Merge pull request #29 from ansible-lockdown/april_2021_updates
April 2021 updates
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
georgenalen authored Apr 12, 2021
2 parents 04c0a10 + e2e1c51 commit 6496f6d
Showing 5 changed files with 17 additions and 17 deletions.
4 changes: 2 additions & 2 deletions tasks/section02.yml
Expand Up @@ -874,7 +874,7 @@
win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
name: disablepasswordchange
data: 1
data: 0
type: dword
when:
- rule_2_3_6_4
Expand Down Expand Up @@ -1378,7 +1378,7 @@
win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
name: SupportedEncryptionTypes
data: 2147483644
data: 2147483640
type: dword
when:
- rule_2_3_11_4
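Review bot: the new `data: 2147483640` for `SupportedEncryptionTypes` is an undocumented bitmask; add a comment on that line giving the hex form (0x7FFFFFF8) and what it selects. Compared with the old 2147483644 (0x7FFFFFFC) it clears bit 0x4, the RC4_HMAC_MD5 flag, leaving AES128, AES256 and the future encryption types. None of that is readable from the decimal value, and the next edit to this mask is easy to get wrong without it.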
6 changes: 3 additions & 3 deletions tasks/section09.yml
Expand Up @@ -43,7 +43,7 @@
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
name: DisableNotifications
data: 0
data: 1
type: dword
when:
- rule_9_1_4
Expand Down Expand Up @@ -154,7 +154,7 @@
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
name: DisableNotifications
data: 0
data: 1
type: dword
when:
- rule_9_2_4
Expand Down Expand Up @@ -265,7 +265,7 @@
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
name: DisableNotifications
data: 0
data: 1
type: dword
when:
- rule_9_3_4
2 changes: 1 addition & 1 deletion tasks/section17.yml
Expand Up @@ -278,7 +278,7 @@
register: rule_17_5_1_audit

- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure"
win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable
win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
when: "'Failure' not in rule_17_5_1_audit.stdout"
when:
- rule_17_5_1
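Review bot: the guard `when: "'Failure' not in rule_17_5_1_audit.stdout"` on the patch task matches an English word in AuditPol's text output, so it is fragile on hosts with a non-English display language, where the task would run on every play. The command uses no shell features, so `win_command` is enough here; better still, consider the `win_audit_policy_system` module from community.windows, which sets the subcategory idempotently and removes the need for the string match.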
18 changes: 9 additions & 9 deletions tasks/section18.yml
Expand Up @@ -237,7 +237,7 @@
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
name: DisableExceptionChainValidation
data: 1
data: 0
type: dword
state: present
when:
Expand Down Expand Up @@ -271,8 +271,8 @@
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
state: present
name: NodeType
value: "{{ netbt_nodetype }}"
value: NodeType
data: "{{ netbt_nodetype }}"
datatype: dword
when:
- rule_18_3_6
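Review bot: this task now uses the alias spellings `value: NodeType` and `datatype: dword`, while every other win_regedit task in this commit uses `name:` and `type:`; switch to `name: NodeType` and `type: dword` for consistency. The removed lines set both `name:` and `value:` with no `data:`, which is the mistake the alias invites: `value` reads like the data field but is the entry name.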
Expand Down Expand Up @@ -745,7 +745,7 @@
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
name: fMinimizeConnections
data: 1
data: 3
type: dword
when:
- rule_18_5_21_1
Expand Down Expand Up @@ -1754,7 +1754,7 @@
path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
name: Retention
data: 0
type: dword
type: string
when:
- rule_18_9_26_1_1
tags:
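Review bot: with `type: string` the unquoted `data: 0` on the `Retention` entry is parsed by YAML as an integer; quote it as `data: "0"` so the task states explicitly that a string is written. The same applies to the `Retention` task for the Setup log in the next hunk.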
Expand Down Expand Up @@ -1807,7 +1807,7 @@

- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
name: Retention
data: 0
type: string
Expand Down Expand Up @@ -2352,7 +2352,7 @@
- name: "SCORED | 18.9.77.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
name: ExploitGuard_ASR_Rules
name: EnableNetworkProtection
data: 1
type: dword
when:
Expand Down Expand Up @@ -2502,7 +2502,7 @@
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
name: EnableScriptBlockLogging
data: 1
data: 0
type: dword
when:
- rule_18_9_95_1
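Review bot: `data: 0` for `EnableScriptBlockLogging` turns PowerShell script block logging off, and the task name that would justify it is outside the hunk; confirm that this is the state rule 18.9.95.1 asks for and record that in a comment next to the value. Script block logging is a primary source for detection and incident response on Windows, so consider taking the value from a variable so that sites relying on it can keep it enabled without editing the task. The same point applies to `EnableTranscripting` in the next hunk.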
Expand All @@ -2516,7 +2516,7 @@
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
name: EnableTranscripting
data: 1
data: 0
type: dword
when:
- rule_18_9_95_2
4 changes: 2 additions & 2 deletions tasks/section19.yml
Expand Up @@ -143,14 +143,14 @@
win_regedit:
path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
name: SaveZoneInformation
data: 3
data: 2
type: dword

- name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
win_regedit:
path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
name: SaveZoneInformation
data: 3
data: 2
type: dword
when:
- rule_19_7_4_1
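Review bot: the second task writes `SaveZoneInformation` under `HKCU:\`, which in an Ansible run resolves to the hive of the account the play connects as, not to the users who log on interactively, so the setting will not reach their profiles. Document that limitation on the task or apply the value per user hive. Also, no `when:` is visible between the `HKU:\.DEFAULT` task and the next task name, so check that the first task is still gated by `rule_19_7_4_1`.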