure 'Restore files and directories' is set to 'Administrators'" win_user_right: name: SeRestorePrivilege users: @@ -565,12 +601,12 @@ action: set when: rule_2_2_45 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.45 - patch -- name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" +- name: "SCORED | 2.2.46 | PATCH | (L1) Ensure 'Shut down the system' is set to 'Administrators'" win_user_right: name: SeShutdownPrivilege users: 
@@ -578,12 +614,12 @@ action: set when: rule_2_2_46 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.46 - patch -- name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only" +- name: "SCORED | 2.2.47 | PATCH | (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" win_user_right: name: SeSyncAgentPrivilege users: @@ -592,10 +628,11 @@ - rule_2_2_47 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.2.47 - patch -- name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" +- name: "SCORED | 2.2.48 | PATCH | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" win_user_right: name: SeTakeOwnershipPrivilege users: @@ -603,12 +640,12 @@ action: set when: rule_2_2_48 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.2.48 - patch -- name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" +- name: "SCORED | 2.3.1.1 | PATCH | (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only)" win_security_policy: section: System Access key: EnableAdminAccount @@ -617,12 +654,11 @@ - rule_2_3_1_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.1.1 - patch -- name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" +- name: "SCORED | 2.3.1.2 | PATCH | (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: NoConnectedUser 
@@ -630,24 +666,25 @@ type: dword when: rule_2_3_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.2 - patch -- name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" +- name: "SCORED | 2.3.1.3 | PATCH | (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" win_security_policy: section: System Access key: EnableGuestAccount value: 0 - when: rule_2_3_1_3 + when: + - rule_2_3_1_3 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.1.3 - patch -- name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" +- name: "SCORED | 2.3.1.4 | PATCH | (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LimitBlankPasswordUse 
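Review bot: The new `- not ansible_windows_domain_role == "Primary domain controller"` guard on 2.3.1.3 is the negation of the DC check rather than a member-server check, so hosts whose fact reports another role (the setup module can also return values such as "Backup domain controller" or "Stand-alone server") receive an MS-only setting. The other MS-only tasks in this file (2.3.7.8, 2.3.9.5, 2.3.10.2, 2.3.10.3, 2.3.10.7) use `- ansible_windows_domain_role == "Member server"`, and the same inconsistency appears in the new conditions added to 2.3.7.6 and 2.3.10.11 further down. Suggest `- ansible_windows_domain_role == "Member server"` in all three places, or a documented decision on which role values count as member servers. Disabling the Guest account on an additional DC is low risk, but 2.3.10.11 writes RestrictRemoteSAM, a control the benchmark title itself marks as MS only, so the role test there should be precise.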
@@ -655,36 +692,39 @@ type: dword when: rule_2_3_1_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.4 - patch -- name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" +- name: "SCORED | 2.3.1.5 | PATCH | (L1) Configure 'Accounts: Rename administrator account'" win_security_policy: section: System Access key: newadministratorname value: GeorgeSharp - when: rule_2_3_1_5 + when: + - rule_2_3_1_5 + - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.5 - patch -- name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account" +- name: "SCORED | 2.3.1.6 | PATCH | (L1) Configure 'Accounts: Rename guest account'" win_security_policy: section: System Access key: NewGuestName value: BobCooper - when: rule_2_3_1_6 + when: + - rule_2_3_1_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.1.6 - patch -- name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" +- name: "SCORED | 2.3.2.1 | PATCH | (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: SCENoApplyLegacyAuditPolicy @@ -692,12 +732,12 @@ type: dword when: rule_2_3_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.2.1 - patch -- name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" +- name: "SCORED | 2.3.2.2 | PATCH | (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: CrashOnAuditFail 
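Review bot: The new `- not win_skip_for_test` condition on 2.3.1.5 is driven by `win_skip_for_test: true` in defaults/main.yml (added in this same commit), so the administrator-rename control is skipped for every consumer out of the box, not only in test runs, even though `rule_2_3_1_5: true` suggests it is enabled. Either default the variable to `false` and set it to true only in the test inventory, or give it a name and a comment next to `rule_2_3_1_5` that make the effect obvious. The sibling 2.3.1.6 guest-rename task gets no such guard (its `when` is only reshaped into a one-item list), so the two rename controls behave differently under the same variable. The replacement names `GeorgeSharp` and `BobCooper` remain hard-coded literals; exposing them as role variables would let consumers pick names that are not published in a public repository.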
@@ -705,12 +745,12 @@ type: dword when: rule_2_3_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.2.2 - patch -- name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" +- name: "SCORED | 2.3.4.1 | PATCH | (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: AllocateDASD @@ -718,12 +758,12 @@ type: string when: rule_2_3_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.4.1 - patch -- name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" +- name: "SCORED | 2.3.4.2 | PATCH | (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers name: AddPrinterDrivers @@ -731,12 +771,12 @@ type: dword when: rule_2_3_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.4.2 - patch -- name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" +- name: "SCORED | 2.3.5.1 | PATCH | (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: SubmitControl 
@@ -746,10 +786,11 @@ - rule_2_3_5_1 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.1 - patch -- name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" +- name: "SCORED | 2.3.5.2 | PATCH | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" win_regedit: path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters name: LDAPServerIntegrity @@ -759,10 +800,11 @@ - rule_2_3_5_2 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.2 - patch -- name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" +- name: "SCORED | 2.3.5.3 | PATCH | (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'" win_regedit: path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters name: RefusePasswordChange @@ -772,10 +814,11 @@ - rule_2_3_5_3 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.5.3 - patch -- name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" +- name: "SCORED | 2.3.6.1 | PATCH | (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: RequireSignOrSeal 
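Review bot: The new name for 2.3.5.3 drops the `(DC only)` suffix that 2.3.5.1 and 2.3.5.2 keep in this hunk, while its `when` still requires `ansible_windows_domain_role == "Primary domain controller"` and it gains the `level1-domaincontroller` tag, so the task name and its scope now disagree. If the control is still DC-scoped, restore the suffix: `- name: "SCORED | 2.3.5.3 | PATCH | (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled' (DC only)"`; if it was meant to apply everywhere, the `when` and tags need changing instead. Each 2.3.5.x task begins or ends outside the visible hunk lines.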
@@ -785,12 +828,12 @@ - rule_2_3_6_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.1 - patch -- name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" +- name: "SCORED | 2.3.6.2 | PATCH | (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: sealsecurechannel @@ -800,12 +843,12 @@ - rule_2_3_6_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.2 - patch -- name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" +- name: "SCORED | 2.3.6.3 | PATCH | (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: signsecurechannel @@ -813,14 +856,13 @@ type: dword when: - rule_2_3_6_3 - - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.3 - patch -- name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" +- name: "SCORED | 2.3.6.4 | PATCH | (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: disablepasswordchange 
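Review bot: 2.3.6.1 and 2.3.6.2 gain the `level1-domaincontroller` tag but keep the `- not ansible_windows_domain_role == "Primary domain controller"` condition, so a run selected by that tag still skips RequireSignOrSeal and sealsecurechannel on the domain controller; the tag promises coverage the `when` prevents. 2.3.6.3 and 2.3.6.4 in this hunk, and 2.3.6.5 and 2.3.6.6 in the next, remove that condition so the Domain member secure-channel settings apply to DCs as well, and the first two should presumably follow by dropping the `not ...` line. If the exclusion is deliberate, the `level1-domaincontroller` tag should not be added to them. Both task bodies start before the hunk.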
@@ -828,14 +870,13 @@ type: dword when: - rule_2_3_6_4 - - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.4 - patch -- name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" +- name: "SCORED | 2.3.6.5 | PATCH | (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: MaximumPasswordAge @@ -843,14 +884,13 @@ type: dword when: - rule_2_3_6_5 - - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.5 - patch -- name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" +- name: "SCORED | 2.3.6.6 | PATCH | (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters name: RequireStrongKey @@ -858,14 +898,13 @@ type: dword when: - rule_2_3_6_6 - - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.6.6 - patch -- name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" +- name: "SCORED | 2.3.7.1 | PATCH | (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DontDisplayLastUserName 
@@ -873,12 +912,12 @@ type: dword when: rule_2_3_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.1 - patch -- name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" +- name: "SCORED | 2.3.7.2 | PATCH | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableCAD @@ -886,12 +925,12 @@ type: dword when: rule_2_3_7_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.2 - patch -- name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" +- name: "SCORED | 2.3.7.3 | PATCH | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: InactivityTimeoutSecs @@ -899,12 +938,12 @@ type: dword when: rule_2_3_7_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.3 - patch -- name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" +- name: "SCORED | 2.3.7.4 | PATCH | (L1) Configure 'Interactive logon: Message text for users attempting to log on'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeText 
@@ -912,12 +951,12 @@ type: string when: rule_2_3_7_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.4 - patch -- name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" +- name: "SCORED | 2.3.7.5 | PATCH | (L1) Configure 'Interactive logon: Message title for users attempting to log on'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: LegalNoticeCaption @@ -925,24 +964,26 @@ type: string when: rule_2_3_7_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.5 - patch -- name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" +- name: "SCORED | 2.3.7.6 | PATCH | (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: cachedlogonscount data: 1 type: string - when: rule_2_3_7_6 + when: + - rule_2_3_7_6 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2 + - level2-memberserver - rule_2.3.7.6 - patch -- name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" +- name: "SCORED | 2.3.7.7 | PATCH | (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: PasswordExpiryWarning 
@@ -950,12 +991,12 @@ type: dword when: rule_2_3_7_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.7 - patch -- name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" +- name: "SCORED | 2.3.7.8 | PATCH | (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: ForceUnlockLogon @@ -965,12 +1006,11 @@ - rule_2_3_7_8 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.7.8 - patch -- name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" +- name: "SCORED | 2.3.7.9 | PATCH | (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: scremoveoption @@ -978,12 +1018,12 @@ type: string when: rule_2_3_7_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.7.9 - patch -- name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" +- name: "SCORED | 2.3.8.1 | PATCH | (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: RequireSecuritySignature 
@@ -991,12 +1031,12 @@ type: dword when: rule_2_3_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.1 - patch -- name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" +- name: "SCORED | 2.3.8.2 | PATCH | (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnableSecuritySignature @@ -1004,12 +1044,12 @@ type: dword when: rule_2_3_8_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.2 - patch -- name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" +- name: "SCORED | 2.3.8.3 | PATCH | (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters name: EnablePlainTextPassword @@ -1017,12 +1057,12 @@ type: dword when: rule_2_3_8_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.8.3 - patch -- name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" +- name: "SCORED | 2.3.9.1 | PATCH | (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: autodisconnect 
@@ -1030,12 +1070,12 @@ type: dword when: rule_2_3_9_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.1 - patch -- name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled" +- name: "SCORED | 2.3.9.2 | PATCH | (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: requiresecuritysignature @@ -1043,12 +1083,12 @@ type: dword when: rule_2_3_9_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.2 - patch -- name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" +- name: "SCORED | 2.3.9.3 | PATCH | (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: enablesecuritysignature @@ -1056,12 +1096,12 @@ type: dword when: rule_2_3_9_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.3 - patch -- name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" +- name: "SCORED | 2.3.9.4 | PATCH | (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: enableforcedlogoff 
@@ -1069,12 +1109,12 @@ type: dword when: rule_2_3_9_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.9.4 - patch -- name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" +- name: "SCORED | 2.3.9.5 | PATCH | (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: SMBServerNameHardeningLevel @@ -1084,24 +1124,23 @@ - rule_2_3_9_5 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.9.5 - patch -- name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled" +- name: "SCORED | 2.3.10.1 | PATCH | (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" win_security_policy: section: System Access key: LSAAnonymousNameLookup value: 0 when: rule_2_3_10_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.1 - patch -- name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" +- name: "SCORED | 2.3.10.2 | PATCH | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: RestrictAnonymousSAM 
@@ -1111,12 +1150,11 @@ - rule_2_3_10_2 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.2 - patch -- name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" +- name: "SCORED | 2.3.10.3 | PATCH | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: RestrictAnonymous @@ -1126,12 +1164,11 @@ - rule_2_3_10_3 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.3 - patch -- name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" +- name: "SCORED | 2.3.10.4 | PATCH | (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: DisableDomainCreds @@ -1139,11 +1176,12 @@ type: dword when: rule_2_3_10_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_2.3.10.4 - patch -- name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" +- name: "SCORED | 2.3.10.5 | PATCH | (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: EveryoneIncludesAnonymous 
@@ -1151,12 +1189,12 @@ type: dword when: rule_2_3_10_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.5 - patch -- name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only" +- name: "SCORED | 2.3.10.6 | PATCH | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes @@ -1166,10 +1204,11 @@ - rule_2_3_10_6 - ansible_windows_domain_role == "Primary domain controller" tags: + - level1-domaincontroller - rule_2.3.10.6 - patch -- name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only" +- name: "SCORED | 2.3.10.7 | PATCH | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionPipes @@ -1179,12 +1218,11 @@ - rule_2_3_10_7 - ansible_windows_domain_role == "Member server" tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.7 - patch -- name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths" +- name: "SCORED | 2.3.10.8 | PATCH | (L1) Configure 'Network access: Remotely accessible registry paths'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths name: "Machine" 
@@ -1192,12 +1230,12 @@ type: multistring when: rule_2_3_10_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.8 - patch -- name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths" +- name: "SCORED | 2.3.10.9 | PATCH | (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths name: "Machine" @@ -1205,12 +1243,12 @@ type: multistring when: rule_2_3_10_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.9 - patch -- name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" +- name: "SCORED | 2.3.10.10 | PATCH | (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: RestrictNullSessAccess 
@@ -1218,25 +1256,26 @@ type: dword when: rule_2_3_10_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.10 - patch -- name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" +- name: "SCORED | 2.3.10.11 | PATCH | (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" win_regedit: path: HKLM:\System\CurrentControlSet\Control\Lsa name: RestrictRemoteSAM data: "O:BAG:BAD:(A;;RC;;;BA)" type: string - when: rule_2_3_10_11 + when: + - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_10_11 tags: - - level1 - - level2 + - level1-memberserver - rule_2.3.10.11 - patch -- name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None" +- name: "SCORED | 2.3.10.12 | PATCH | (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters name: NullSessionShares @@ -1244,12 +1283,12 @@ type: multistring when: rule_2_3_10_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.12 - patch -- name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" +- name: "SCORED | 2.3.10.13 | PATCH | (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: ForceGuest 
@@ -1257,12 +1296,12 @@ type: dword when: rule_2_3_10_13 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.10.13 - patch -- name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" +- name: "SCORED | 2.3.11.1 | PATCH | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: UseMachineId @@ -1270,12 +1309,12 @@ type: dword when: rule_2_3_11_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.1 - patch -- name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" +- name: "SCORED | 2.3.11.2 | PATCH | (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: allownullsessionfallback @@ -1283,12 +1322,12 @@ type: dword when: rule_2_3_11_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.2 - patch -- name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" +- name: "SCORED | 2.3.11.3 | PATCH | (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U name: AllowOnlineID 
@@ -1296,12 +1335,12 @@ type: dword when: rule_2_3_11_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.3 - patch -- name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" +- name: "SCORED | 2.3.11.4 | PATCH | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters name: SupportedEncryptionTypes @@ -1309,12 +1348,12 @@ type: dword when: rule_2_3_11_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.4 - patch -- name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" +- name: "SCORED | 2.3.11.5 | PATCH | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: NoLMHash @@ -1322,12 +1361,12 @@ type: dword when: rule_2_3_11_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.5 - patch -- name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled" +- name: "NOTSCORED | 2.3.11.6 | PATCH | (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" win_regedit: path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters name: EnableForcedLogOff 
@@ -1335,12 +1374,12 @@ type: dword when: rule_2_3_11_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.6 - patch -- name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" +- name: "SCORED | 2.3.11.7 | PATCH | (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa name: LMCompatibilityLevel @@ -1348,12 +1387,12 @@ type: dword when: rule_2_3_11_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.7 - patch -- name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" +- name: "SCORED | 2.3.11.8 | PATCH | (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Ldap name: LDAPClientIntegrity @@ -1361,12 +1400,12 @@ type: dword when: rule_2_3_11_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.8 - patch -- name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "SCORED | 2.3.11.9 | PATCH | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinClientSec 
@@ -1374,12 +1413,12 @@ type: dword when: rule_2_3_11_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.9 - patch -- name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" +- name: "SCORED | 2.3.11.10 | PATCH | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 name: NTLMMinServerSec @@ -1387,12 +1426,12 @@ type: dword when: rule_2_3_11_10 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.11.10 - patch -- name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" +- name: "SCORED | 2.3.13.1 | PATCH | (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: ShutdownWithoutLogon @@ -1400,12 +1439,12 @@ type: dword when: rule_2_3_13_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.13.1 - patch -- name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" +- name: "SCORED | 2.3.15.1 | PATCH | (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel name: ObCaseInsensitive 
@@ -1413,12 +1452,12 @@ type: dword when: rule_2_3_15_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.15.1 - patch -- name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" +- name: "SCORED | 2.3.15.2 | PATCH | (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager name: ProtectionMode @@ -1426,12 +1465,12 @@ type: dword when: rule_2_3_15_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.15.2 - patch -- name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" +- name: "SCORED | 2.3.17.1 | PATCH | (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: FilterAdministratorToken @@ -1439,12 +1478,12 @@ type: dword when: rule_2_3_17_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.1 - patch -- name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" +- name: "SCORED | 2.3.17.2 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: EnableUIADesktopToggle 
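Review bot: 2.3.17.2 is retitled to the 'Behavior of the elevation prompt for administrators in Admin Approval Mode' control, but the task still writes `name: EnableUIADesktopToggle`, the value behind the former 'Allow UIAccess applications to prompt for elevation without using the secure desktop' rule; the value for the new title is `ConsentPromptBehaviorAdmin`, which the next hunk removes from 2.3.17.3 without re-adding it anywhere, so after this commit the administrator consent prompt is no longer configured at all. The task's `data` line is outside this hunk; it needs `name: ConsentPromptBehaviorAdmin` with `data: 2` ('Prompt for consent on the secure desktop', the value the old 2.3.17.3 task carried). If the UIAccess toggle is still wanted it should keep its own rule id and title rather than sit under this one.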
@@ -1452,80 +1491,80 @@ type: dword when: rule_2_3_17_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.2 - patch -- name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" +- name: "SCORED | 2.3.17.3 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorAdmin + name: ConsentPromptBehaviorUser data: 2 type: dword when: rule_2_3_17_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.3 - patch -- name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" +- name: "SCORED | 2.3.17.4 | PATCH | (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorUser - data: 0 + name: EnableInstallerDetection + data: 1 type: dword when: rule_2_3_17_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.4 - patch -- name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" +- name: "SCORED | 2.3.17.5 | PATCH | (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableInstallerDetection + name: EnableSecureUIAPaths data: 1 type: dword when: rule_2_3_17_5 tags: - - level1 - - level2 + - 
level1-domaincontroller + - level1-memberserver - rule_2.3.17.5 - patch -- name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" +- name: "SCORED | 2.3.17.6 | PATCH | (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableSecureUIAPaths + name: EnableLUA data: 1 type: dword when: rule_2_3_17_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.6 - patch -- name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" +- name: "SCORED | 2.3.17.7 | PATCH | (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableLUA + name: PromptOnSecureDesktop data: 1 type: dword when: rule_2_3_17_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_2.3.17.7 - patch -- name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" +- name: "SCORED | 2.3.17.8 | PATCH | (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: PromptOnSecureDesktop + name: EnableVirtualization data: 1 type: dword when: rule_2_3_17_8 
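Review bot: The retitled 2.3.17.3 task now writes `ConsentPromptBehaviorUser` but keeps the context line `data: 2`, which was the admin-prompt value; 'Automatically deny elevation requests' is `data: 0`, exactly what the removed 2.3.17.4 task wrote for this value, so standard users are left with a non-denying setting instead of the benchmark one. The other value names shifted by one rule id in this hunk (2.3.17.4 → EnableInstallerDetection through 2.3.17.8 → EnableVirtualization) each keep `data: 1`, which is correct for their new names, so only 2.3.17.3 is affected. Separately, the context of the following hunk shows 2.3.17.8 still tagged `level1`/`level2` while every other task here moved to `level1-domaincontroller`/`level1-memberserver`, so a run filtered on the new tags would skip EnableVirtualization; the tags lines of 2.3.17.8 lie outside this hunk.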
@@ -1534,18 +1573,3 @@ - level2 - rule_2.3.17.8 - patch - -- name: "SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableVirtualization - data: 1 - type: dword - when: rule_2_3_17_9 - tags: - - level1 - - level2 - - rule_2.3.17.9 - - patch - - diff --git a/tasks/section09.yml b/tasks/section09.yml new file mode 100644 index 0000000..8bef659 --- /dev/null +++ b/tasks/section09.yml 
@@ -0,0 +1,364 @@ +--- +- name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: EnableFirewall + data: 1 + type: dword + when: + - rule_9_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.1 + - patch + +- name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultInboundAction + data: 1 + type: dword + when: + - rule_9_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.2 + - patch + +- name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultOutboundAction + data: 0 + type: dword + when: + - rule_9_1_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.3 + - patch + +- name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DisableNotifications + data: 0 + type: dword + when: + - rule_9_1_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.4 + - patch + +# title has slashes switched +- name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFilePath + data: '{{ domain_firewall_log_path }}' + type: string + when: + - rule_9_1_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.5 + - patch + +- name: "SCORED | 
9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFileSize + data: '{{ domain_firewall_log_size }}' + type: dword + when: + - rule_9_1_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.6 + - patch + +- name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword + when: + - rule_9_1_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.7 + - patch + +- name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword + when: + - rule_9_1_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.1.8 + - patch + +- name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" + win_firewall: + state: enabled + profile: Private + when: + - rule_9_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.1 + - patch + +- name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultInboundAction + data: 1 + type: dword + when: + - rule_9_2_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.2 + - patch + +- name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" + win_regedit: + path: 
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultOutboundAction + data: 0 + type: dword + when: + - rule_9_2_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.3 + - patch + +- name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DisableNotifications + data: 0 + type: dword + when: + - rule_9_2_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.4 + - patch + +# title has slashes switched +- name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFilePath + data: '{{ private_firewall_log_path }}' + type: string + when: + - rule_9_2_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.5 + - patch + +- name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFileSize + data: '{{ private_firewall_log_size }}' + type: dword + when: + - rule_9_2_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.6 + - patch + +- name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword + when: + - rule_9_2_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.7 + - patch + +- name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" 
+ win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword + when: + - rule_9_2_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.2.8 + - patch + +- name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" + win_firewall: + state: enabled + profile: Public + when: + - rule_9_3_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.1 + - patch + +- name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultInboundAction + data: 1 + type: dword + when: + - rule_9_3_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.2 + - patch + +- name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultOutboundAction + data: 0 + type: dword + when: + - rule_9_3_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.3 + - patch + +- name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DisableNotifications + data: 0 + type: dword + when: + - rule_9_3_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.4 + - patch + +- name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalPolicyMerge + data: 0 + type: dword + when: + - rule_9_3_5 + - not win_skip_for_test + tags: + - 
level1-domaincontroller + - level1-memberserver + - rule_9.3.5 + - patch + +- name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalIPsecPolicyMerge + data: 0 + type: dword + when: + - rule_9_3_6 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.6 + - patch + +# title has slashes switched +- name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFilePath + data: '{{ public_firewall_log_path }}' + type: string + when: + - rule_9_3_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.7 + - patch + +- name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFileSize + data: '{{ public_firewall_log_size }}' + type: dword + when: + - rule_9_3_8 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.8 + - patch + +- name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword + when: + - rule_9_3_9 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.9 + - patch + +- name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogSuccessfulConnections + data: 1 + 
type: dword + when: + - rule_9_3_10 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_9.3.10 + - patch diff --git a/tasks/section17.yml b/tasks/section17.yml index ab2d25b..420d6c6 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml @@ -1,18 +1,12 @@ --- -- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_1_1 - tags: - - level1 - - level2 - - rule_17.1.1 - - audit - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure" block: + - name: "SCORED | 17.1.1 | AUDIT | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_1_audit + changed_when: no + failed_when: false + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable when: "'Success' not in rule_17_1_1_audit.stdout" 
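Review bot: 9.1.4, 9.2.4 and 9.3.4 write `DisableNotifications` with `data: 0`, which leaves notifications enabled; the benchmark setting 'Display a notification: No' corresponds to `data: 1` for this value, so all three tasks currently enforce the opposite of their title. The `- not win_skip_for_test` guard on 9.3.5, together with the `win_skip_for_test: true` default added in defaults/main.yml, means `AllowLocalPolicyMerge` is never set unless a consumer overrides that variable; a test-only skip belongs in the test inventory, or the default should be `false`. 9.1.1 enforces the Domain profile through the policy key while 9.2.1/9.3.1 use `win_firewall`, which as far as I can tell sets the live profile state rather than the policy value the other 9.x tasks write; using `win_regedit` on `EnableFirewall` for all three profiles keeps the section consistent. The `# title has slashes switched` comments would be clearer as `# benchmark title shows forward slashes; the path written comes from domain_firewall_log_path` (and the private/public equivalents).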
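Review bot: The audit sub-task for 17.1.1 now uses `failed_when: false`, so when `AuditPol /get` fails or its CSV header is not parsed, `rule_17_1_1_audit.stdout` is empty and both `/set` sub-tasks run and report changed on every play; `changed_when: no` should also be written `changed_when: false`, since the `yes`/`no` forms are YAML 1.1 only. The same AuditPol pattern continues in the next hunk, which runs past the end of this chunk: the 'Set for failure' sub-tasks of 17.1.2 and 17.1.3 there execute `/success:enable` under a `'Failure' not in ... stdout` condition, so Kerberos failure auditing is never enabled on DCs; they need `/failure:enable`, as the 17.2.1 'Failure' sub-task already uses.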
@@ -24,742 +18,687 @@ changed_when: "'Failure' not in rule_17_1_1_audit.stdout" when: - rule_17_1_1 - - rule_17_1_1_audit is defined - - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_1_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.1.1 - patch -- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_1 +- name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" + block: + - name: "SCORED | 17.1.2 | audit | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_2_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for success" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Success' not in rule_17_1_2_audit.stdout" + + - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for failure" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Failure' not in rule_17_1_2_audit.stdout" + when: + - rule_17_1_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_17.2.1 - - audit + - level1-domaincontroller + - rule_17.1.2 + - patch + - notimplemented -- name: 
"SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure" +- name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" block: - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success" + - name: "SCORED | 17.1.3 | audit | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_1_3_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for success" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Success' not in rule_17_1_3_audit.stdout" + + - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for failure" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Failure' not in rule_17_1_3_audit.stdout" + when: + - rule_17_1_3 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_17.1.3 + - patch + - notimplemented + +- name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" + block: + - name: "SCORED | 17.2.1 | AUDIT | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_1_audit + changed_when: no + failed_when: false + + - name: "SCORED 
| 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in rule_17_2_1_audit.stdout" changed_when: "'Success' not in rule_17_2_1_audit.stdout" - - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure" + - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable when: "'Failure' not in rule_17_2_1_audit.stdout" changed_when: "'Failure' not in rule_17_2_1_audit.stdout" when: - rule_17_2_1 - - rule_17_2_1_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.1 - patch -- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_17.2.2 - - audit - -- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable +- name: "SCORED | 17.2.2 | AUDIT | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.2.2 | AUDIT | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Computer 
Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_2_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.2.2 | PATCH | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + when: "'Success' not in rule_17_2_2_audit.stdout" when: - rule_17_2_2 - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_2_audit is defined - - "'Success' not in rule_17_2_2_audit.stdout" - changed_when: "'Success' not in rule_17_2_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.2 - patch -- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_3_audit - changed_when: no - ignore_errors: yes +- name: "SCORED | 17.2.3 | AUDIT | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.2.3 | AUDIT | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_3_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.2.3 | PATCH | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + when: "'Success' not in rule_17_2_3_audit.stdout" when: - - ansible_windows_domain_role == "Primary domain controller" - rule_17_2_3 - tags: - - rule_17.2.3 - - audit - -- name: "SCORED | 17.2.3 | PATCH | L1 Ensure 
Audit Distribution Group Management is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable - when: - ansible_windows_domain_role == "Primary domain controller" - - rule_17_2_3 - - rule_17_2_3_audit is defined - - "'Success' not in rule_17_2_3_audit.stdout" - changed_when: "'Success' not in rule_17_2_3_audit.stdout" tags: + - level1-domaincontroller - rule_17.2.3 - patch -- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_4 - tags: - - level1 - - level2 - - rule_17.2.4 - - audit - -- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable +- name: "SCORED | 17.2.4 | AUDIT | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.2.4 | AUDIT | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_4_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.2.4 | PATCH | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + when: "'Success' not in rule_17_2_4_audit.stdout" when: - rule_17_2_4 - - rule_17_2_4_audit is defined - ansible_windows_domain_role == "Primary domain controller" - - "'Success' not in rule_17_2_4_audit.stdout" - 
changed_when: "'Success' not in rule_17_2_4_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller - rule_17.2.4 - patch -- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_5 - tags: - - level1 - - level2 - - rule_17.2.5 - - audit +- name: "SCORED | 17.2.5 | AUDIT | (L1) Ensure 'Audit Security Group Management' is set to include 'Success'" + block: + - name: "SCORED | 17.2.5 | AUDIT | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_5_audit + changed_when: no + failed_when: false -- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + - name: "SCORED | 17.2.5 | PATCH | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_5_audit.stdout" when: - rule_17_2_5 - - rule_17_2_5_audit is defined - - "'Success' not in rule_17_2_5_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.5 - patch -- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_2_6 - tags: - - level1 - - level2 - 
- rule_17.2.6 - - audit - -- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure" +- name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" block: - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success" + - name: "SCORED | 17.2.6 | AUDIT | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_2_6_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable when: "'Success' not in rule_17_2_6_audit.stdout" changed_when: "'Success' not in rule_17_2_6_audit.stdout" - - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure" + - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable when: "'Failure' not in rule_17_2_6_audit.stdout" changed_when: "'Failure' not in rule_17_2_6_audit.stdout" when: - rule_17_2_6 - - rule_17_2_6_audit is defined tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.2.6 - patch -- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to Success" - win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_1 - tags: - - level1 - - level2 - - rule_17.3.1 - - audit - -- name: "SCORED | 17.3.1 | 
PATCH | L1 Ensure Audit PNP Activity is set to Success" - win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable - changed_when: "'Success' not in rule_17_3_1_audit.stdout" +- name: "SCORED | 17.3.1 | AUDIT | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Get current settings" + block: + - name: "SCORED | 17.3.1 | AUDIT | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set success" + win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_3_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.3.1 | PATCH | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set failure" + win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable + changed_when: "'Success' not in rule_17_3_1_audit.stdout" + when: "'Success' not in rule_17_3_1_audit.stdout" when: - rule_17_3_1 - - rule_17_3_1_audit is defined - - "'Success' not in rule_17_3_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.1 - patch -- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to Success" - win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_3_2 - tags: - - level1 - - level2 - - rule_17.3.2 - - audit - -- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to Success" - win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - changed_when: "'Success' not in rule_17_3_2_audit.stdout" +- name: "SCORED | 17.3.2 | AUDIT | (L1) Ensure 'Audit Process Creation' is set to include 'Success'" + block: + - name: "SCORED | 17.3.2 | AUDIT | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get 
/subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_3_2_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.3.2 | PATCH | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable + changed_when: "'Success' not in rule_17_3_2_audit.stdout" + when: "'Success' not in rule_17_3_2_audit.stdout" when: - rule_17_3_2 - - rule_17_3_2_audit is defined - - "'Success' not in rule_17_3_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.3.2 - patch -- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_4_1 - tags: - - rule_17.4.1 - - audit - -- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable - changed_when: "'Success' not in rule_17_4_1_audit.stdout" +- name: "SCORED | 17.4.1 | AUDIT | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" + block: + - name: "SCORED | 17.4.1 | AUDIT | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_4_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.4.1 | PATCH | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Set failure" + win_shell: AuditPol /set /subcategory:"Directory Service Access" 
/failure:enable + changed_when: "'Success' not in rule_17_4_1_audit.stdout" + when: "'Success' not in rule_17_4_1_audit.stdout" when: - rule_17_4_1 - - rule_17_4_1_audit is defined - - "'Success' not in rule_17_4_1_audit.stdout" tags: + - level1-domaincontroller - rule_17.4.1 - patch -- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" - win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_2_audit - changed_when: no - ignore_errors: yes - when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_17.4.2 - - audit - -- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only" - win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - changed_when: "'Success' not in rule_17_4_2_audit.stdout" +- name: "SCORED | 17.4.2 | AUDIT | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" + block: + - name: "SCORED | 17.4.2 | AUDIT | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_4_2_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.4.2 | PATCH | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable + changed_when: "'Success' not in rule_17_4_2_audit.stdout" + when: "'Success' not in rule_17_4_2_audit.stdout" when: - rule_17_4_2 - ansible_windows_domain_role == "Primary domain controller" - - rule_17_4_2_audit is defined - - "'Success' not in rule_17_4_2_audit.stdout" tags: + - level1-domaincontroller - 
rule_17.4.2 - patch -- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_1 - tags: - - level1 - - level2 - - rule_17.5.1 - - audit - -- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable - changed_when: "'Failure' not in rule_17_5_1_audit.stdout" +- name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure'" + block: + - name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.5.1 | PATCH | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable + changed_when: "'Failure' not in rule_17_5_1_audit.stdout" + when: "'Failure' not in rule_17_5_1_audit.stdout" when: - rule_17_5_1 - - rule_17_5_1_audit is defined - - "'Failure' not in rule_17_5_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.1 - patch -- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to Success" - win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_2 - tags: - - level1 - - level2 - - rule_17.5.2 - - audit - -- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to 
Success" - win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - changed_when: "'Success' not in wn19_au_000170_audit.stdout" +- name: "SCORED | 17.5.2 | AUDIT | (L1) Ensure 'Audit Group Membership' is set to include 'Success'" + block: + - name: "SCORED | 17.5.2 | AUDIT | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_2_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.5.2 | PATCH | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable + changed_when: "'Success' not in rule_17_5_2_audit.stdout" + when: "'Success' not in rule_17_5_2_audit.stdout" when: - rule_17_5_2 - - wn19_au_000170_audit is defined - - "'Success' not in wn19_au_000170_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.2 - patch -- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to Success" - win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_3 - tags: - - level1 - - level2 - - rule_17.5.3 - - audit - -- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to Success" - win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - changed_when: "'Success' not in rule_17_5_3_audit.stdout" +- name: "SCORED | 17.5.3 | AUDIT | (L1) Ensure 'Audit Logoff' is set to include 'Success'" + block: + - name: "SCORED | 17.5.3 | AUDIT | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_3_audit + 
changed_when: no + failed_when: false + + - name: "SCORED | 17.5.3 | PATCH | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Logoff" /success:enable + changed_when: "'Success' not in rule_17_5_3_audit.stdout" + when: "'Success' not in rule_17_5_3_audit.stdout" when: - rule_17_5_3 - - rule_17_5_3_audit is defined - - "'Success' not in rule_17_5_3_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.3 - patch -- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - audit - -- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure" +- name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure'" block: - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Logon" /success:enable - changed_when: "'Success' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - - - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Logon" /failure:enable - changed_when: "'Failure' not in rule_17_5_4_audit.stdout" - when: - - rule_17_5_4_audit is defined - - "'Failure' not in rule_17_5_4_audit.stdout" - when: rule_17_5_4 - tags: - - level1 - - level2 - - rule_17.5.4 - - patch - -- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand 
"Inclusion Setting" - register: rule_17_5_5_audit - changed_when: no - ignore_errors: yes + - name: "SCORED | 17.5.4 | AUDIT | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_4_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"Logon" /success:enable + changed_when: "'Success' not in rule_17_5_4_audit.stdout" + when: "'Failure' not in rule_17_5_4_audit.stdout" + + - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"Logon" /failure:enable + changed_when: "'Failure' not in rule_17_5_4_audit.stdout" + when: "'Failure' not in rule_17_5_4_audit.stdout" when: - - rule_17_5_5 + - rule_17_5_4 tags: - - level1 - - level2 - - rule_17.5.5 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.5.4 + - patch -- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" +- name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" block: - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success" + - name: "SCORED | 17.5.5 | AUDIT | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_5_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Other 
Logon/Logoff Events" /success:enable changed_when: "'Success' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Success' not in rule_17_5_5_audit.stdout" + when: "'Success' not in rule_17_5_5_audit.stdout" - - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure" + - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable changed_when: "'Failure' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5_audit is defined - - "'Failure' not in rule_17_5_5_audit.stdout" + when: "'Failure' not in rule_17_5_5_audit.stdout" when: - rule_17_5_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.5 - patch -- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to Success" - win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_6_audit - changed_when: no - ignore_errors: yes - when: rule_17_5_6 - tags: - - level1 - - level2 - - rule_17.5.6 - - audit - -- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to Success" - win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - changed_when: "'Success' not in rule_17_5_6_audit.stdout" +- name: "SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success'" + block: + - name: "SCORED | 17.5.6 | AUDIT | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_5_6_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current 
settings" + win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable + changed_when: "'Success' not in rule_17_5_6_audit.stdout" + when: "'Success' not in rule_17_5_6_audit.stdout" when: - rule_17_5_6 - - rule_17_5_6_audit is defined - - "'Success' not in rule_17_5_6_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.5.6 - patch -- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure" - win_audit_policy_system: - subcategory: Other Object Access Events - audit_type: success, failure +- name: "SCORED | 17.6.1 | PATCH | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + block: + - name: "SCORED | 17.6.1 | AUDIT | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_6_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.6.1 | PATCH | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable + when: "'Failure' not in rule_17_6_1_audit.stdout" when: rule_17_6_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.1 - patch -- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_2 +- name: "SCORED | 17.6.2 | PATCH | (L1) Ensure 'Audit File Share' is set to 'Success and Failure'" + win_audit_policy_system: + subcategory: File Share + audit_type: success, failure + when: + - rule_17_6_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.6.2 
- - audit + - patch -- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - changed_when: "'Success' not in rule_17_6_2_audit.stdout" +- name: "SCORED | 17.6.3 | PATCH | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" + win_audit_policy_system: + subcategory: Other Object Access Events + audit_type: success, failure when: - - rule_17_6_2 - - rule_17_6_2_audit is defined - - "'Success' not in rule_17_6_2_audit.stdout" + - rule_17_6_3 tags: - - level1 - - level2 - - rule_17.6.2 + - level1-domaincontroller + - level1-memberserver + - rule_17.6.3 - patch -- name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_1 +- name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" + block: + - name: "SCORED | 17.6.4 | AUDIT | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_6_4_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set success" + win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable + changed_when: "'Success' not in rule_17_6_4_audit.stdout" + when: "'Success' not in rule_17_6_4_audit.stdout" + + - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable + 
changed_when: "'failure' not in rule_17_6_4_audit.stdout" + when: "'Failure' not in rule_17_6_4_audit.stdout" + when: + - rule_17_6_4 tags: - - level1 - - level2 - - rule_17.7.1 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.6.4 + - patch -- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_1_audit.stdout" +- name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" + block: + - name: "SCORED | 17.7.1 | AUDIT | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_1_audit.stdout" + when: "'Success' not in rule_17_7_1_audit.stdout" when: - rule_17_7_1 - - rule_17_7_1_audit is defined - - "'Success' not in rule_17_7_1_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.1 - patch -- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_2 - tags: - - level1 - - level2 - - rule_17.7.2 - - audit - -- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to Success" - win_shell: AuditPol /set 
/subcategory:"Authentication Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_2_audit.stdout" +- name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" + block: + - name: "SCORED | 17.7.2 | AUDIT | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_2_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_2_audit.stdout" + when: "'Success' not in rule_17_7_2_audit.stdout" when: - rule_17_7_2 - - rule_17_7_2_audit is defined - - "'Success' not in rule_17_7_2_audit.stdout" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.2 - patch -- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_3 +- name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" + block: + - name: "SCORED | 17.7.3 | AUDIT | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_3_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is 
set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_3_audit.stdout" + when: "'Success' not in rule_17_7_3_audit.stdout" + when: + - rule_17_7_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.7.3 - - audit + - patch -- name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_3_audit.stdout" +- name: "SCORED | 17.7.4 | PATCH | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" + win_audit_policy_system: + subcategory: MPSSVC Rule-Level Policy Change + audit_type: success, failure when: - - rule_17_7_3 - - rule_17_7_3_audit is defined - - "'Success' not in rule_17_7_3_audit.stdout" + - rule_17_7_4 tags: - - level1 - - level2 - - rule_17.7.3 + - level1-domaincontroller + - level1-memberserver + - rule_17.7.4 - patch -- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_8_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_8_1 +- name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" + block: + - name: "SCORED | 17.7.5 | AUDIT | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_7_5_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set 
failure" + win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable + when: "'Failure' not in rule_17_7_5_audit.stdout" + when: + - rule_17_7_5 tags: - - level1 - - level2 - - rule_17.8.1 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_17.7.5 + - patch -- name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" +- name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" block: - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" + - name: "SCORED | 17.8.1 | AUDIT | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_8_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable changed_when: "'Success' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Success' not in rule_17_8_1_audit.stdout" + when: "'Success' not in rule_17_8_1_audit.stdout" - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" + - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable changed_when: "'Failure' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Failure' not in rule_17_8_1_audit.stdout" + when: "'Failure' not in rule_17_8_1_audit.stdout" when: rule_17_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - 
level1-memberserver - rule_17.8.1 - patch -- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_1 - tags: - - level1 - - level2 - - rule_17.9.1 - - audit - -- name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" +- name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" + - name: "SCORED | 17.9.1 | AUDIT | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_9_1_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable changed_when: "'Success' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Success' not in rule_17_9_1_audit.stdout" - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" + when: "'Success' not in rule_17_9_1_audit.stdout" + + - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable changed_when: "'Failure' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Failure' not in rule_17_9_1_audit.stdout" + when: "'Failure' not in rule_17_9_1_audit.stdout" when: rule_17_9_1 tags: - - level1 - - level2 + - level1-domaincontroller + - 
level1-memberserver - rule_17.9.1 - patch -- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_2 - tags: - - level1 - - level2 - - rule_17.9.2 - - audit - -- name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" +- name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" + - name: "SCORED | 17.9.2 | AUDIT | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_9_2_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable changed_when: "'Success' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Success' not in rule_17_9_2_audit.stdout" - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" + when: "'Success' not in rule_17_9_2_audit.stdout" + + - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable changed_when: "'Failure' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Failure' not in rule_17_9_2_audit.stdout" + when: "'Failure' not in rule_17_9_2_audit.stdout" when: 
rule_17_9_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.2 - patch -- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to Success" - win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_3_audit - changed_when: no - ignore_errors: yes +- name: "SCORED | 17.9.3 | AUDIT | (L1) Ensure 'Audit Security State Change' is set to include 'Success'" + block: + - name: "SCORED | 17.9.3 | AUDIT | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_9_3_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.9.3 | PATCH | (L1) Ensure 'Audit Security State Change' is set to include 'Success' Set success" + win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable + changed_when: "'Success' not in rule_17_9_3_audit.stdout" + when: "'Success' not in rule_17_9_3_audit.stdout" when: rule_17_9_3 tags: - - level1 - - level2 - - rule_17.9.3 - - audit - -- name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to Success" - win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - changed_when: "'Success' not in rule_17_9_3_audit.stdout" - when: - - rule_17_9_3 - - rule_17_9_3_audit is defined - - "'Success' not in rule_17_9_3_audit.stdout" - tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.3 - patch -- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_4_audit - changed_when: no - ignore_errors: yes +- 
name: "SCORED | 17.9.4 | AUDIT | (L1) Ensure 'Audit Security System Extension' is set to include 'Success'" + block: + - name: "SCORED | 17.9.4 | AUDIT | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_9_4_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.9.4 | PATCH | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable + changed_when: "'Success' not in rule_17_9_4_audit.stdout" + when: "'Success' not in rule_17_9_4_audit.stdout" when: rule_17_9_4 tags: - - level1 - - level2 - - rule_17.9.4 - - audit - -- name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - changed_when: "'Success' not in rule_17_9_4_audit.stdout" - when: - - rule_17_9_4 - - rule_17_9_4_audit is defined - - "'Success' not in rule_17_9_4_audit.stdout" - tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.4 - patch -- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_5 - tags: - - level1 - - level2 - - rule_17.9.5 - - audit - -- name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure" +- name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure 
| Success" + - name: "SCORED | 17.9.5 | AUDIT | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + register: rule_17_9_5_audit + changed_when: no + failed_when: false + + - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Success" win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable changed_when: "'Success' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Success' not in rule_17_9_5_audit.stdout" + when: "'Success' not in rule_17_9_5_audit.stdout" - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure" + - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Failure" win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable changed_when: "'Failure' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Failure' not in rule_17_9_5_audit.stdout" + when: "'Failure' not in rule_17_9_5_audit.stdout" when: rule_17_9_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_17.9.5 - patch diff --git a/tasks/section18.yml b/tasks/section18.yml index 98a58e8..d0efd88 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -1,6 +1,6 @@ --- #one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server" -- name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled" +- name: "SCORED | 18.1.1.1 | PATCH | (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Personalization name: NoLockScreenCamera 
@@ -8,12 +8,12 @@ type: dword when: rule_18_1_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.1.1 - patch -- name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled" +- name: "SCORED | 18.1.1.2 | PATCH | (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Personalization name: NoLockScreenSlideshow 
@@ -21,274 +21,197 @@ type: dword when: rule_18_1_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.1.2 - patch -- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - audit - -- name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" +- name: "SCORED | 18.1.2.2 | PATCH | (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization + name: AllowInputPersonalization + data: 0 + type: dword when: - - is_implemented - rule_18_1_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.1.2.2 - patch -- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - audit - -- name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" +- name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + block: + - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + command: "echo true" when: - is_implemented - rule_18_1_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.1.3 - - patch - -- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - register: result - 
changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - audit -- name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" +- name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" + block: + - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.1 - patch -- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + block: + - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.2 | PATCH | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.2 - audit -- name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than 
required by policy is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - patch - -- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + block: + - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.3 | PATCH | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.3 - audit -- name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - - patch - -- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + block: + - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' 
(MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.4 | PATCH | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_4 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.4 - audit -- name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - - patch - -- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + block: + - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.5 | PATCH | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + command: "echo true" when: - is_implemented - rule_18_2_5 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.5 - audit -- name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - - patch - -- name: 
"SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + block: + - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.2.6 | PATCH | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + command: "echo true" when: - is_implemented - rule_18_2_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.2.6 - audit -- name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - - patch - -- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + block: + - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.3.1 | PATCH | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + command: "echo true" when: - is_implemented - rule_18_3_1 - not 
ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-memberserver - rule_18.3.1 - audit -- name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - patch - -- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + block: + - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + + - name: "SCORED | 18.3.2 | PATCH | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + command: "echo true" when: - is_implemented - rule_18_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.2 - audit -- name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" - command: "echo true" - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - patch - -- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" +- name: "SCORED | 18_3_3 | PATCH | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: SMB1 
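Review bot: The merged AUDIT+PATCH blocks for 18.2.2 through 18.2.6, 18.3.1 and 18.3.2 end with the context tag `- audit` inherited from the removed audit task, while the otherwise identical 18.2.1 block ends with `- patch`, so a run limited to `--tags patch` silently skips the PATCH step inside those blocks; give every block that contains a PATCH step the same `- patch` tag (or both tags) so the tag filter agrees with the task labels. In the 18.1.3 block the second step is still labelled AUDIT although it occupies the PATCH position, and 18.2.5 dropped the '(MS only)' suffix from its title while its `not ansible_windows_domain_role == "Primary domain controller"` condition still applies. All of these remain `command: "echo true"` placeholders gated by `is_implemented`, which defaults to false, so they are inert today; a comment such as `# placeholder - not implemented, skipped unless is_implemented is true` at each block would make that explicit, and they will need `win_command`/`win_shell` rather than `command` once implemented, since `command` is not a Windows module. 18.3.2 in particular could be done with win_regedit like its sibling 18.3.3 directly below (the benchmark remediation is the MrxSmb10 service Start value of 4; confirm against the 1.2.0 text before adding it).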
@@ -298,12 +221,12 @@ notify: reboot_windows when: rule_18_3_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.3 - patch -- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" +- name: "SCORED | 18_3_4 | PATCH | (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel name: DisableExceptionChainValidation 
@@ -312,51 +235,55 @@ state: present when: rule_18_3_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.4 - patch -- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes +- name: "SCORED | 18.3.5 | PATCH | (L1) Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled: Enabled, always (recommended)' (DC Only)" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters + name: LdapEnforceChannelBinding + data: 1 + type: dword when: - - is_implemented - rule_18_3_5 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller - rule_18.3.5 - - audit + - patch -- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" - command: "echo true" - when: - - is_implemented - - rule_18_3_5 + +- name: "SCORED | 18.3.6 | PATCH | (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters + state: present + value: NodeType + data: 2 + datatype: dword + when: rule_18_3_6 tags: - - level1 - - level2 - - rule_18.3.5 + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 - patch -- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" +- name: "SCORED | 18.3.7 | PATCH | (L1) Ensure 'WDigest Authentication' is set to 'Disabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest state: present value: UseLogonCredential data: 0 datatype: dword - when: rule_18_3_6 + when: rule_18_3_7 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.3.6 - patch -- name: 
"SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" +- name: "SCORED | 18.4.1 | PATCH | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" win_regedit: path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon state: present @@ -365,12 +292,12 @@ datatype: dword when: rule_18_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.1 - patch -- name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +- name: "SCORED | 18.4.2 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters state: present @@ -379,12 +306,12 @@ datatype: dword when: rule_18_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.2 - patch -- name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" +- name: "SCORED | 18.4.3 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present 
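Review bot: `data: 1` for `LdapEnforceChannelBinding` in the new 18.3.5 task does not match the task title: 1 is 'When supported', whereas the benchmark setting 'Enabled, always (recommended)' corresponds to 2, so the task should set `data: 2`; since 2 is enforced for every LDAP client, clients that cannot send channel-binding tokens will fail to bind, which makes the DC-only condition and a staged rollout important. The WDigest task renamed to 18.3.7 now runs on `when: rule_18_3_7` but keeps the context tag `- rule_18.3.6`, which the new NetBT 18.3.6 task also carries, so `--tags rule_18.3.7` selects nothing and `rule_18.3.6` toggles two rules; change it to `- rule_18.3.7`. The DC check `ansible_windows_domain_role == "Primary domain controller"` presumably matches only the role reported by the PDC emulator; additional domain controllers may report 'Backup domain controller' and would then be skipped, which is worth confirming. Also, 18.3.6 uses the `value:`/`datatype:` aliases while 18.3.5 directly above uses `name:`/`type:`; pick one form for the new tasks.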
@@ -393,12 +320,12 @@ datatype: dword when: rule_18_4_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.3 - patch -- name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" +- name: "SCORED | 18.4.4 | PATCH | (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present @@ -407,12 +334,12 @@ datatype: dword when: rule_18_4_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.4 - patch -- name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" +- name: "SCORED | 18.4.5 | PATCH | (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters state: present @@ -421,11 +348,12 @@ datatype: dword when: rule_18_4_5 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.4.5 - patch -- name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" +- name: "SCORED | 18.4.6 | PATCH | (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters state: present 
@@ -434,12 +362,12 @@ type: dword when: rule_18_4_6 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.6 - patch -- name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" +- name: "SCORED | 18.4.7 | PATCH | (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters state: present @@ -448,11 +376,12 @@ type: dword when: rule_18_4_7 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.4.7 - patch -- name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" +- name: "SCORED | 18.4.8 | PATCH | (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" win_regedit: path: HKLM:\System\Currentcontrolset\Control\Session Manager name: SafeDllSearchMode @@ -461,12 +390,12 @@ state: present when: rule_18_4_8 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.8 - patch -- name: "SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" +- name: "SCORED | 18.4.9 | PATCH | (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" win_regedit: path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon name: ScreenSaverGracePeriod 
@@ -475,12 +404,12 @@ state: present when: rule_18_4_9 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.9 - patch -- name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "SCORED | 18.4.10 | PATCH | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters name: TcpMaxDataRetransmissions @@ -488,11 +417,12 @@ type: dword when: rule_18_4_10 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.4.10 - patch -- name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" +- name: "SCORED | 18.4.11 | PATCH | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters name: TcpMaxDataRetransmissions @@ -500,11 +430,12 @@ type: dword when: rule_18_4_11 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.4.11 - patch -- name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" +- name: "SCORED | 18.4.12 | PATCH | (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" win_regedit: path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security name: WarningLevel 
@@ -512,28 +443,12 @@ type: dword when: rule_18_4_12 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.4.12 - patch - -- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters - name: NodeType - data: 2 - type: dword - when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.5.4.1 - - patch - -- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" +- name: "SCORED | 18.5.4.1 | PATCH | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient name: EnableMulticast @@ -541,14 +456,13 @@ type: dword when: - rule_18_5_4_2 - - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.4.2 - patch -- name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" +- name: "SCORED | 18.5.5.1 | PATCH | (L2) Ensure 'Enable Font Providers' is set to 'Disabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableFontProviders @@ -556,11 +470,12 @@ type: dword when: rule_18_5_5_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.5.1 - patch -- name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" +- name: "SCORED | 18.5.8.1 | PATCH | (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation name: AllowInsecureGuestAuth 
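Review bot: The renamed task is titled 18.5.4.1 ('Turn off multicast name resolution') but in the following hunk it is still gated by `when: - rule_18_5_4_2` and tagged `- rule_18.5.4.2`, so the variable and tag no longer match the rule number in the title; rename both to `rule_18_5_4_1` / `rule_18.5.4.1` and rename the matching key in `defaults/main.yml` in the same change, otherwise the task is either unreachable by its rule number or keyed to a number the benchmark no longer uses. Dropping the `not ansible_windows_domain_role == "Primary domain controller"` condition is consistent with the new title, which no longer says MS only. The removed 18.5.4.1 NodeType task reappears as 18.3.6 in an earlier hunk, so no setting is lost.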
@@ -568,35 +483,35 @@ type: dword when: rule_18_5_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.8.1 - patch -- name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" +- name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" block: - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOndomain" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOndomain data: 0 type: dword - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOnPublicNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowLLTDIOOnPublicNet data: 0 type: dword - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | EnableLLTDIO" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableLLTDIO data: 0 type: dword - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | ProhibitLLTDIOOnPrivateNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitLLTDIOOnPrivateNet 
@@ -604,34 +519,35 @@ type: dword when: rule_18_5_9_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.9.1 - patch -- name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" +- name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" block: - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | AllowRspndrOnDomain" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnDomain data: 0 type: dword - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | AllowRspndrOnPublicNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: AllowRspndrOnPublicNet data: 0 type: dword - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | EnableRspndr" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: EnableRspndr data: 0 type: dword - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | ProhibitRspndrOnPrivateNet" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Lltd name: ProhibitRspndrOnPrivateNet 
@@ -639,11 +555,12 @@ type: dword when: rule_18_5_9_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.9.2 - patch -- name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" +- name: "SCORED | 18.5.10.2 | PATCH | (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Peernet name: Disabled @@ -651,11 +568,12 @@ type: dword when: rule_18_5_10_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.10.2 - patch -- name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" +- name: "SCORED | 18.5.11.2 | PATCH | (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_AllowNetBridge_NLA @@ -663,12 +581,12 @@ type: dword when: rule_18_5_11_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.11.2 - patch -- name: "SCORED | 18.5.11.3 | PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" +- name: "SCORED | 18.5.11.3 | PATCH | (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections name: NC_ShowSharedAccessUI 
@@ -676,12 +594,12 @@ type: dword when: rule_18_5_11_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.11.3 - patch -- name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" +- name: "SCORED | 18.5.11.4 | PATCH | (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections name: NC_StdDomainUserSetLocation 
@@ -689,20 +607,20 @@ type: dword when: rule_18_5_11_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.11.4 - patch -- name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" +- name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares'" block: - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" + - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set NETLOGON" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\NETLOGON" data: "RequireMutualAuthentication=1, RequireIntegrity=1" type: string - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" + - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set SYSVOL" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths name: "\\\\*\\SYSVOL" 
@@ -710,12 +628,12 @@ type: string when: rule_18_5_14_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.14.1 - patch -- name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" +- name: "SCORED | 18.5.19.2.1 | PATCH | (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" win_regedit: path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters name: DisabledComponents 
@@ -723,41 +641,42 @@ type: dword when: rule_18_5_19_2_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.19.2.1 - patch -- name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" +- name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" block: - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | EnableRegistrars" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: EnableRegistrars data: 0 type: dword - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableUPnPRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableUPnPRegistrar data: 0 type: dword - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableInBand802DOT11Registrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableInBand802DOT11Registrar data: 0 type: dword - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless 
settings using Windows Connect Now' is set to 'Disabled' | DisableFlashConfigRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableFlashConfigRegistrar data: 0 type: dword - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableWPDRegistrar" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars name: DisableWPDRegistrar @@ -765,11 +684,12 @@ type: dword when: rule_18_5_20_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.20.1 - patch -- name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" +- name: "SCORED | 18.5.20.2 | PATCH | (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui name: DisableWcnUi @@ -777,11 +697,12 @@ type: dword when: rule_18_5_20_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.5.20.2 - patch -- name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" +- name: "SCORED | 18.5.21.1 | PATCH | (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fMinimizeConnections 
@@ -789,12 +710,12 @@ type: dword when: rule_18_5_21_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.5.21.1 - patch -- name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" +- name: "SCORED | 18.5.21.2 | PATCH | (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy name: fBlockNonDomain @@ -804,11 +725,25 @@ - rule_18_5_21_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2 + - level2-memberserver - rule_18.5.21.2 - patch -- name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" +- name: "SCORED | 18.7.1.1 | PATCH | (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' (Scored)" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + name: NoCloudApplicationNotification + data: 1 + type: dword + when: + - rule_18_7_1_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.7.1.1 + - patch + +- name: "SCORED | 18.8.3.1 | PATCH | (L1) Ensure 'Include command line in process creation events' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit name: ProcessCreationIncludeCmdLine_Enabled 
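Review bot: The new 18.7.1.1 task name ends in `(Scored)`, which no other task in this file uses and which duplicates the `SCORED |` prefix already at the start of the string; for consistency I would write `- name: "SCORED | 18.7.1.1 | PATCH | (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled'"`. The same task writes its single condition as a one-item list (`when:` / `- rule_18_7_1_1`) while neighbouring single-condition tasks use the scalar form `when: rule_18_8_3_1`; either is valid, but pick one for new tasks.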
@@ -816,26 +751,39 @@ type: dword when: rule_18_8_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.3.1 - patch +- name: "SCORED | 18.8.4.1 | PATCH | (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters + name: AllowEncryptionOracle + data: 0 + type: dword + when: + - rule_18_8_4_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.1 + - patch -- name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" +- name: "SCORED | 18.8.4.2 | PATCH | (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation name: AllowProtectedCreds data: 1 type: dword - when: rule_18_8_4_1 + when: rule_18_8_4_2 tags: - - level1 - - level2 - - rule_18.8.4.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.2 - patch -- name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" +- name: "SCORED | 18.8.5.1 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: EnableVirtualizationBasedSecurity 
@@ -845,10 +793,12 @@ - rule_18_8_5_1 - ansible_windows_domain_role == "Member server" tags: + - nextgen-domaincontroller + - nextgen-memberserver - rule_18.8.5.1 - patch -- name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" +- name: "SCORED | 18.8.5.2 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: RequirePlatformSecurityFeatures @@ -858,10 +808,12 @@ - rule_18_8_5_2 - ansible_windows_domain_role == "Member server" tags: + - nextgen-domaincontroller + - nextgen-memberserver - rule_18.8.5.2 - patch -- name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" +- name: "SCORED | 18.8.5.3 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: HypervisorEnforcedCodeIntegrity @@ -869,12 +821,13 @@ type: dword when: - rule_18_8_5_3 - - ansible_windows_domain_role == "Member server" tags: + - nextgen-domaincontroller + - nextgen-memberserver - rule_18.8.5.3 - patch -- name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" +- name: "SCORED | 18.8.5.4 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: HVCIMATRequired 
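Review bot: Tasks 18.8.5.1 and 18.8.5.2 now carry the `nextgen-domaincontroller` tag and have lost "MS Only" from their names, but their `when:` still contains the unchanged context line `- ansible_windows_domain_role == "Member server"`, so on a domain controller the tag selects a task that is then skipped, and VBS / platform security level are never applied there. The commit removes that same condition for 18.8.5.3 and 18.8.5.4 in the next two hunks, so 18.8.5.1 and 18.8.5.2 look like an oversight rather than a deliberate scope difference; if the benchmark does apply them to DCs, drop the `ansible_windows_domain_role == "Member server"` line from both, otherwise drop the DC tag. Note that the `== "Member server"` test also excludes stand-alone servers, which may or may not be intended.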
@@ -882,12 +835,13 @@ type: dword when: - rule_18_8_5_4 - - ansible_windows_domain_role == "Member server" tags: + - nextgen-domaincontroller + - nextgen-memberserver - rule_18.8.5.4 - patch -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" +- name: "SCORED | 18.8.5.5 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: LsaCfgFlags 
@@ -897,23 +851,39 @@ - rule_18_8_5_5 - not ansible_windows_domain_role == "Primary domain controller" tags: + - nextgen-memberserver - rule_18.8.5.5 - patch -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" +- name: "SCORED | 18.8.5.6 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard name: LsaCfgFlags + data: 0 + type: dword + when: + - rule_18_8_5_6 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - nextgen-domaincontroller + - rule_18.8.5.6 + - patch + +- name: "SCORED | 18.8.5.7 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: ConfigureSystemGuardLaunch data: 1 type: dword when: - - rule_18_8_5_5 - - ansible_windows_domain_role == "Member server" + - rule_18_8_5_7 tags: - - rule_18.8.5.5 + - nextgen-domaincontroller + - nextgen-memberserver + - rule_18.8.5.7 - patch -- name: "SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" +- name: "SCORED | 18.8.14.1 | PATCH | (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" win_regedit: path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch name: DriverLoadPolicy 
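Review bot: The new 18.8.5.6 task enables Credential Guard's DC-only "Disabled" setting only when `ansible_windows_domain_role == "Primary domain controller"`, while the preceding 18.8.5.5 task (context in this hunk) enables it with `not ansible_windows_domain_role == "Primary domain controller"`. If the setup fact reports additional DCs as "Backup domain controller" (as the underlying Win32_ComputerSystem DomainRole value does for every DC other than the PDC emulator holder — please confirm against your inventory), those DCs would be treated as member servers: 18.8.5.5 sets `LsaCfgFlags` to 1 on them and 18.8.5.6 skips them. Consider testing the role with `ansible_windows_domain_role in ["Primary domain controller", "Backup domain controller"]` in 18.8.5.6 and the negation in 18.8.5.5; the same single-role comparison appears in 18.5.21.2 earlier in this file.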
@@ -921,12 +891,12 @@ type: dword when: rule_18_8_14_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.14.1 - patch -- name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" +- name: "SCORED | 18.8.21.2 | PATCH | (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoBackgroundPolicy @@ -934,12 +904,12 @@ type: dword when: rule_18_8_21_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.2 - patch -- name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" +- name: "SCORED | 18.8.21.3 | PATCH | (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE's" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} name: NoGPOListChanges @@ -947,12 +917,12 @@ type: dword when: rule_18_8_21_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.3 - patch -- name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled" +- name: "SCORED | 18.8.21.4 | PATCH | (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System name: EnableCdp 
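Review bot: The rewritten name of task 18.8.21.3 (hunk `@@ -934,12 +904,12 @@`) has a stray character after the closing quote of the value: `… is set to 'Enabled: TRUE's"`. It should read `… is set to 'Enabled: TRUE'"` to match the benchmark title and the formatting of the surrounding task names; it is only display text, but it is what shows up in playbook output and in any tooling that greps task names.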
@@ -960,24 +930,24 @@ type: dword when: rule_18_8_21_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.4 - patch -- name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled" +- name: "SCORED | 18.8.21.5 | PATCH | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy state: absent delete_key: yes when: rule_18_8_21_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.21.5 - patch -- name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled" +- name: "SCORED | 18.8.22.1.1 | PATCH | (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableWebPnPDownload @@ -985,12 +955,12 @@ type: dword when: rule_18_8_22_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.22.1.1 - patch -- name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled" +- name: "SCORED | 18.8.22.1.2 | PATCH | (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc name: PreventHandwritingDataSharing 
@@ -998,11 +968,12 @@ type: dword when: rule_18_8_22_1_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.2 - patch -- name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled" +- name: "SCORED | 18.8.22.1.3 | PATCH | (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports name: PreventHandwritingErrorReports @@ -1010,11 +981,12 @@ type: dword when: rule_18_8_22_1_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.3 - patch -- name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" +- name: "SCORED | 18.8.22.1.4 | PATCH | (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard name: ExitOnMSICW @@ -1022,11 +994,12 @@ type: dword when: rule_18_8_22_1_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.4 - patch -- name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" +- name: "SCORED | 18.8.22.1.5 | PATCH | (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoWebServices 
@@ -1034,12 +1007,12 @@ type: dword when: rule_18_8_22_1_5 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.8.22.1.5 - patch -- name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled" +- name: "SCORED | 18.8.22.1.6 | PATCH | (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers name: DisableHTTPPrinting @@ -1047,12 +1020,12 @@ type: dword when: rule_18_8_22_1_6 tags: - - level1 - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.6 - patch -- name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" +- name: "SCORED | 18.8.22.1.7 | PATCH | (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control name: NoRegistration @@ -1060,11 +1033,12 @@ type: dword when: rule_18_8_22_1_7 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.7 - patch -- name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled" +- name: "SCORED |18.8.22.1.8 | PATCH | (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Searchcompanion name: DisableContentFileUpdates 
@@ -1072,11 +1046,12 @@ type: dword when: rule_18_8_22_1_8 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.8 - patch -- name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled" +- name: "SCORED | 18.8.22.1.9 | PATCH | (L2) Ensure 'Turn off the Order Prints picture task' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoOnlinePrintsWizard @@ -1084,11 +1059,12 @@ type: dword when: rule_18_8_22_1_9 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.9 - patch -- name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled" +- name: "SCORED | 18.8.22.1.10 | PATCH | (L2) Ensure 'Turn off the Publish to Web task for files and folders' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoPublishingWizard @@ -1096,11 +1072,12 @@ type: dword when: rule_18_8_22_1_10 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.10 - patch -- name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" +- name: "SCORED | 18.8.22.1.11 | PATCH | (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Messenger\Client name: CEIP 
@@ -1108,11 +1085,12 @@ type: dword when: rule_18_8_22_1_11 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.11 - patch -- name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" +- name: "SCORED | 18.8.22.1.12 | PATCH | (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows name: CEIPEnable @@ -1120,19 +1098,21 @@ type: dword when: rule_18_8_22_1_12 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.12 - patch -- name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled" +- name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" block: - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" + - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Windows Error Reporting" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting name: Disabled data: 1 type: dword - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" + + - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | ErrorReporting" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting name: DoReport 
@@ -1140,19 +1120,21 @@ type: dword when: rule_18_8_22_1_13 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.22.1.13 - patch -- name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic" +- name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'" block: - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" + - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitBehavior" win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitBehavior data: 0 type: dword - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" + + - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitEnabled" win_regedit: path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters name: DevicePKInitEnabled 
@@ -1160,282 +1142,289 @@ type: dword when: rule_18_8_25_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.8.25.1 - patch -- name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" +- name: "SCORED | 18.8.27.1 | PATCH | (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Control Panel\International name: BlockUserInputMethodsForSignIn data: 1 type: dword - when: rule_18_8_26_1 + when: rule_18_8_27_1 tags: - - level2 - - rule_18.8.26.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.27.1 - patch -- name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled" +- name: "SCORED | 18.8.28.1 | PATCH | (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockUserFromShowingAccountDetailsOnSignin data: 1 type: dword - when: rule_18_8_27_1 + when: rule_18_8_28_1 tags: - - level1 - - level2 - - rule_18.8.27.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.1 - patch -- name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled" +- name: "SCORED | 18.8.28.2 | PATCH | (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontDisplayNetworkSelectionUI data: 1 type: dword - when: rule_18_8_27_2 + when: rule_18_8_28_2 tags: - - level1 - - level2 - - rule_18.8.27.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.2 - patch -- name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" +- name: "SCORED | 18.8.28.3 | PATCH | (L1) Ensure 'Do not enumerate 
connected users on domain-joined computers' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DontEnumerateConnectedUsers data: 1 type: dword - when: rule_18_8_27_3 + when: rule_18_8_28_3 tags: - - level1 - - level2 - - rule_18.8.27.3 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.3 - patch -- name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" +- name: "SCORED | 18.8.28.4 | PATCH | (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnumerateLocalUsers data: 0 type: dword - when: rule_18_8_27_4 + when: + - rule_18_8_28_4 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_18.8.27.4 + - level1-memberserver + - rule_18.8.28.4 - patch -- name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled" +- name: "SCORED | 18.8.28.5 | PATCH | (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: DisableLockScreenAppNotifications data: 1 type: dword - when: rule_18_8_27_5 + when: rule_18_8_28_5 tags: - - level1 - - level2 - - rule_18.8.27.5 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.5 - patch -- name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled" +- name: "SCORED | 18.8.28.6 | PATCH | (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: BlockDomainPicturePassword data: 1 type: dword - when: rule_18_8_27_6 + when: rule_18_8_28_6 tags: - - level1 - - level2 - - rule_18.8.27.6 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.6 - patch -- name: 
"SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled" +- name: "SCORED | 18.8.28.7 | PATCH | (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: AllowDomainPINLogon data: 0 type: dword - when: rule_18_8_27_7 + when: rule_18_8_28_7 tags: - - level1 - - level2 - - rule_18.8.27.7 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.7 - patch -- name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events" +- name: "SCORED | 18.8.34.6.1 | PATCH | (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions - name: MitigationOptions_FontBocking + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 + name: DCSettingIndex data: 0 type: dword - when: rule_18_8_28_1 + when: rule_18_8_34_6_1 tags: - - level1 - - level2 - - rule_18.8.28.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.34.6.1 - patch -- name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" +- name: "SCORED | 18.8.34.6.2 | PATCH | (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 name: ACSettingIndex data: 0 type: dword - when: rule_18_8_33_6_2 + when: rule_18_8_34_6_2 tags: - - level2 - - rule_18.8.33.6.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.34.6.2 - patch -- name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled" +- name: "SCORED | 18.8.34.6.3 | PATCH | (L1) Ensure 'Require a password when a computer wakes 
(on battery)' is set to 'Enabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: DCSettingIndex data: 1 type: dword - when: rule_18_8_33_6_3 + when: rule_18_8_34_6_3 tags: - - level1 - - level2 - - rule_18.8.33.6.3 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.34.6.3 - patch -- name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled" +- name: "SCORED | 18.8.34.6.4 | PATCH | (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 name: ACSettingIndex data: 1 type: dword - when: rule_18_8_33_6_4 + when: rule_18_8_34_6_4 tags: - - level1 - - level2 - - rule_18.8.33.6.4 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.34.6.4 - patch -- name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled" +- name: "SCORED | 18.8.36.1 | PATCH | (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowUnsolicited data: 0 type: dword - when: rule_18_8_35_1 + when: rule_18_8_36_1 tags: - - level1 - - level2 - - rule_18.8.35.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.36.1 - patch -- name: "SCORED | 18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled" +- name: "SCORED | 18.8.36.2 | PATCH | (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fAllowToGetHelp data: 0 type: dword - when: rule_18_8_35_2 + when: rule_18_8_36_2 tags: - - level1 - - level2 - - rule_18.8.35.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.8.36.2 - patch -- name: "SCORED | 
18.8.36.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" +- name: "SCORED | 18.8.37.1 | PATCH | (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: EnableAuthEpResolution data: 1 type: dword when: - - rule_18_8_36_1 + - rule_18_8_37_1 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1 - - level2 - - rule_18.8.36.1 + - level1-memberserver + - rule_18.8.37.1 - patch -- name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" +- name: "SCORED | 18.8.37.2 | PATCH | (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc name: RestrictRemoteClients data: 1 type: dword when: - - rule_18_8_36_2 + - rule_18_8_37_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2 - - rule_18.8.36.2 + - level2-memberserver + - rule_18.8.37.2 - patch -- name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" +- name: "SCORED | 18.8.47.5.1 | PATCH | (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy name: DisableQueryRemoteServer data: 0 type: dword - when: rule_18_8_44_5_1 + when: rule_18_8_47_5_1 tags: - - level2 - - rule_18.8.44.5.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.47.5.1 - patch -- name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled" +- name: "SCORED | 18.8.47.11.1 | PATCH |(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" 
win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} name: ScenarioExecutionEnabled data: 0 type: dword - when: rule_18_8_44_11_1 + when: rule_18_8_47_11_1 tags: - - level2 - - rule_18.8.44.11.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.47.11.1 - patch -- name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled" +- name: "SCORED | 18.8.49.1 | PATCH | (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo name: DisabledByGroupPolicy data: 1 type: dword - when: rule_18_8_46_1 + when: rule_18_8_49_1 tags: - - level2 - - rule_18.8.46.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.49.1 - patch -- name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled" +- name: "SCORED | 18.8.52.1.1 | PATCH | (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient name: Enabled data: 1 type: dword - when: rule_18_8_49_1_1 + when: rule_18_8_52_1_1 tags: - - level2 - - rule_18.8.49.1.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.8.52.1.1 - patch -- name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only" +- name: "SCORED | 18.8.52.1.2 | PATCH | (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" win_regedit: path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver name: Enabled - data: 1 + data: 0 type: dword when: - - rule_18_8_49_1_2 + - rule_18_8_52_1_2 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2 - - rule_18.8.49.1.2 + - level2-memberserver + - rule_18.8.52.1.2 - patch -- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled" +- name: "SCORED | 
18.9.4.1 | PATCH | (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager name: AllowSharedLocalAppData @@ -1443,11 +1432,12 @@ type: dword when: rule_18_9_4_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.4.1 - patch -- name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled" +- name: "SCORED | 18.9.6.1 | PATCH | (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: MSAOptional @@ -1455,12 +1445,12 @@ type: dword when: rule_18_9_6_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.6.1 - patch -- name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled" +- name: "SCORED | 18.9.8.1 | PATCH | (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoAutoplayfornonVolume @@ -1468,12 +1458,12 @@ type: dword when: rule_18_9_8_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.8.1 - patch -- name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands" +- name: "SCORED | 18.9.8.2 | PATCH | (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoAutorun 
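Review bot: The MS-only guard `- not ansible_windows_domain_role == "Primary domain controller"` used on 18.8.28.4, 18.8.37.1, 18.8.37.2 and 18.8.52.1.2 only excludes the domain controller holding the PDC emulator role; as far as I recall the setup module reports every other DC as "Backup domain controller", so those hosts would get unauthenticated RPC clients restricted and the Windows NTP server disabled, settings CIS scopes to member servers precisely because they interfere with DC services. Test the domain-controller values as a set on all four tasks, e.g. `- ansible_windows_domain_role not in ['Primary domain controller', 'Backup domain controller']`. Minor: the 18.8.47.11.1 title has `PATCH |(L2)` without the space every other title uses. The 18.8.22.1.13 task at the top of this hunk and the 18.9.4.1 task at its end both continue outside it.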
@@ -1481,12 +1471,12 @@ type: dword when: rule_18_9_8_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.8.2 - patch -- name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives" +- name: "SCORED | 18.9.8.3 | PATCH | (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoDriveTypeAutoRun @@ -1494,12 +1484,12 @@ type: dword when: rule_18_9_8_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.8.3 - patch -- name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled" +- name: "SCORED | 18.9.10.1.1 | PATCH | (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures name: EnhancedAntiSpoofing @@ -1507,12 +1497,12 @@ type: dword when: rule_18_9_10_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.10.1.1 - patch -- name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled" +- name: "SCORED | 18.9.12.1 | PATCH | (L2) Ensure 'Allow Use of Camera' is set to 'Disabled's" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Camera name: AllowCamera @@ -1520,11 +1510,12 @@ type: dword when: rule_18_9_12_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.12.1 - patch -- name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled" +- name: "SCORED | 18.9.13.1 | PATCH | (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent name: DisableWindowsConsumerFeatures 
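Review bot: The new 18.9.12.1 task title ends with `is set to 'Disabled's`, a stray `s` after the closing quote; task names are what show in play output and what `--list-tasks` greps target, so it should read `is set to 'Disabled'`. The win_regedit task for that rule continues past the hunk.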
@@ -1532,12 +1523,12 @@ type: dword when: rule_18_9_13_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.13.1 - patch -- name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" +- name: "SCORED | 18.9.14.1 | PATCH | (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect name: RequirePinForPairing @@ -1545,12 +1536,12 @@ type: dword when: rule_18_9_14_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.14.1 - patch -- name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled" +- name: "SCORED | 18.9.15.1 | PATCH | (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Credui name: DisablePasswordReveal @@ -1558,12 +1549,12 @@ type: dword when: rule_18_9_15_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.15.1 - patch -- name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled" +- name: "SCORED | 18.9.15.2 | PATCH | (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui name: EnumerateAdministrators 
@@ -1571,12 +1562,12 @@ type: dword when: rule_18_9_15_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.15.2 - patch -- name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" +- name: "SCORED | 18.9.16.1 | PATCH | (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: AllowTelemetry @@ -1584,12 +1575,12 @@ type: dword when: rule_18_9_16_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.16.1 - patch -- name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" +- name: "SCORED | 18.9.16.2 | PATCH | (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection name: DisableEnterpriseAuthProxy @@ -1597,11 +1588,12 @@ type: dword when: rule_18_9_16_2 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.16.2 - patch -- name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled" +- name: "SCORED | 18.9.16.3 | PATCH | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds name: EnableConfigFlighting 
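Review bot: After the rename, the 18.9.16.3 task still writes `PreviewBuilds\EnableConfigFlighting`, the value behind the old 'Disable pre-release features or settings' control, so the 'Do not show feedback notifications' setting the title now promises is not enforced, and the next hunk deletes the task that used to set it. Point this task at the feedback-notification value instead: `path: HKLM:\Software\Policies\Microsoft\Windows\DataCollection` and `name: DoNotShowFeedbackNotifications`, with the `data:` line just past this hunk set to `1`. The win_regedit task continues outside the hunk.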
@@ -1609,38 +1601,25 @@ type: dword when: rule_18_9_16_3 tags: - - level1 - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.16.3 - patch -- name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DoNotShowFeedbackNotifications - data: 1 - type: dword - when: rule_18_9_16_4 - tags: - - level1 - - level2 - - rule_18.9.16.4 - - patch - -- name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled" +- name: "SCORED | 18.9.16.4 | PATCH | (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds name: AllowBuildPreview data: 0 type: dword - when: rule_18_9_16_5 + when: rule_18_9_16_4 tags: - - level1 - - level2 - - rule_18.9.16.5 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.4 - patch -- name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "SCORED | 18.9.26.1.1 | PATCH | (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application name: Retention @@ -1648,12 +1627,12 @@ type: dword when: rule_18_9_26_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.1.1 - patch -- name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "SCORED | 18.9.26.1.2 | PATCH | (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application name: MaxSize 
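Review bot: The tags for rule_18_9_16_3 are changed from level1 to `level2-domaincontroller` / `level2-memberserver` although the task's title in the previous hunk marks it (L1), so a level1 run will silently skip this control. Unless the benchmark level really changed, keep `- level1-domaincontroller` and `- level1-memberserver` here, as the 18.9.16.4 task below this one does. Note also that the removed 18.9.16.4 task was the only place `DoNotShowFeedbackNotifications` was written and nothing in this hunk re-adds it.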
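Review bot: The Application `Retention` value is written with `type: dword` (the first context line of this hunk) while the Security, Setup and System Retention tasks further down the diff write theirs with `type: string`; the four cannot all be right, and as far as I recall the EventLog policy stores Retention as a REG_SZ "0", so the Application task should become `type: string` to match its siblings. The 18.9.26.1.2 task at the end of the hunk continues outside it.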
@@ -1661,12 +1640,12 @@ type: dword when: rule_18_9_26_1_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.1.2 - patch -- name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "SCORED | 18.9.26.2.1 | PATCH | (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: Retention @@ -1674,12 +1653,12 @@ type: string when: rule_18_9_26_2_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.2.1 - patch -- name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" +- name: "SCORED | 18.9.26.2.2 | PATCH | (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security name: MaxSize 
@@ -1687,25 +1666,25 @@ type: dword when: rule_18_9_26_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.2.2 - patch -- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "SCORED | 18.9.26.3.1 | PATCH | (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup name: Retention data: 0 type: string when: rule_18_9_26_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.3.1 - patch -- name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "SCORED | 18.9.26.3.2 | PATCH | (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup name: MaxSize @@ -1713,12 +1692,12 @@ type: dword when: rule_18_9_26_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.3.2 - patch -- name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" +- name: "SCORED | 18.9.26.4.1 | PATCH | (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: Retention 
@@ -1726,12 +1705,12 @@ type: string when: rule_18_9_26_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.4.1 - patch -- name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" +- name: "SCORED | 18.9.26.4.2 | PATCH | (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System name: MaxSize @@ -1739,12 +1718,12 @@ type: dword when: rule_18_9_26_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.26.4.2 - patch -- name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" +- name: "SCORED | 18.9.30.2 | PATCH | (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoDataExecutionPrevention @@ -1752,12 +1731,12 @@ type: dword when: rule_18_9_30_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.30.2 - patch -- name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled" +- name: "SCORED | 18.9.30.3 | PATCH | (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Explorer name: NoHeapTerminationOnCorruption 
@@ -1765,12 +1744,12 @@ type: dword when: rule_18_9_30_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.30.3 - patch -- name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled" +- name: "SCORED | 18.9.30.4 | PATCH | (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: PreXPSP2ShellProtocolBehavior @@ -1778,24 +1757,25 @@ type: dword when: rule_18_9_30_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.30.4 - patch -- name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled" +- name: "SCORED | 18.9.39.1 | PATCH | (L2) Ensure 'Turn off location' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors name: DisableLocation data: 1 type: dword - when: rule_18_9_39_2 + when: rule_18_9_39_1 tags: - - level2 - - rule_18.9.39.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.39.1 - patch -- name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled" +- name: "SCORED | 18.9.43.1 | PATCH | (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Messaging name: AllowMessageSync @@ -1803,11 +1783,12 @@ type: dword when: rule_18_9_43_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.43.1 - patch -- name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled" +- name: "SCORED | 18.9.44.1 | PATCH | (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount name: DisableUserAuth 
@@ -1815,12 +1796,12 @@ type: dword when: rule_18_9_44_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.44.1 - patch -- name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled" +- name: "SCORED | 18.9.52.1 | PATCH | (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive name: DisableFileSyncNGSC 
@@ -1828,399 +1809,388 @@ type: dword when: rule_18_9_52_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.52.1 - patch -- name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled" +- name: "SCORED | 18.9.59.2.2 | PATCH | (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DisablePasswordSaving data: 1 type: dword - when: rule_18_9_58_2_2 + when: rule_18_9_59_2_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.58.2.2 - patch -- name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" +- name: "SCORED | 18.9.59.3.2.1 | PATCH | (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fSingleSessionPerUser data: 1 type: dword - when: rule_18_9_58_3_2_1 + when: rule_18_9_59_3_2_1 tags: - - level2 - - rule_18.9.58.3.2.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.2.1 - patch -- name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" +- name: "SCORED | 18.9.59.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCcm data: 1 type: dword - when: rule_18_9_58_3_3_1 + when: rule_18_9_59_3_3_1 tags: - - level2 - - rule_18.9.58.3.3.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.1 - patch -- name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled" +- name: "SCORED | 18.9.59.3.3.2 | PATCH | (L1) Ensure 'Do not allow drive redirection' is set to 
'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableCdm data: 1 type: dword - when: rule_18_9_58_3_3_2 + when: rule_18_9_59_3_3_2 tags: - - level1 - - level2 - - rule_18.9.58.3.3.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.3.2 - patch -- name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" +- name: "SCORED | 18.9.59.3.3.3 | PATCH | (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisableLPT data: 1 type: dword - when: rule_18_9_58_3_3_3 + when: rule_18_9_59_3_3_3 tags: - - level2 - - rule_18.9.58.3.3.3 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.3 - patch -- name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" +- name: "SCORED | 18.9.59.3.3.4 | PATCH | (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fDisablePNPRedir data: 1 type: dword - when: rule_18_9_58_3_3_4 + when: rule_18_9_59_3_3_4 tags: - - level2 - - rule_18.9.58.3.3.4 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.4 - patch -- name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" +- name: "SCORED | 18.9.59.3.9.1 | PATCH | (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fPromptForPassword data: 1 type: dword - when: rule_18_9_58_3_9_1 + when: rule_18_9_59_3_9_1 tags: - - level1 - - level2 - - rule_18.9.58.3.9.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.1 - patch -- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 
Ensure Require secure RPC communication is set to Enabled" +- name: "SCORED | 18.9.59.3.9.2 | PATCH | (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: fEncryptRPCTraffic data: 1 type: dword - when: rule_18_9_58_3_9_2 + when: rule_18_9_59_3_9_2 tags: - - level1 - - level2 - - rule_18.9.58.3.9.2 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.2 + - patch -- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" +- name: "SCORED | 18.9.59.3.9.3 | PATCH | (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services - name: fEncryptRPCTraffic + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: SecurityLayer + data: 2 + type: dword + when: + - rule_18_9_59_3_9_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.3 + - patch + +- name: "SCORED | 18.9.59.3.9.4 | PATCH | (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: UserAuthentication data: 1 type: dword - when: rule_18_9_58_3_9_2 + when: + - rule_18_9_59_3_9_4 tags: - - level1 - - level2 - - rule_18.9.58.3.9.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.4 - patch -- name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level" +- name: "SCORED | 18.9.59.3.9.5 | PATCH | (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MinEncryptionLevel data: 3 type: dword - when: 
rule_18_9_58_3_9_3 + when: rule_18_9_59_3_9_5 tags: - - level1 - - level2 - - rule_18.9.58.3.9.3 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.5 - patch -- name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" +- name: "SCORED | 18.9.59.3.10.1 | PATCH | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxIdleTime data: 3600000 type: dword - when: rule_18_9_58_3_10_1 + when: rule_18_9_59_3_10_1 tags: - - level2 - - rule_18.9.58.3.10.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.1 - patch -- name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" +- name: "SCORED | 18.9.59.3.10.2 | PATCH | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: MaxDisconnectionTime data: 28800000 type: dword - when: rule_18_9_58_3_10_2 + when: rule_18_9_59_3_10_2 tags: - - level2 - - rule_18.9.58.3.10.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.2 - patch -- name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled" +- name: "SCORED | 18.9.59.3.11.1 | PATCH | (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: DeleteTempDirsOnExit data: 1 type: dword - when: rule_18_9_58_3_11_1 + when: rule_18_9_59_3_11_1 tags: - - level1 - - level2 - - rule_18.9.58.3.11.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.1 - patch -- name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use 
temporary folders per session is set to Disabled" +- name: "SCORED | 18.9.59.3.11.2 | PATCH | (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services name: PerSessionTempDir data: 1 type: dword - when: rule_18_9_58_3_11_2 + when: rule_18_9_59_3_11_2 tags: - - level1 - - level2 - - rule_18.9.58.3.11.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.2 - patch -- name: "SCORED | 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled" +- name: "SCORED | 18.9.60.1 | PATCH | (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds name: DisableEnclosureDownload data: 1 type: dword - when: rule_18_9_59_1 + when: rule_18_9_60_1 tags: - - level1 - - level2 - - rule_18.9.59.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.60.1 - patch -- name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" +- name: "SCORED | 18.9.61.2 | PATCH | (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowCloudSearch data: 0 type: dword - when: rule_18_9_60_2 + when: rule_18_9_61_2 tags: - - level2 - - rule_18.9.60.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.61.2 - patch -- name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled" +- name: "SCORED | 18.9.61.3 | PATCH | (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search name: AllowIndexingEncryptedStoresOrItems data: 0 type: dword - when: rule_18_9_60_3 + when: rule_18_9_61_3 tags: - - level1 - - level2 - - rule_18.9.60.3 + - level1-domaincontroller + - level1-memberserver + 
- rule_18.9.61.3 - patch -- name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled" +- name: "SCORED | 18.9.66.1 | PATCH | (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform name: NoGenTicket data: 1 type: dword - when: rule_18_9_65_1 + when: rule_18_9_66_1 tags: - - level2 - - rule_18.9.65.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.66.1 - patch -- name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" +- name: "SCORED | 18.9.77.3.1 | PATCH | (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: LocalSettingOverrideSpynetReporting data: 0 type: dword - when: rule_18_9_76_3_1 + when: rule_18_9_77_3_1 tags: - - level1 - - level2 - - rule_18.9.76.3.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.3.1 - patch -- name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled" +- name: "SCORED | 18.9.77.3.2 | PATCH | (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet name: SpynetReporting data: 0 type: dword - when: rule_18_9_76_3_2 + when: rule_18_9_77_3_2 tags: - - level2 - - rule_18.9.76.3.2 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.3.2 - patch -- name: "SCORED | 18.9.76.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled" +- name: "SCORED | 18.9.77.7.1 | PATCH | (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection name: DisableBehaviorMonitoring data: 0 type: dword - when: 
rule_18_9_76_7_1 + when: rule_18_9_77_7_1 tags: - - level1 - - level2 - - rule_18.9.76.7.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.7.1 - patch -- name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled" +- name: "SCORED | 18.9.77.9.1 | PATCH | (L2) Ensure 'Configure Watson events' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting name: DisableGenericRePorts data: 1 type: dword - when: rule_18_9_76_9_1 + when: rule_18_9_77_9_1 tags: - - level2 - - rule_18.9.76.9.1 + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.9.1 - patch -- name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled" +- name: "SCORED | 18.9.77.10.1 | PATCH | (L1) Ensure 'Scan removable drives' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableRemovableDriveScanning data: 0 type: dword - when: rule_18_9_76_10_1 + when: rule_18_9_77_10_1 tags: - - level1 - - level2 - - rule_18.9.76.10.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.1 - patch -- name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled" +- name: "SCORED | 18.9.77.10.2 | PATCH | (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan name: DisableEmailScanning data: 0 type: dword - when: rule_18_9_76_10_2 + when: rule_18_9_77_10_2 tags: - - level1 - - level2 - - rule_18.9.76.10.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.2 - patch -- name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" +- name: "SCORED | 18.9.77.13.3.1 | PATCH | (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows 
Defender\Windows Defender Exploit Guard\ASR - name: ExploitGuard_ASR_Rules + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + name: EnableNetworkProtection data: 1 type: dword - when: rule_18_9_76_13_1_1 - tags: - - level1 - - level2 - - rule_18.9.76.13.1.1 - - patch - -- name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - name: "{{ item }}" - data: 1 - type: string # aka REG_SZ - loop: - - 26190899-1602-49e8-8b27-eb1d0a1ce869 - - 3b576869-a4ec-4529-8536-b80a7769e899 - - 5beb7efe-fd9a-4556-801d-275e5ffc04cc - - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - - d3e037e1-3eb8-44c8-a917-57927947596d - - d4f940ab-401b-4efc-aadc-ad5f3c50688a - when: rule_18_9_76_13_1_2 + when: rule_18_9_77_13_3_1 tags: - - level1 - - level2 - - rule_18.9.76.13.1.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.3.1 - patch -- name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" +- name: "SCORED | 18.9.77.14 | PA | (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - name: ExploitGuard_ASR_Rules + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender + name: PUAProtection data: 1 type: dword - when: rule_18_9_76_13_3_1 + when: + - rule_18_9_77_14 tags: - - level1 - - level2 - - rule_18.9.76.13.3.1 + - level1-domaincontroller + - level1-memberserver + - 
rule_18.9.77.14 - patch -- name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled" +- name: "SCORED | 18.9.77.15 | PATCH | (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows Defender name: DisableAntiSpyware data: 0 type: dword - when: rule_18_9_76_14 + when: rule_18_9_77_15 tags: - - level1 - - level2 - - rule_18.9.76.14 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.15 - patch -- name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - name: DisallowExploitProtectionOverride - data: 1 - type: dword - when: rule_18_9_79_1_1 - tags: - - level1 - - level2 - - rule_18.9.79.1.1 - - patch - -- name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" +- name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" block: - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | EnableSmartScreen" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\System name: EnableSmartScreen data: 1 type: dword - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + + - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | ShellSmartScreenLevel" win_regedit: path: 
HKLM:\Software\Policies\Microsoft\Windows\System name: ShellSmartScreenLevel @@ -2228,12 +2198,12 @@ type: string when: rule_18_9_80_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.80.1.1 - patch -- name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" +- name: "SCORED | 18.9.84.1 | PATCH | (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace name: AllowSuggestedAppsInWindowsInkWorkspace @@ -2241,11 +2211,12 @@ type: dword when: rule_18_9_84_1 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.84.1 - patch -- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" +- name: "SCORED | 18.9.84.2 | PATCH | (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace name: AllowWindowsInkWorkspace @@ -2253,12 +2224,12 @@ type: dword when: rule_18_9_84_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.84.2 - patch -- name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled" +- name: "SCORED | 18.9.85.1 | PATCH | (L1) Ensure 'Allow user control over installs' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: EnableUserControl 
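Review bot: The renamed RDS timeout tasks now claim CIS values that the unchanged `data:` lines do not deliver: 18.9.59.3.10.1 ("15 minutes or less") still writes `MaxIdleTime` = 3600000 ms (60 minutes) and 18.9.59.3.10.2 ("1 minute") still writes `MaxDisconnectionTime` = 28800000 ms (8 hours), so a host patched by this role stays non-compliant while the task title says otherwise. Use `data: 900000` for MaxIdleTime and `data: 60000` for MaxDisconnectionTime, or rename the tasks to state the looser values actually enforced. Two smaller leftovers in the same hunk: the 18.9.59.2.2 task was renumbered in `when:` but its tag is still `- rule_18.9.58.2.2`, so `--tags rule_18.9.59.2.2` will not select it, and the 18.9.77.14 task name reads `| PA |` where every sibling uses `| PATCH |`, which breaks any tooling that greps on the PATCH/AUDIT column.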
@@ -2266,12 +2237,12 @@ type: dword when: rule_18_9_85_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.85.1 - patch -- name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" +- name: "SCORED | 18.9.85.2 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated @@ -2279,12 +2250,12 @@ type: dword when: rule_18_9_85_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.85.2 - patch -- name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" +- name: "SCORED | 18.9.85.3 | PATCH | (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Installer name: SafeForScripting @@ -2292,11 +2263,12 @@ type: dword when: rule_18_9_85_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.85.3 - patch -- name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" +- name: "SCORED | 18.9.86.1 | PATCH | (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System name: DisableAutomaticRestartSignOn 
@@ -2304,12 +2276,12 @@ type: dword when: rule_18_9_86_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.86.1 - patch -- name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled" +- name: "SCORED | 18.9.95.1 | PATCH | (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging name: EnableScriptBlockLogging 
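Review bot: Task 18.9.95.1 now states that PowerShell Script Block Logging is set to 'Disabled', and nothing in the task or role documents that this turns off one of the most valuable PowerShell detection sources (event 4104) that defenders typically rely on. If this follows the benchmark text for the targeted revision, add a comment above the task such as `# NOTE: the benchmark prescribes Disabled; environments shipping PowerShell logs to a SIEM should set rule_18_9_95_1: false and enable script block logging instead`, so an operator can make a deliberate choice rather than lose telemetry silently. The `data:` value for `EnableScriptBlockLogging` lies outside this hunk, so I cannot confirm it matches the title.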
@@ -2317,51 +2289,55 @@ type: dword when: rule_18_9_95_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.95.1 - patch -- name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled" +- name: "SCORED | 18.9.95.2 | PATCH | (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription name: EnableTranscripting - data: 1 + data: 0 type: dword when: rule_18_9_95_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.95.2 - patch -- name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" +- name: "SCORED | 18.9.97.1.1 | PATCH | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowBasic data: 0 type: dword - when: rule_18_9_97_1_1 + when: + - rule_18_9_97_1_1 + - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.1 - patch -- name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" +- name: "SCORED | 18.9.97.1.2 | PATCH | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowUnencryptedTraffic data: 0 type: dword - when: rule_18_9_97_1_2 + when: + - rule_18_9_97_1_2 + - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.2 - patch -- name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled" +- name: "SCORED | 18.9.97.1.3 | PATCH | (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client name: AllowDigest 
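Review bot: The new `- not win_skip_for_test` guards on 18.9.97.1.1, 18.9.97.1.2 and 18.9.97.2.1 mean that `AllowBasic` and `AllowUnencryptedTraffic` for both the WinRM client and service are never hardened unless an operator explicitly sets the variable to false; if the role default is true, as the variable name suggests, these L1 controls are skipped on every production run while the play reports success. A test-only switch should default to false and be named for what it does, e.g. `win_skip_for_test: false  # set true only in CI where the controller connects over unencrypted Basic auth`, or the guard should be limited to the service-side settings that can actually break the Ansible connection. Also note the `EnableTranscripting` change from 1 to 0 is the right fix for a task titled 'Disabled', but the same detection caveat as script block logging applies and would be worth a comment.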
@@ -2369,185 +2345,211 @@ type: dword when: rule_18_9_97_1_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.1.3 - patch -- name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" +- name: "SCORED | 18.9.97.2.1 | PATCH | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowBasic data: 0 type: dword - when: rule_18_9_97_2_1 + when: + - rule_18_9_97_2_1 + - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.1 - patch #This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled" +- name: "SCORED | 18.9.97.2.2 | PATCH | (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowAutoConfig - data: 1 + data: 0 type: dword when: - rule_18_9_97_2_2 - - is_implemented + - not win_skip_for_test tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.97.2.2 - patch -- name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" +- name: "SCORED | 18.9.97.2.3 | PATCH | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: AllowUnencryptedTraffic data: 0 type: dword - when: rule_18_9_97_2_3 + when: + - rule_18_9_97_2_3 + - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.3 - patch -- name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" +- name: "SCORED | 18.9.97.2.4 | PATCH | 
(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service name: DisableRunAs data: 1 type: dword - when: rule_18_9_97_2_4 + when: + - rule_18_9_97_2_4 + # - not win_skip_for_test tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.97.2.4 - patch #This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart -- name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled" +- name: "SCORED | 18.9.98.1 | PATCH | (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs name: AllowRemoteShellAccess - data: 1 + data: 0 type: dword when: - rule_18_9_98_1 - is_implemented + - not win_skip_for_test tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_18.9.98.1 - patch -- name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds" +- name: "SCORED | 18.9.99.2.1 | PATCH | (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + name: DisallowExploitProtectionOverride + data: 1 + type: dword + when: rule_18_9_99_2_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.99.2.1 + - patch + +- name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'" block: - - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" win_regedit: path: 
HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuilds data: 1 type: dword - - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + + - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: ManagePreviewBuildsPolicyValue data: 0 type: dword - when: rule_18_9_101_1_1 + when: rule_18_9_102_1_1 tags: - - level1 - - level2 - - rule_18.9.101.1.1 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.1 - patch -- name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" +- name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'" block: - - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdates" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdates data: 1 type: dword - - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdatesPeriodInDays" win_regedit: 
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: DeferFeatureUpdatesPeriodInDays data: 180 type: dword - - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | BranchReadinessLevel" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate name: BranchReadinessLevel data: 16 type: dword - when: rule_18_9_101_1_2 + when: rule_18_9_102_1_2 tags: - - level1 - - level2 - - rule_18.9.101.1.2 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.2 - patch -- name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days" +- name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'" block: - - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdates" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdates data: 1 type: dword - - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + + - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdatesPeriodInDays" win_regedit: path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate name: DeferQualityUpdatesPeriodInDays data: 0 type: dword - when: rule_18_9_101_1_3 + when: rule_18_9_102_1_3 tags: - - 
level1 - - level2 - - rule_18.9.101.1.3 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.3 - patch -- name: "SCORED | 18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled" +- name: "SCORED | 18.9.102.2 | PATCH | (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoUpdate data: 0 type: dword - when: rule_18_9_101_2 + when: rule_18_9_102_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_18.9.101.2 - patch -- name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" +- name: "SCORED | 18.9.102.3 | PATCH | (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: ScheduledInstallDay data: 0 type: dword - when: rule_18_9_101_3 + when: rule_18_9_102_3 tags: - - level1 - - level2 - - rule_18.9.101.3 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.3 - patch -- name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" +- name: "SCORED | 18.9.102.4 | PATCH | (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" win_regedit: path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au name: NoAutoRebootWithLoggedOnUsers data: 0 type: dword - when: rule_18_9_101_4 + when: rule_18_9_102_4 tags: - - level1 - - level2 - - rule_18.9.101.4 + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.4 - patch diff --git a/tasks/section19.yml b/tasks/section19.yml index 198b3fb..1eb28e1 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml 
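Review bot: The comments kept above 18.9.97.2.2 and 18.9.98.1 still say "This control will have to be set to Enabled (1) to allow for continued remote management via Ansible", but both tasks now write `data: 0`, and 18.9.97.2.2 additionally lost its `- is_implemented` guard, so once `win_skip_for_test` is false the role sets `AllowAutoConfig` and `AllowRemoteShellAccess` to 0 and cuts off its own WinRM management channel after the next restart. Either restore `- is_implemented` on 18.9.97.2.2 so the lockout stays opt-in like 18.9.98.1, or replace the stale comment with `# WARNING: data 0 disables WinRM remote management; only apply to hosts reachable by another channel`. The dead `# - not win_skip_for_test` line on 18.9.97.2.4 should be removed: `DisableRunAs` does not affect Ansible connectivity, so the guard is not needed there and the commented-out condition only invites confusion. The 18.9.102.2 task also kept the old tag `- rule_18.9.101.2` after its `when:` was renumbered.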
@@ -1,13 +1,14 @@ --- -- name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" +- name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'" block: - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + - name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive data: 1 type: string - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + + - name: "SCORED | 19.1.3.1 | PATCH |(L1) Ensure 'Enable screen saver' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveActive 
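Review bot: The second task name in the 19.1.3.1 block drops the space after the `PATCH |` separator (`PATCH |(L1) Ensure`), while every other renamed task in this file keeps `PATCH | (L1)`; it should read `"SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'"`. Anything that filters play output or builds a compliance report from the `SCORED | id | PATCH | ` prefix would treat this one task differently from the rest. The block continues past the hunk, so its `when` and tags are not visible here.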
@@ -15,20 +16,21 @@ type: string when: rule_19_1_3_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.1 - patch -- name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" +- name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" block: - - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: SCRNSAVE.EXE data: scrnsave.scr type: string - - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + + - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: SCRNSAVE.EXE 
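Review bot: Replacing `level1`/`level2` with only `level1-domaincontroller`/`level1-memberserver` on this Level 1 task changes which runs apply it: before the change a run limited to `--tags level2` also picked up every L1 control, matching the benchmark convention that a Level 2 profile includes Level 1, whereas afterwards a run limited to `level2-*` tags would silently skip it unless that inclusion is handled elsewhere in the role, which this diff does not show. The same tag rewrite appears in the hunks for 19.1.3.3, 19.1.3.4, 19.5.1.1, 19.7.4.1, 19.7.4.2, 19.7.7.1, 19.7.7.2 and 19.7.26.1. If the intent is that consumers always pass `level1-*` together with `level2-*`, a one-line comment above the first task in this file stating that would stop callers from assuming the old superset behavior. The enclosing 19.1.3.2 block ends outside the hunk.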
@@ -36,20 +38,21 @@ type: string when: rule_19_1_3_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.2 - patch -- name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" +- name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" block: - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure data: 1 type: string - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + + - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaverIsSecure 
@@ -57,20 +60,21 @@ type: string when: rule_19_1_3_3 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.3 - patch -- name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" +- name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" block: - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut data: 900 type: string - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + + - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop name: ScreenSaveTimeOut 
@@ -78,20 +82,21 @@ type: string when: rule_19_1_3_4 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.1.3.4 - patch -- name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" +- name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" block: - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen data: 1 type: dword - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + + - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications name: NoToastApplicationNotificationOnLockScreen 
@@ -99,40 +104,43 @@ type: dword when: rule_19_5_1_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.5.1.1 - patch -- name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" +- name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" block: - - name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - - name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + + - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 name: NoImplicitFeedback data: 1 type: dword - when: rule_19_6_5_1_1 + when: rule_19_6_6_1_1 tags: - - level2 - - rule_19.6.5.1.1 + - level2-domaincontroller + - level2-memberserver + - rule_19.6.6.1.1 - patch -- name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" +- name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" block: - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation data: 3 type: dword - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve 
zone information in file attachments is set to Disabled" + + - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" win_regedit: path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments name: SaveZoneInformation @@ -140,20 +148,21 @@ type: dword when: rule_19_7_4_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.1 - patch -- name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" +- name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" block: - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus data: 3 type: dword - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + + - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments name: ScanWithAntiVirus 
@@ -161,20 +170,21 @@ type: dword when: rule_19_7_4_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.4.2 - patch -- name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" +- name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" block: - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight data: 2 type: dword - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + + - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: ConfigureWindowsSpotlight 
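Review bot: The three new 19.7.7.1 task names have an unbalanced quote, `is set to Disabled'`, where the opening quote before `Disabled` was dropped; every other task in this file writes the expected value as `'Disabled'` or `'Enabled'`. Each of the three lines should end `... is set to 'Disabled'"`. The block continues past the hunk.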
@@ -182,20 +192,21 @@ type: dword when: rule_19_7_7_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.1 - patch -- name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" +- name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions data: 1 type: dword - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + + - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableThirdPartySuggestions 
@@ -203,20 +214,21 @@ type: dword when: rule_19_7_7_2 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.7.2 - patch -- name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" +- name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData data: 1 type: dword - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + + - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableTailoredExperiencesWithDiagnosticData 
@@ -224,19 +236,21 @@ type: dword when: rule_19_7_7_3 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.3 - patch -- name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" +- name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures data: 1 type: dword - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + + - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent name: DisableWindowsSpotlightFeatures 
@@ -244,19 +258,21 @@ type: dword when: rule_19_7_7_4 tags: - - level2 + - level2-domaincontroller + - level2-memberserver - rule_19.7.7.4 - patch -- name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" +- name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" block: - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing data: 1 type: dword - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + + - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer name: NoInplaceSharing 
@@ -264,49 +280,52 @@ type: dword when: rule_19_7_26_1 tags: - - level1 - - level2 + - level1-domaincontroller + - level1-memberserver - rule_19.7.26.1 - patch -- name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" +- name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" block: - - name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - - name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + + - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windows\Installer name: AlwaysInstallElevated data: 0 type: dword - when: rule_19_7_40_1 + when: rule_19_7_41_1 tags: - level1 - level2 - - rule_19.7.40.1 + - rule_19.7.41.1 - patch -- name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" +- name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" block: - - name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" win_regedit: path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer name: PreventCodecDownload data: 1 type: dword - - name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + + - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" win_regedit: path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer 
name: PreventCodecDownload data: 1 type: dword - when: rule_19_7_44_2_1 + when: rule_19_7_45_2_1 tags: - - level2 - - rule_19.7.44.2.1 + - level2-domaincontroller + - level2-memberserver + - rule_19.7.45.2.1 - patch
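Review bot: The 19.7.41.1 task keeps its old `- level1` / `- level2` tags while every other task in this hunk and in the rest of the file was moved to the new `level1-domaincontroller` / `level1-memberserver` scheme, so a run selecting the new tags will skip `AlwaysInstallElevated: 0`, one of the more consequential controls in the section because it governs whether Windows Installer packages run with elevated rights for any user. The two tag lines should become `- level1-domaincontroller` and `- level1-memberserver`, matching 19.7.26.1 directly above. A related left-over is visible in the section18.yml hunk at the top of this chunk, where the 18.9.102.2 task has its name and `when` renumbered but still carries the tag `rule_18.9.101.2`. The diff appears to end with this hunk; if the file continues, the remaining lines are outside the view.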