diff --git a/.ansible-lint b/.ansible-lint new file mode 100755 index 0000000..f2a7e7c --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,11 @@ +parseable: true +quiet: true +skip_list: + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' +use_default_rules: true +verbosity: 0 diff --git a/.yamllint b/.yamllint new file mode 100755 index 0000000..93378b9 --- /dev/null +++ b/.yamllint @@ -0,0 +1,20 @@ +--- +ignore: | + tests/ + molecule/ + .gitlab-ci.yml + *molecule.yml + +extends: default + +rules: + indentation: + spaces: 4 + truthy: disable + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable diff --git a/defaults/main.yml b/defaults/main.yml index 8382e3e..237d569 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -35,10 +35,10 @@ workaround_for_ssg_benchmark: true # tweak role to run in a non-privileged container system_is_container: no -#set to false to skip tasks that either have not been developed or cannot be automated +# set to false to skip tasks that either have not been developed or cannot be automated is_implemented: false -#set to false to skip long running tasks +# set to false to skip long running tasks long_running: false win_skip_for_test: false @@ -446,6 +446,20 @@ rule_19_7_41_1: true rule_19_7_45_2_1: true +# Section 2 Variables + +# 2.2.18 +# is_hyperv_installed is Hyper-V installed +is_hyperv_installed: false + +# 2.3.1.5 +# win19cis_admin_username is the name the administrator account will be renamed to +win19cis_admin_username: adminchangethis + +# 2.3.1.6 +# win19cis_guest_username is the name the guest account will be renamed to +win19cis_guest_username: guestchangethis + # This SID is the same for standalone, member, domain controller for 'Administrators' group sedebugprivilege: "*S-1-5-32-544" 
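Review bot: The new `.ansible-lint` puts `'303'`, `'305'`, `'306'` and `'403'` in `skip_list`, which silently turns off the command-vs-module, shell-usage, pipefail and package-`latest` checks for the whole role rather than for the specific tasks that trip them. A skip hides exactly the findings a reviewer wants to see on a hardening role (unpinned installs, shell pipelines that do not fail early); `warn_list` keeps them visible without failing the run, and a per-task `# noqa 305` with a reason is the right tool for a justified exception. At minimum a comment above the list, e.g. `# 303/305/306 skipped: win_shell/win_command are required for secedit work; 403 skipped: no package installs in this role`, would record why each rule is off — I cannot see the tasks that motivated the list, so the wording is a guess to be confirmed.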
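Review bot: The new `win19cis_admin_username: adminchangethis` and `win19cis_guest_username: guestchangethis` defaults are guessable placeholders that 2.3.1.5 and 2.3.1.6 will apply verbatim on every host where an operator forgets to override them, so the "rename" produces another well-known account name. Since the role already fails tasks on conditions, a guard before the rename tasks would make the mistake loud instead of silent, e.g. `assert:` / `that: win19cis_admin_username != 'adminchangethis'` / `fail_msg: "override win19cis_admin_username before applying 2.3.1.5"`, and likewise for the guest name. The comment on `is_hyperv_installed` could also say that it is an operator-supplied flag and is not detected from facts, since nothing in the hunk derives it.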
@@ -514,7 +528,19 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB public_firewall_log_size: 16,384 +# Control 18.2.5 +# laps_passwordlength is the LAPS tool password length. +# To conform to CIS standards please use a min value of 15 and max value of 127 +laps_passwordlength: 15 + +# Control 18.2.6 +# laps_passwordagedays is the LAPS tool password age in days +# To conform to CIS standards please use a max value of 30 +laps_passwordagedays: 30 + # 18.3.6 # netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType # Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS -netbt_nodetype: 2 \ No newline at end of file +netbt_nodetype: 2 + + diff --git a/meta/main.yml b/meta/main.yml index 793e52d..c6e3de7 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,10 +4,11 @@ galaxy_info: description: "Ansible role to apply Windows Server 2019 CIS Benchmark" company: "MindPoint Group" license: MIT + role_name: windows_2019_cis min_ansible_version: 2.6 platforms: - - name: Windows Server + - name: Windows versions: - 2019 diff --git a/tasks/section01.yml b/tasks/section01.yml index 8ea7d90..a1fb085 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -15,12 +15,12 @@ key: PasswordHistorySize value: "{{ passwordhistorysize }}" when: - - rule_1_1_1 + - rule_1_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.1 + - patch - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" block: 
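Review bot: The hunk replaces the missing newline after `netbt_nodetype: 2` with two added blank lines at end of file, which the `.yamllint` introduced in this same commit (it `extends: default`, whose `empty-lines` rule sets `max-end: 0`, and `defaults/` is not in its `ignore` list) will report; keep exactly one trailing newline. Separately, `laps_passwordlength: 15` sits at the floor the comment above it describes as the CIS minimum, so a one-line caveat such as `# 15 is the CIS floor; raise it where the environment allows` would make clear that the default is a minimum, not a recommendation. The `# To conform to CIS stadnards` typo on the firewall-log comment is in the context lines, not this change, but could be fixed while the block is being touched.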
@@ -38,12 +38,12 @@ key: MaximumPasswordAge value: "{{ maximumpasswordage }}" when: - - rule_1_1_2 + - rule_1_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.2 + - patch - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" block: @@ -61,12 +61,12 @@ key: MinimumPasswordAge value: "{{ minimumpasswordage }}" when: - - rule_1_1_3 + - rule_1_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.3 + - patch - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" block: @@ -83,12 +83,13 @@ section: System Access key: MinimumPasswordLength value: "{{ minimumpasswordlength }}" - when: rule_1_1_4 + when: + - rule_1_1_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.4 + - patch - name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" win_security_policy: 
@@ -96,26 +97,27 @@ key: PasswordComplexity value: 1 when: - - rule_1_1_5 + - rule_1_1_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.5 + - patch - name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" win_security_policy: - section: System Access - key: ClearTextPassword - value: "0" + section: System Access + key: ClearTextPassword + value: "0" when: - - rule_1_1_6 + - rule_1_1_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.6 + - patch +# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" block: - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" 
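Review bot: The relocated comment `# Speelman | added because of this error "Failed to import secedit.ini file from ...` now sits above the 1.2.1 AUDIT task, but what it explains is the `is_implemented` gate on the 1.2.1 PATCH task that follows in the next hunk, and the string literal it quotes is never closed. Rewording it to name the thing it justifies keeps the reason attached to the gate, e.g. `# 1.2.1 PATCH is gated on is_implemented: win_security_policy LockoutDuration failed with "Failed to import secedit.ini file ..." (Speelman)`. The 1.2.1 AUDIT block itself continues past the end of this hunk, so I cannot see what the audit step does with the result.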
@@ -128,31 +130,31 @@ - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" + section: System Access + key: LockoutDuration + value: "{{ lockoutduration }}" when: - - rule_1_2_1 - - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp + - rule_1_2_1 + - is_implemented tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.1 + - patch -#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable +# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable - name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" win_security_policy: section: System Access key: LockoutBadCount value: "{{ lockoutbadcount }}" when: - - rule_1_2_2 + - rule_1_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.2 + - patch - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" block: @@ -170,9 +172,9 @@ key: ResetLockoutCount value: "{{ resetlockoutcount }}" when: - - rule_1_2_3 + - rule_1_2_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.3 + - patch diff --git a/tasks/section02.yml b/tasks/section02.yml index b2bbce8..36f8841 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml 
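Review bot: The 1.2.1 PATCH task keeps `- is_implemented` in its `when` and this hunk removes the inline comment that explained it, so with `is_implemented: false` from defaults/main.yml the account-lockout-duration setting is never applied on a default run even though the task is tagged `patch`, and the file no longer says why. The comment immediately below, `# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable`, also contradicts the task order on the new side: 1.2.1's PATCH precedes 1.2.2 in the file, so the moment `is_implemented` is flipped to true the lockout duration is written before the threshold that makes it meaningful. Moving the 1.2.2 task above 1.2.1, or at least annotating the gate with `- is_implemented  # LockoutDuration import currently fails; must also run after 1.2.2`, would keep intent and behaviour aligned; 1.2.3's block starts in this hunk but its ordering relative to 1.2.2 is fine as shown.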
@@ -1,45 +1,46 @@ --- - name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" win_user_right: - name: SeTrustedCredManAccessPrivilege - users: [] - action: set + name: SeTrustedCredManAccessPrivilege + users: [] + action: set when: - - rule_2_2_1 + - rule_2_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.1 + - patch - name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" win_user_right: - name: SeNetworkLogonRight - users: - - Administrators - - Authenticated Users - action: set + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set when: - - rule_2_2_2 or rule_2_2_3 + - rule_2_2_2 or + rule_2_2_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.2 - - rule_2.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.2 + - rule_2.2.3 + - patch - name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" win_user_right: - name: SeTcbPrivilege - users: [] - action: set + name: SeTcbPrivilege + users: [] + action: set when: - - rule_2_2_4 + - rule_2_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.4 + - patch - name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" win_user_right: 
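Review bot: The 2.2.2 & 2.2.3 task is titled "... ENTERPRISE DOMAIN CONTROLLERS DC only" but sets `SeNetworkLogonRight` to only `Administrators` and `Authenticated Users` with no domain-role condition, so on a domain controller the `action: set` removes ENTERPRISE DOMAIN CONTROLLERS from the right that the title itself says DCs must keep. The `when` was also split into `- rule_2_2_2 or` followed by `rule_2_2_3` on the next line, which YAML folds into a single plain scalar; it works, but a reader will misread it as two conditions, and it should stay on one line (the same pattern appears for 2.2.8 & 2.2.9 and 2.2.37 & 2.2.38 further down). I would split the control into a DC task with the full list and a member-server task, reusing the `ansible_windows_domain_role` check the file already uses for its other DC-only rules; note that check matches only "Primary domain controller", which may exclude additional DCs, but that is a role-wide question rather than this hunk's.

```yaml
- name: "SCORED | 2.2.2 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only"
  win_user_right:
      name: SeNetworkLogonRight
      users:
          - Administrators
          - Authenticated Users
          - ENTERPRISE DOMAIN CONTROLLERS
      action: set
  when:
      - rule_2_2_2
      - ansible_windows_domain_role == "Primary domain controller"
  tags:
      - level1-domaincontroller
      - rule_2.2.2
      - patch

- name: "SCORED | 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users MS only"
  win_user_right:
      name: SeNetworkLogonRight
      users:
          - Administrators
          - Authenticated Users
      action: set
  when:
      - rule_2_2_3
      - not ansible_windows_domain_role == "Primary domain controller"
  tags:
      - level1-memberserver
      - rule_2.2.3
      - patch
# … unchanged: 2.2.1, 2.2.4 and the start of 2.2.5 …
```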
@@ -47,1582 +48,1594 @@ users: Administrators action: set when: - - rule_2_2_5 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_5 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.5 - - patch + - level1-domaincontroller + - rule_2.2.5 + - patch - name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" win_user_right: - name: SeIncreaseQuotaPrivilege - users: - - Administrators - - Local Service - - Network Service - action: set + name: SeIncreaseQuotaPrivilege + users: + - Administrators + - Local Service + - Network Service + action: set when: - - rule_2_2_6 + - rule_2_2_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.6 + - patch - name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" win_user_right: - name: SeInteractiveLogonRight - users: - - Administrators - action: set + name: SeInteractiveLogonRight + users: + - Administrators + action: set when: - - rule_2_2_7 + - rule_2_2_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.7 + - patch - name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" win_user_right: - name: SeRemoteInteractiveLogonRight - users: - - Administrators - - Remote Desktop Users - action: set + name: SeRemoteInteractiveLogonRight + users: + - Administrators + - Remote Desktop Users + action: set when: - - rule_2_2_8 or rule_2_2_9 + - rule_2_2_8 or + rule_2_2_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.8 - - rule_2.2.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.8 + - rule_2.2.9 + - patch - name: "SCORED | 2.2.10 | 
PATCH | L1 Ensure Back up files and directories is set to Administrators" win_user_right: - name: SeBackupPrivilege - users: - - Administrators - action: set + name: SeBackupPrivilege + users: + - Administrators + action: set when: - - rule_2_2_10 + - rule_2_2_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.10 + - patch - name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" win_user_right: - name: SeSystemTimePrivilege - users: - - Administrators - - Local Service - action: set + name: SeSystemTimePrivilege + users: + - Administrators + - Local Service + action: set when: - - rule_2_2_11 + - rule_2_2_11 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.11 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.11 + - patch - name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" win_user_right: - name: SeTimeZonePrivilege - users: - - Administrators - - Local Service - action: set + name: SeTimeZonePrivilege + users: + - Administrators + - Local Service + action: set when: - - rule_2_2_12 + - rule_2_2_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.12 + - patch - name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" win_user_right: - name: SeCreatePagefilePrivilege - users: - - Administrators - action: set + name: SeCreatePagefilePrivilege + users: + - Administrators + action: set when: - - rule_2_2_13 + - rule_2_2_13 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.13 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.13 + - patch - name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" win_user_right: - name: 
SeCreateTokenPrivilege - users: [] - action: set + name: SeCreateTokenPrivilege + users: [] + action: set when: - - rule_2_2_14 + - rule_2_2_14 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.14 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.14 + - patch - name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" win_user_right: - name: SeCreateGlobalPrivilege - users: - - Administrators - - Local Service - - Network Service - - Service - action: set + name: SeCreateGlobalPrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set when: - - rule_2_2_15 + - rule_2_2_15 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.15 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.15 + - patch - name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" win_user_right: - name: SeCreatePermanentPrivilege - users: [] - action: set + name: SeCreatePermanentPrivilege + users: [] + action: set when: - - rule_2_2_16 + - rule_2_2_16 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.16 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.16 + - patch - name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" win_user_right: - name: SeCreateSymbolicLinkPrivilege - users: - - Administrators - action: set + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set when: - - rule_2_2_17 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_17 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.17 - - patch + - level1-domaincontroller + - rule_2.2.17 + - patch - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL 
MACHINEVirtual Machines MS only" - win_user_right: - name: SeCreateSymbolicLinkPrivilege - users: - - Administrators - - NT VIRTUAL MACHINE\Virtual Machines - action: set - when: - - rule_2_2_18 - - ansible_windows_domain_role == "Member server" - tags: - - level1-memberserver - - rule_2.2.18 - - patch + block: + - name: "SCORED | 2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set + when: not is_hyperv_installed + + - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + - NT VIRTUAL MACHINE\Virtual Machines + action: set + when: is_hyperv_installed + when: + - rule_2_2_18 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-memberserver + - rule_2.2.18 + - patch - name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" win_user_right: - name: SeDebugPrivilege - users: - - Administrators - action: set + name: SeDebugPrivilege + users: + - Administrators + action: set when: - - rule_2_2_19 + - rule_2_2_19 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.19 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.19 + - patch - #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes +# Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes - name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" win_user_right: - name: SeDenyNetworkLogonRight - users: - - Guests - action: set - when: - - rule_2_2_20 - - 
ansible_windows_domain_role == "Primary domain controller" - tags: - - level1-domaincontroller - - rule_2.2.20 - - patch + name: SeDenyNetworkLogonRight + users: + - Guests + action: set + when: + - rule_2_2_20 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_2.2.20 + - patch - name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" win_user_right: - name: SeDenyNetworkLogonRight - users: - - Guests - #- Local Account - #- Administrators - action: set - when: - - rule_2_2_21 - - ansible_windows_domain_member - tags: - - level1-memberserver - - rule_2.2.21 - - patch + name: SeDenyNetworkLogonRight + users: + - Guests + # - Local Account + # - Administrators + action: set + when: + - rule_2_2_21 + - ansible_windows_domain_member + tags: + - level1-memberserver + - rule_2.2.21 + - patch - name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" win_user_right: - name: SeDenyBatchLogonRight - users: - - Guests - action: set + name: SeDenyBatchLogonRight + users: + - Guests + action: set when: - - rule_2_2_22 + - rule_2_2_22 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.22 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.22 + - patch - name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" win_user_right: - name: SeDenyServiceLogonRight - users: - - Guests - action: set + name: SeDenyServiceLogonRight + users: + - Guests + action: set when: - - rule_2_2_23 + - rule_2_2_23 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.23 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.23 + - patch - name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" win_user_right: name: SeDenyInteractiveLogonRight users: - - Guests + - Guests 
action: set when: - - rule_2_2_24 + - rule_2_2_24 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.24 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.24 + - patch - name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" win_user_right: - name: SeDenyRemoteInteractiveLogonRight - users: - - Guests - #- Local Account - action: set + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + # - Local Account + action: set when: - - rule_2_2_25 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_25 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.25 - - patch + - level1-domaincontroller + - rule_2.2.25 + - patch - name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" win_user_right: - name: SeDenyRemoteInteractiveLogonRight - users: - - Guests - #- Local Account - action: set + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + # - Local Account + action: set when: - - rule_2_2_26 - - ansible_windows_domain_member + - rule_2_2_26 + - ansible_windows_domain_member tags: - - level1-memberserver - - rule_2.2.26 - - patch + - level1-memberserver + - rule_2.2.26 + - patch - name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" win_user_right: - name: SeEnableDelegationPrivilege - users: Administrators - action: set + name: SeEnableDelegationPrivilege + users: Administrators + action: set when: - - rule_2_2_27 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_27 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.27 - - patch + - level1-domaincontroller + - rule_2.2.27 + - patch - name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable 
computer and user accounts to be trusted for delegation is set to No One MS only" win_user_right: - name: SeEnableDelegationPrivilege - users: [] - action: set + name: SeEnableDelegationPrivilege + users: [] + action: set when: - - rule_2_2_28 - - ansible_windows_domain_member + - rule_2_2_28 + - ansible_windows_domain_member tags: - - level1-memberserver - - rule_2.2.28 - - patch + - level1-memberserver + - rule_2.2.28 + - patch - name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" win_user_right: name: SeRemoteShutdownPrivilege users: - - Administrators + - Administrators action: set when: - - rule_2_2_29 + - rule_2_2_29 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.29 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.29 + - patch - name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: - name: SeAuditPrivilege - users: - - Local Service - - Network Service - action: set + name: SeAuditPrivilege + users: + - Local Service + - Network Service + action: set when: - - rule_2_2_30 + - rule_2_2_30 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.30 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.30 + - patch - name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" win_user_right: - name: SeImpersonatePrivilege - users: - - Administrators - - Local Service - - Network Service - - Service - action: set + name: SeImpersonatePrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set when: - - rule_2_2_31 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_31 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.31 - - patch + - 
level1-domaincontroller + - rule_2.2.31 + - patch - name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" win_user_right: - name: SeImpersonatePrivilege - users: - - Administrators - - IIS_IUSRS - - Local Service - - Network Service - - Service - action: set - when: - - rule_2_2_32 - - ansible_windows_domain_member - tags: - - level1-memberserver - - rule_2.2.32 - - patch + name: SeImpersonatePrivilege + users: + - Administrators + - IIS_IUSRS + - Local Service + - Network Service + - Service + action: set + when: + - rule_2_2_32 + - ansible_windows_domain_member + tags: + - level1-memberserver + - rule_2.2.32 + - patch - name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" win_user_right: - name: SeIncreaseBasePriorityPrivilege - users: - - Administrators - - Window Manager\Window Manager Group - action: set + name: SeIncreaseBasePriorityPrivilege + users: + - Administrators + - Window Manager\Window Manager Group + action: set when: - - rule_2_2_33 + - rule_2_2_33 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.33 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.33 + - patch - name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" win_user_right: - name: SeLoadDriverPrivilege - users: - - Administrators - action: set + name: SeLoadDriverPrivilege + users: + - Administrators + action: set when: - - rule_2_2_34 + - rule_2_2_34 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.34 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.34 + - patch - name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" win_user_right: - name: 
SeLockMemoryPrivilege - users: [] - action: set + name: SeLockMemoryPrivilege + users: [] + action: set when: - - rule_2_2_35 + - rule_2_2_35 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.35 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.35 + - patch - name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" win_user_right: - name: SeBatchLogonRight - users: Administrators - action: set + name: SeBatchLogonRight + users: Administrators + action: set when: - - rule_2_2_36 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_36 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level2-domaincontroller - - rule_2.2.36 - - patch + - level2-domaincontroller + - rule_2.2.36 + - patch - name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" win_user_right: - name: SeSecurityPrivilege - users: - - Administrators - action: set + name: SeSecurityPrivilege + users: + - Administrators + action: set when: - - rule_2_2_37 or rule_2_2_38 + - rule_2_2_37 or + rule_2_2_38 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.37 - - rule_2.2.38 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.37 + - rule_2.2.38 + - patch - name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" win_user_right: - name: SeReLabelPrivilege - users: [] - action: set + name: SeReLabelPrivilege + users: [] + action: set when: - - rule_2_2_39 + - rule_2_2_39 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.39 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.39 + - patch - name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" win_user_right: - name: SeSystemEnvironmentPrivilege 
- users: - - Administrators - action: set + name: SeSystemEnvironmentPrivilege + users: + - Administrators + action: set when: - - rule_2_2_40 + - rule_2_2_40 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.40 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.40 + - patch - name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" win_user_right: - name: SeManageVolumePrivilege - users: - - Administrators - action: set + name: SeManageVolumePrivilege + users: + - Administrators + action: set when: - - rule_2_2_41 + - rule_2_2_41 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.41 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.41 + - patch - name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" win_user_right: - name: SeProfileSingleProcessPrivilege - users: - - Administrators - action: set + name: SeProfileSingleProcessPrivilege + users: + - Administrators + action: set when: - - rule_2_2_42 + - rule_2_2_42 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.42 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.42 + - patch - name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" win_user_right: - name: SeSystemProfilePrivilege - users: - - Administrators - - NT SERVICE\WdiServiceHost - action: set + name: SeSystemProfilePrivilege + users: + - Administrators + - NT SERVICE\WdiServiceHost + action: set when: - - rule_2_2_43 + - rule_2_2_43 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.43 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.43 + - patch - name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: - name: SeAssignPrimaryTokenPrivilege - users: - - 
LOCAL SERVICE - - NETWORK SERVICE - action: set + name: SeAssignPrimaryTokenPrivilege + users: + - LOCAL SERVICE + - NETWORK SERVICE + action: set when: - - rule_2_2_44 + - rule_2_2_44 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.44 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.44 + - patch - name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" win_user_right: - name: SeRestorePrivilege - users: - - Administrators - action: set + name: SeRestorePrivilege + users: + - Administrators + action: set when: - - rule_2_2_45 + - rule_2_2_45 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.45 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.45 + - patch - name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" win_user_right: - name: SeShutdownPrivilege - users: - - Administrators - action: set + name: SeShutdownPrivilege + users: + - Administrators + action: set when: - - rule_2_2_46 + - rule_2_2_46 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.46 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.46 + - patch - name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only" win_user_right: - name: SeSyncAgentPrivilege - users: - action: set + name: SeSyncAgentPrivilege + users: [] + action: set when: - - rule_2_2_47 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_47 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.47 - - patch + - level1-domaincontroller + - rule_2.2.47 + - patch - name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" win_user_right: - name: SeTakeOwnershipPrivilege - users: - - Administrators - action: set + name: SeTakeOwnershipPrivilege + 
users: + - Administrators + action: set when: - - rule_2_2_48 + - rule_2_2_48 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.48 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.48 + - patch - name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" win_security_policy: - section: System Access - key: EnableAdminAccount - value: 0 + section: System Access + key: EnableAdminAccount + value: 0 when: - - rule_2_3_1_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_1_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_2.3.1.1 - - patch + - level1-memberserver + - rule_2.3.1.1 + - patch - name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: NoConnectedUser - data: 3 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: NoConnectedUser + data: 3 + type: dword when: - - rule_2_3_1_2 + - rule_2_3_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.2 + - patch - name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" win_security_policy: - section: System Access - key: EnableGuestAccount - value: 0 + section: System Access + key: EnableGuestAccount + value: 0 when: - - rule_2_3_1_3 + - rule_2_3_1_3 tags: - - level1-memberserver - - rule_2.3.1.3 - - patch + - level1-memberserver + - rule_2.3.1.3 + - patch - name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: 
LimitBlankPasswordUse
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: LimitBlankPasswordUse
+ data: 1
+ type: dword
 when:
- - rule_2_3_1_4
+ - rule_2_3_1_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.1.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.1.4
+ - patch
 - name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account"
 win_security_policy:
- section: System Access
- key: newadministratorname
- value: GeorgeSharp
+ section: System Access
+ key: newadministratorname
+ value: "{{ win19cis_admin_username }}"
 when:
- - rule_2_3_1_5
- - not win_skip_for_test
+ - rule_2_3_1_5
+ - not win_skip_for_test
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.1.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.1.5
+ - patch
 - name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account"
 win_security_policy:
- section: System Access
- key: NewGuestName
- value: BobCooper
+ section: System Access
+ key: NewGuestName
+ value: "{{ win19cis_guest_username }}"
 when:
- - rule_2_3_1_6
+ - rule_2_3_1_6
 tags:
- - level1-domaincontroller
- - level1-memberservers
- - rule_2.3.1.6
- - patch
+ - level1-domaincontroller
+ - level1-memberservers
+ - rule_2.3.1.6
+ - patch
 - name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: SCENoApplyLegacyAuditPolicy
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: SCENoApplyLegacyAuditPolicy
+ data: 1
+ type: dword
 when:
- - rule_2_3_2_1
+ - rule_2_3_2_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.2.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.2.1
+ - patch
 - name: "SCORED | 2.3.2.2 | PATCH | L1 
Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: CrashOnAuditFail
- data: 0
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: CrashOnAuditFail
+ data: 0
+ type: dword
 when:
- - rule_2_3_2_2
+ - rule_2_3_2_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.2.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.2.2
+ - patch
 - name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: AllocateDASD
- data: 0
- type: string
+ path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ name: AllocateDASD
+ data: 0
+ type: string
 when:
- - rule_2_3_4_1
+ - rule_2_3_4_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.4.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.4.1
+ - patch
 - name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers
- name: AddPrinterDrivers
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers
+ name: AddPrinterDrivers
+ data: 1
+ type: dword
 when:
- - rule_2_3_4_2
+ - rule_2_3_4_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.4.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.4.2
+ - patch
 - name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only"
 win_regedit:
- path: HKLM:\System\CurrentControlSet\Control\Lsa
- name: SubmitControl
- data: 0
- type: dword
+ path: HKLM:\System\CurrentControlSet\Control\Lsa
+ 
name: SubmitControl
+ data: 0
+ type: dword
 when:
- - rule_2_3_5_1
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_5_1
+ - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - rule_2.3.5.1
- - patch
+ - level1-domaincontroller
+ - rule_2.3.5.1
+ - patch
 - name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only"
 win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
- name: LDAPServerIntegrity
- data: 2
- type: dword
+ path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters
+ name: LDAPServerIntegrity
+ data: 2
+ type: dword
 when:
- - rule_2_3_5_2
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_5_2
+ - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - rule_2.3.5.2
- - patch
+ - level1-domaincontroller
+ - rule_2.3.5.2
+ - patch
 - name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only"
 win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters
- name: RefusePasswordChange
- data: 0
- type: dword
+ path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters
+ name: RefusePasswordChange
+ data: 0
+ type: dword
 when:
- - rule_2_3_5_3
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_5_3
+ - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - rule_2.3.5.3
- - patch
+ - level1-domaincontroller
+ - rule_2.3.5.3
+ - patch
 - name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: RequireSignOrSeal
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+ name: 
RequireSignOrSeal
+ data: 1
+ type: dword
 when:
- - rule_2_3_6_1
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_6_1
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.6.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.6.1
+ - patch
 - name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: sealsecurechannel
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+ name: sealsecurechannel
+ data: 1
+ type: dword
 when:
- - rule_2_3_6_2
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_6_2
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.6.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.6.2
+ - patch
 - name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: signsecurechannel
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+ name: signsecurechannel
+ data: 1
+ type: dword
 when:
- - rule_2_3_6_3
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_6_3
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.6.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.6.3
+ - patch
 - name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled"
 win_regedit:
- path: 
HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: disablepasswordchange
- data: 0
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+ name: disablepasswordchange
+ data: 0
+ type: dword
 when:
- - rule_2_3_6_4
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_6_4
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.6.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.6.4
+ - patch
 - name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: MaximumPasswordAge
- data: 30
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+ name: MaximumPasswordAge
+ data: 30
+ type: dword
 when:
- - rule_2_3_6_5
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_6_5
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.6.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.6.5
+ - patch
 - name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
- name: RequireStrongKey
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
+ name: RequireStrongKey
+ data: 1
+ type: dword
 when:
- - rule_2_3_6_6
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_6_6
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.6.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - 
rule_2.3.6.6
+ - patch
 - name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: DisableCAD
- data: 0
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: DisableCAD
+ data: 0
+ type: dword
 when:
- - rule_2_3_7_1
+ - rule_2_3_7_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.7.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.7.1
+ - patch
 - name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: DontDisplayLastUserName
- data: 1
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: DontDisplayLastUserName
+ data: 1
+ type: dword
 when:
- - rule_2_3_7_2
+ - rule_2_3_7_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.7.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.7.2
+ - patch
 - name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: InactivityTimeoutSecs
- data: 900
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: InactivityTimeoutSecs
+ data: 900
+ type: dword
 when:
- - rule_2_3_7_3
+ - rule_2_3_7_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.7.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.7.3
+ - patch
 - name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: LegalNoticeText
- data: 
"{{ legalnoticetext }}"
- type: string
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: LegalNoticeText
+ data: "{{ legalnoticetext }}"
+ type: string
 when:
- - rule_2_3_7_4
+ - rule_2_3_7_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.7.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.7.4
+ - patch
 - name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: LegalNoticeCaption
- data: "{{ legalnoticecaption }}"
- type: string
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: LegalNoticeCaption
+ data: "{{ legalnoticecaption }}"
+ type: string
 when:
- - rule_2_3_7_5
+ - rule_2_3_7_5
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.7.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.7.5
+ - patch
 - name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: cachedlogonscount
- data: 1
- type: string
+ path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ name: cachedlogonscount
+ data: 1
+ type: string
 when:
- - rule_2_3_7_6
+ - rule_2_3_7_6
 tags:
- - level2-memberserver
- - rule_2.3.7.6
- - patch
+ - level2-memberserver
+ - rule_2.3.7.6
+ - patch
 - name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: PasswordExpiryWarning
- data: 14
- type: dword
+ path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ name: PasswordExpiryWarning
+ data: 14
+ type: dword
 when:
- - rule_2_3_7_7
+ - rule_2_3_7_7
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.7.7
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.7.7
+ - patch
 - name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: ForceUnlockLogon
- data: 1
- type: dword
+ path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ name: ForceUnlockLogon
+ data: 1
+ type: dword
 when:
- - rule_2_3_7_8
- - ansible_windows_domain_role == "Member server"
+ - rule_2_3_7_8
+ - ansible_windows_domain_role == "Member server"
 tags:
- - level1-memberserver
- - rule_2.3.7.8
- - patch
+ - level1-memberserver
+ - rule_2.3.7.8
+ - patch
 - name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
- name: scremoveoption
- data: 1
- type: string
+ path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
+ name: scremoveoption
+ data: 1
+ type: string
 when:
- - rule_2_3_7_9
+ - rule_2_3_7_9
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.7.9
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.7.9
+ - patch
 - name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
- name: RequireSecuritySignature
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
+ name: RequireSecuritySignature
+ data: 1
+ type: dword
 when:
- - rule_2_3_8_1
+ - rule_2_3_8_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.8.1
- - patch
+ - level1-domaincontroller
+ - 
level1-memberserver
+ - rule_2.3.8.1
+ - patch
 - name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
- name: EnableSecuritySignature
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
+ name: EnableSecuritySignature
+ data: 1
+ type: dword
 when:
- - rule_2_3_8_2
+ - rule_2_3_8_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.8.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.8.2
+ - patch
 - name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
- name: EnablePlainTextPassword
- data: 0
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
+ name: EnablePlainTextPassword
+ data: 0
+ type: dword
 when:
- - rule_2_3_8_3
+ - rule_2_3_8_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.8.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.8.3
+ - patch
 - name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: autodisconnect
- data: 15
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: autodisconnect
+ data: 15
+ type: dword
 when:
- - rule_2_3_9_1
+ - rule_2_3_9_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.9.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.9.1
+ - patch
 - name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign 
communications always is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: requiresecuritysignature
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: requiresecuritysignature
+ data: 1
+ type: dword
 when:
- - rule_2_3_9_2
+ - rule_2_3_9_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.9.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.9.2
+ - patch
 - name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: enablesecuritysignature
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: enablesecuritysignature
+ data: 1
+ type: dword
 when:
- - rule_2_3_9_3
+ - rule_2_3_9_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.9.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.9.3
+ - patch
 - name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: enableforcedlogoff
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: enableforcedlogoff
+ data: 1
+ type: dword
 when:
- - rule_2_3_9_4
+ - rule_2_3_9_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.9.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.9.4
+ - patch
 - name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: 
SMBServerNameHardeningLevel
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: SMBServerNameHardeningLevel
+ data: 1
+ type: dword
 when:
- - rule_2_3_9_5
- - ansible_windows_domain_role == "Member server"
+ - rule_2_3_9_5
+ - ansible_windows_domain_role == "Member server"
 tags:
- - level1-memberserver
- - rule_2.3.9.5
- - patch
+ - level1-memberserver
+ - rule_2.3.9.5
+ - patch
 - name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled"
 win_security_policy:
- section: System Access
- key: LSAAnonymousNameLookup
- value: 0
+ section: System Access
+ key: LSAAnonymousNameLookup
+ value: 0
 when:
- - rule_2_3_10_1
+ - rule_2_3_10_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.10.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.10.1
+ - patch
 - name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: RestrictAnonymousSAM
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: RestrictAnonymousSAM
+ data: 1
+ type: dword
 when:
- - rule_2_3_10_2
- - ansible_windows_domain_role == "Member server"
+ - rule_2_3_10_2
+ - ansible_windows_domain_role == "Member server"
 tags:
- - level1-memberserver
- - rule_2.3.10.2
- - patch
+ - level1-memberserver
+ - rule_2.3.10.2
+ - patch
 - name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: RestrictAnonymous
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: RestrictAnonymous
+ data: 1
+ type: dword
 when:
- - rule_2_3_10_3
- - ansible_windows_domain_role == "Member server"
+ - rule_2_3_10_3
+ - 
ansible_windows_domain_role == "Member server"
 tags:
- - level1-memberserver
- - rule_2.3.10.3
- - patch
+ - level1-memberserver
+ - rule_2.3.10.3
+ - patch
 - name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: DisableDomainCreds
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: DisableDomainCreds
+ data: 1
+ type: dword
 when:
- - rule_2_3_10_4
+ - rule_2_3_10_4
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_2.3.10.4
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_2.3.10.4
+ - patch
 - name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: EveryoneIncludesAnonymous
- data: 0
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: EveryoneIncludesAnonymous
+ data: 0
+ type: dword
 when:
- - rule_2_3_10_5
+ - rule_2_3_10_5
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.10.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.10.5
+ - patch
 - name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: NullSessionPipes
- data: ""
- type: multistring
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: NullSessionPipes
+ data: ""
+ type: multistring
 when:
- - rule_2_3_10_6
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_2_3_10_6
+ - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-domaincontroller
- - rule_2.3.10.6
- - patch
+ - level1-domaincontroller
+ - rule_2.3.10.6
+ - patch
 - name: 
"SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: NullSessionPipes
- data: ""
- type: multistring
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: NullSessionPipes
+ data: ""
+ type: multistring
 when:
- - rule_2_3_10_7
- - ansible_windows_domain_role == "Member server"
+ - rule_2_3_10_7
+ - ansible_windows_domain_role == "Member server"
 tags:
- - level1-memberserver
- - rule_2.3.10.7
- - patch
+ - level1-memberserver
+ - rule_2.3.10.7
+ - patch
 - name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths
- name: "Machine"
- data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion']
- type: multistring
+ path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths
+ name: "Machine"
+ data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion']
+ type: multistring
 when:
- - rule_2_3_10_8
+ - rule_2_3_10_8
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.10.8
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.10.8
+ - patch
 - name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
- name: "Machine"
- data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows 
NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
- type: multistring
+ path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
+ name: "Machine"
+ data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
+ type: multistring
 when:
- - rule_2_3_10_9
+ - rule_2_3_10_9
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.10.9
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.10.9
+ - patch
 - name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: RestrictNullSessAccess
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: RestrictNullSessAccess
+ data: 1
+ type: dword
 when:
- - rule_2_3_10_10
+ - rule_2_3_10_10
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.10.10
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.10.10
+ - patch
 - name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only"
 win_regedit:
- path: HKLM:\System\CurrentControlSet\Control\Lsa
- name: RestrictRemoteSAM
- data: "O:BAG:BAD:(A;;RC;;;BA)"
- type: string
+ path: HKLM:\System\CurrentControlSet\Control\Lsa
+ name: RestrictRemoteSAM
+ data: "O:BAG:BAD:(A;;RC;;;BA)"
+ type: string
 when:
- - rule_2_3_10_11
+ - rule_2_3_10_11
 tags:
- - level1-memberserver
- - rule_2.3.10.11
- - patch
+ - level1-memberserver
+ - rule_2.3.10.11
+ - patch
 - name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
- name: NullSessionShares
- data: ""
- type: multistring
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: NullSessionShares
+ data: ""
+ type: multistring
 when:
- - rule_2_3_10_12
+ - rule_2_3_10_12
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.10.12
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.10.12
+ - patch
 - name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: ForceGuest
- data: 0
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: ForceGuest
+ data: 0
+ type: dword
 when:
- - rule_2_3_10_13
+ - rule_2_3_10_13
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.10.13
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.10.13
+ - patch
 - name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: 
UseMachineId
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: UseMachineId
+ data: 1
+ type: dword
 when:
- - rule_2_3_11_1
+ - rule_2_3_11_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.11.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.11.1
+ - patch
 - name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
- name: allownullsessionfallback
- data: 0
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
+ name: allownullsessionfallback
+ data: 0
+ type: dword
 when:
- - rule_2_3_11_2
+ - rule_2_3_11_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.11.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.11.2
+ - patch
 - name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
- name: AllowOnlineID
- data: 0
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
+ name: AllowOnlineID
+ data: 0
+ type: dword
 when:
- - rule_2_3_11_3
+ - rule_2_3_11_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.11.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.11.3
+ - patch
 - name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
- name: SupportedEncryptionTypes
- data: 2147483640
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
+ name: SupportedEncryptionTypes
+ data: 
2147483640
+ type: dword
 when:
- - rule_2_3_11_4
+ - rule_2_3_11_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.11.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.11.4
+ - patch
 - name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Control\Lsa
- name: NoLMHash
- data: 1
- type: dword
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: NoLMHash
+ data: 1
+ type: dword
 when:
- - rule_2_3_11_5
+ - rule_2_3_11_5
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.11.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.11.5
+ - patch
 - name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled"
 win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
- name: EnableForcedLogOff
- data: 1
- type: dword
+ path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
+ name: EnableForcedLogOff
+ data: 1
+ type: dword
 when:
- - rule_2_3_11_6
+ - rule_2_3_11_6
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_2.3.11.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_2.3.11.6
+ - patch
 - name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. 
Refuse LM NTLM" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: LMCompatibilityLevel - data: 5 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LMCompatibilityLevel + data: 5 + type: dword when: - - rule_2_3_11_7 + - rule_2_3_11_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.7 + - patch - name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Ldap - name: LDAPClientIntegrity - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Ldap + name: LDAPClientIntegrity + data: 1 + type: dword when: - - rule_2_3_11_8 + - rule_2_3_11_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.8 + - patch - name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinClientSec - data: 537395200 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinClientSec + data: 537395200 + type: dword when: - - rule_2_3_11_9 + - rule_2_3_11_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.9 + - patch - name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinServerSec - data: 537395200 - type: 
dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinServerSec + data: 537395200 + type: dword when: - - rule_2_3_11_10 + - rule_2_3_11_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.10 + - patch - name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ShutdownWithoutLogon - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ShutdownWithoutLogon + data: 0 + type: dword when: - - rule_2_3_13_1 + - rule_2_3_13_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.13.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.13.1 + - patch - name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel - name: ObCaseInsensitive - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel + name: ObCaseInsensitive + data: 1 + type: dword when: - - rule_2_3_15_1 + - rule_2_3_15_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.15.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.15.1 + - patch - name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. 
Symbolic Links is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: ProtectionMode - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: ProtectionMode + data: 1 + type: dword when: - - rule_2_3_15_2 + - rule_2_3_15_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.15.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.15.2 + - patch - name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: FilterAdministratorToken - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: FilterAdministratorToken + data: 1 + type: dword when: - - rule_2_3_17_1 + - rule_2_3_17_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.1 + - patch - name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorAdmin - data: 2 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorAdmin + data: 2 + type: dword when: - - rule_2_3_17_2 + - rule_2_3_17_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.2 + - patch - name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" win_regedit: - path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorUser - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorUser + data: 0 + type: dword when: - - rule_2_3_17_3 + - rule_2_3_17_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.3 + - patch - name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableInstallerDetection - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableInstallerDetection + data: 1 + type: dword when: - - rule_2_3_17_4 + - rule_2_3_17_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.4 + - patch - name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableSecureUIAPaths - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableSecureUIAPaths + data: 1 + type: dword when: - - rule_2_3_17_5 + - rule_2_3_17_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.5 + - patch - name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableLUA - data: 1 - type: dword + path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableLUA + data: 1 + type: dword when: - - rule_2_3_17_6 + - rule_2_3_17_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.6 + - patch - name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: PromptOnSecureDesktop - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: PromptOnSecureDesktop + data: 1 + type: dword when: - - rule_2_3_17_7 + - rule_2_3_17_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.7 + - patch - name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableVirtualization - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableVirtualization + data: 1 + type: dword when: - - rule_2_3_17_8 + - rule_2_3_17_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.8 - - patch - + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.8 + - patch diff --git a/tasks/section09.yml b/tasks/section09.yml index 4901180..c2bd4a2 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml 
@@ -1,362 +1,362 @@
---
- name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'"
win_firewall:
- state: enabled
- profile: Domain
+ state: enabled
+ profile: Domain
when:
- - rule_9_1_1
+ - rule_9_1_1
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.1
+ - patch
- name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
- name: DefaultInboundAction
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+ name: DefaultInboundAction
+ data: 1
+ type: dword
when:
- - rule_9_1_2
+ - rule_9_1_2
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.2
+ - patch
- name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
- name: DefaultOutboundAction
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+ name: DefaultOutboundAction
+ data: 0
+ type: dword
when:
- - rule_9_1_3
+ - rule_9_1_3
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.3
+ - patch
- name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
- name: DisableNotifications
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
+ name: DisableNotifications
+ data: 1
+ type: dword
when:
- - rule_9_1_4
+ - rule_9_1_4
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.4
+ - patch
# title has slashes switched
- name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
- name: LogFilePath
- data: '{{ domain_firewall_log_path }}'
- type: string
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogFilePath
+ data: '{{ domain_firewall_log_path }}'
+ type: string
when:
- - rule_9_1_5
+ - rule_9_1_5
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.5
+ - patch
- name: "SCORED | 9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
- name: LogFileSize
- data: '{{ domain_firewall_log_size }}'
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogFileSize
+ data: '{{ domain_firewall_log_size }}'
+ type: dword
when:
- - rule_9_1_6
+ - rule_9_1_6
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.6
+ - patch
- name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
- name: LogDroppedPackets
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogDroppedPackets
+ data: 1
+ type: dword
when:
- - rule_9_1_7
+ - rule_9_1_7
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.7
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.7
+ - patch
- name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
- name: LogSuccessfulConnections
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging
+ name: LogSuccessfulConnections
+ data: 1
+ type: dword
when:
- - rule_9_1_8
+ - rule_9_1_8
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.1.7
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.1.7
+ - patch
- name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'"
win_firewall:
- state: enabled
- profile: Private
+ state: enabled
+ profile: Private
when:
- - rule_9_2_1
+ - rule_9_2_1
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.1
+ - patch
- name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
- name: DefaultInboundAction
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ name: DefaultInboundAction
+ data: 1
+ type: dword
when:
- - rule_9_2_2
+ - rule_9_2_2
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.2
+ - patch
- name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
- name: DefaultOutboundAction
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ name: DefaultOutboundAction
+ data: 0
+ type: dword
when:
- - rule_9_2_3
+ - rule_9_2_3
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.3
+ - patch
- name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
- name: DisableNotifications
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
+ name: DisableNotifications
+ data: 1
+ type: dword
when:
- - rule_9_2_4
+ - rule_9_2_4
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.4
+ - patch
# title has slashes switched
- name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
- name: LogFilePath
- data: '{{ private_firewall_log_path }}'
- type: string
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogFilePath
+ data: '{{ private_firewall_log_path }}'
+ type: string
when:
- - rule_9_2_5
+ - rule_9_2_5
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.5
+ - patch
- name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
- name: LogFileSize
- data: '{{ private_firewall_log_size }}'
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogFileSize
+ data: '{{ private_firewall_log_size }}'
+ type: dword
when:
- - rule_9_2_6
+ - rule_9_2_6
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.6
+ - patch
- name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
- name: LogDroppedPackets
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogDroppedPackets
+ data: 1
+ type: dword
when:
- - rule_9_2_7
+ - rule_9_2_7
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.7
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.7
+ - patch
- name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
- name: LogSuccessfulConnections
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging
+ name: LogSuccessfulConnections
+ data: 1
+ type: dword
when:
- - rule_9_2_8
+ - rule_9_2_8
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.2.8
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.2.8
+ - patch
- name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'"
win_firewall:
- state: enabled
- profile: Public
+ state: enabled
+ profile: Public
when:
- - rule_9_3_1
+ - rule_9_3_1
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.1
+ - patch
- name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
- name: DefaultInboundAction
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: DefaultInboundAction
+ data: 1
+ type: dword
when:
- - rule_9_3_2
+ - rule_9_3_2
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.2
+ - patch
- name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
- name: DefaultOutboundAction
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: DefaultOutboundAction
+ data: 0
+ type: dword
when:
- - rule_9_3_3
+ - rule_9_3_3
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.3
+ - patch
- name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
- name: DisableNotifications
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: DisableNotifications
+ data: 1
+ type: dword
when:
- - rule_9_3_4
+ - rule_9_3_4
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.4
+ - patch
- name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
- name: AllowLocalPolicyMerge
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: AllowLocalPolicyMerge
+ data: 0
+ type: dword
when:
- - rule_9_3_5
- - not win_skip_for_test
+ - rule_9_3_5
+ - not win_skip_for_test
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.5
+ - patch
- name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
- name: AllowLocalIPsecPolicyMerge
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
+ name: AllowLocalIPsecPolicyMerge
+ data: 0
+ type: dword
when:
- - rule_9_3_6
+ - rule_9_3_6
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.6
+ - patch
# title has slashes switched
- name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
- name: LogFilePath
- data: '{{ public_firewall_log_path }}'
- type: string
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogFilePath
+ data: '{{ public_firewall_log_path }}'
+ type: string
when:
- - rule_9_3_7
+ - rule_9_3_7
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.7
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.7
+ - patch
- name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
- name: LogFileSize
- data: '{{ public_firewall_log_size }}'
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogFileSize
+ data: '{{ public_firewall_log_size }}'
+ type: dword
when:
- - rule_9_3_8
+ - rule_9_3_8
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.8
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.8
+ - patch
- name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
- name: LogDroppedPackets
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogDroppedPackets
+ data: 1
+ type: dword
when:
- - rule_9_3_9
+ - rule_9_3_9
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.9
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.9
+ - patch
- name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'"
win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
- name: LogSuccessfulConnections
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging
+ name: LogSuccessfulConnections
+ data: 1
+ type: dword
when:
- - rule_9_3_10
+ - rule_9_3_10
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_9.3.10
- - patch
\ No newline at end of file
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_9.3.10
+ - patch
diff --git a/tasks/section17.yml b/tasks/section17.yml
index f4c0695..685c64e 100644
--- a/tasks/section17.yml
+++ b/tasks/section17.yml
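Review bot: The tags list for task 9.1.8 (Log successful connections) carries `- rule_9.1.7` on the new side, copied from the task above it, so `--tags rule_9.1.8` selects nothing and `rule_9.1.7` now runs two tasks; the added line should be `+ - rule_9.1.8`. The LogFileSize tasks (9.1.6, 9.2.6, 9.3.8) also write `'{{ ..._firewall_log_size }}'` with `type: dword` while their titles quote the threshold as '16,384'; a value carrying that thousands separator is not a valid dword, so it is worth confirming the three defaults are plain integers (16384) rather than the quoted form.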
@@ -17,13 +17,13 @@
when: "'Failure' not in rule_17_1_1_audit.stdout"
changed_when: "'Failure' not in rule_17_1_1_audit.stdout"
when:
- - rule_17_1_1
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_1_1
+ - ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.1.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.1.1
+ - patch
- name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only"
block:
@@ -41,12 +41,12 @@
win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable
when: "'Failure' not in rule_17_1_2_audit.stdout"
when:
- - rule_17_1_2
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_1_2
+ - ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1-domaincontroller
- - rule_17.1.2
- - patch
+ - level1-domaincontroller
+ - rule_17.1.2
+ - patch
- name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'"
block:
@@ -64,12 +64,12 @@
win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable
when: "'Failure' not in rule_17_1_3_audit.stdout"
when:
- - rule_17_1_3
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_1_3
+ - ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1-domaincontroller
- - rule_17.1.2
- - patch
+ - level1-domaincontroller
+ - rule_17.1.2
+ - patch
- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure"
block:
@@ -87,13 +87,13 @@
win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable
when: "'Failure' not in rule_17_2_1_audit.stdout"
when:
- - rule_17_2_1
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_2_1
+ - ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.2.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.2.1
+ - patch
- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only"
block:
@@ -108,12 +108,12 @@
changed_when: "'Success' not in rule_17_2_2_audit.stdout"
when: "'Success' not in rule_17_2_2_audit.stdout"
when:
- - rule_17_2_2
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_2_2
+ - ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1-domaincontroller
- - rule_17.2.2
- - patch
+ - level1-domaincontroller
+ - rule_17.2.2
+ - patch
- name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only"
block:
@@ -127,12 +127,12 @@
win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable
when: "'Success' not in rule_17_2_3_audit.stdout"
when:
- - rule_17_2_3
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_2_3
+ - ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1-domaincontroller
- - rule_17.2.3
- - patch
+ - level1-domaincontroller
+ - rule_17.2.3
+ - patch
- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only"
block:
@@ -146,12 +146,12 @@
win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
when: "'Success' not in rule_17_2_4_audit.stdout"
when:
- - rule_17_2_4
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_2_4
+ - ansible_windows_domain_role == "Primary domain controller"
tags:
- - level1-domaincontroller
- - rule_17.2.4
- - patch
+ - level1-domaincontroller
+ - rule_17.2.4
+ - patch
- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success"
block:
@@ -165,12 +165,12 @@
win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
when: "'Success' not in rule_17_2_5_audit.stdout"
when:
- - rule_17_2_5
+ - rule_17_2_5
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.2.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.2.5
+ - patch
- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure"
block:
@@ -188,12 +188,12 @@
win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
when: "'Failure' not in rule_17_2_6_audit.stdout"
when:
- - rule_17_2_6
+ - rule_17_2_6
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.2.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.2.6
+ - patch
- name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success"
block:
@@ -207,12 +207,12 @@
win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
when: "'Success' not in rule_17_3_1_audit.stdout"
when:
- - rule_17_3_1
+ - rule_17_3_1
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.3.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.3.1
+ - patch
- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success"
block:
@@ -226,12 +226,12 @@
win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
when: "'Success' not in rule_17_3_2_audit.stdout"
when:
- - rule_17_3_2
+ - rule_17_3_2
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.3.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.3.2
+ - patch
- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only"
block:
@@ -245,11 +245,11 @@
win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
when: "'Success' not in rule_17_4_1_audit.stdout"
when:
- - rule_17_4_1
+ - rule_17_4_1
tags:
- - level1-domaincontroller
- - rule_17.4.1
- - patch
+ - level1-domaincontroller
+ - rule_17.4.1
+ - patch
- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only"
block:
@@ -263,11 +263,11 @@
win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
when: "'Success' not in rule_17_4_2_audit.stdout"
when:
- - rule_17_4_2
+ - rule_17_4_2
tags:
- - level1-domaincontroller
- - rule_17.4.2
- - patch
+ - level1-domaincontroller
+ - rule_17.4.2
+ - patch
- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure"
block:
@@ -281,12 +281,12 @@
win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
when: "'Failure' not in rule_17_5_1_audit.stdout"
when:
- - rule_17_5_1
+ - rule_17_5_1
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.5.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.5.1
+ - patch
- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success"
block:
@@ -300,17 +300,17 @@
win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
when: "'Success' not in rule_17_5_2_audit.stdout"
when:
- - rule_17_5_2
+ - rule_17_5_2
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.5.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.5.2
+ - patch
- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success"
block:
- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success"
- win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
register: rule_17_5_3_audit
@@ -319,12 +319,12 @@
win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
when: "'Success' not in rule_17_5_3_audit.stdout"
when:
- - rule_17_5_3
+ - rule_17_5_3
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.5.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.5.3
+ - patch
- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure"
block:
@@ -342,12 +342,12 @@
win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
when: "'Failure' not in rule_17_5_4_audit.stdout"
when:
- - rule_17_5_4
+ - rule_17_5_4
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.5.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.5.4
+ - patch
- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
block:
@@ -365,12 +365,12 @@
win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
when: "'Failure' not in rule_17_5_5_audit.stdout"
when:
- - rule_17_5_5
+ - rule_17_5_5
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.5.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.5.5
+ - patch
- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success"
block:
@@ -384,12 +384,12 @@
win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
when: "'Success' not in rule_17_5_6_audit.stdout"
when:
- - rule_17_5_6
+ - rule_17_5_6
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.5.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.5.6
+ - patch
- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure"
block:
@@ -403,12 +403,12 @@
win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable
when: "'Failure' not in rule_17_6_1_audit.stdout"
when:
- - rule_17_6_1
+ - rule_17_6_1
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.6.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.6.1
+ - patch
- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure"
block:
@@ -421,22 +421,25 @@
- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure"
win_shell: AuditPol /set /subcategory:"File Share" /failure:enable
when: "'Failure' not in rule_17_6_2_audit.stdout"
+ when:
+ - rule_17_6_2
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.6.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.6.2
+ - patch
- name: "SCORED | 17.6.3 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure"
win_audit_policy_system:
subcategory: Other Object Access Events
audit_type: success, failure
- when: rule_17_6_3
+ when:
+ - rule_17_6_3
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.6.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.6.3
+ - patch
- name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure"
block:
@@ -450,12 +453,12 @@
win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
when: "'Success' not in rule_17_6_4_audit.stdout"
when:
- - rule_17_6_4
+ - rule_17_6_4
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.6.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.6.4
+ - patch
- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success"
block:
@@ -469,12 +472,12 @@
win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
when: "'Success' not in rule_17_7_1_audit.stdout"
when:
- - rule_17_7_1
+ - rule_17_7_1
tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_17.7.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_17.7.1
+ - patch
- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success"
block:
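Review bot: The `when:` list for 17.1.1 keeps `ansible_windows_domain_role == "Primary domain controller"` on the new side while the tags list right below it includes `level1-memberserver`, so on a member server the task is selected by tag but always skipped; either the role condition or the tag is wrong, and the title gives no "DC only" hint the way 17.1.2 does. The same combination appears in the 17.2.1 hunk (`@@ -87,13 +87,13 @@`). The other DC-restricted tasks in this file (17.1.2, 17.2.2–17.2.4) carry only `level1-domaincontroller`, which is the consistent form. The enclosing block for 17.1.1 starts outside the hunk.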
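Review bot: The 17.1.3 task (`@@ -64,12 +64,12 @@`) is tagged `- rule_17.1.2` on the new side, the tag of the preceding task, so `--tags rule_17.1.3` selects nothing and `rule_17.1.2` runs two tasks; the added line should be `+ - rule_17.1.3`. The task is also restricted to the primary domain controller by its `when:` but, unlike 17.1.2, its title does not say "DC Only"; adding that suffix would make the restriction visible in the play output.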
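Review bot: The remediation line at the top of this hunk for 17.2.1 (Audit Application Group Management) runs `AuditPol /set /subcategory:"Security Group Management" /failure:enable`, which is the subcategory that 17.2.5 manages further down, so unless the audit step outside the hunk queries something else this task never configures Application Group Management at all. It should read `win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable`, and the matching /get and /success steps, which start outside the hunk, need the same subcategory. The commit only re-indents here, so the mismatch is carried over unchanged.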
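Review bot: In the 17.4.1 hunk (`@@ -245,11 +245,11 @@`) the task title says "set to include Failure", but the remediation visible here enables success (`/success:enable` gated on `'Success' not in rule_17_4_1_audit.stdout`), following the pattern of the include-Success tasks rather than the include-Failure ones such as 17.5.1 and 17.6.1. If Failure is the intended setting, the two lines should be `win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable` and `when: "'Failure' not in rule_17_4_1_audit.stdout"`. The block and its audit step start outside the hunk, so a separate failure step may exist there; if it does, the success step is surplus to the title.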
@@ -488,12 +491,12 @@ win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable when: "'Success' not in rule_17_7_2_audit.stdout" when: - - rule_17_7_2 + - rule_17_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.2 + - patch - name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success" block: @@ -507,12 +510,12 @@ win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable when: "'Success' not in rule_17_7_3_audit.stdout" when: - - rule_17_7_3 + - rule_17_7_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.3 + - patch - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" block: @@ -530,12 +533,12 @@ win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable when: "'Failure' not in rule_17_7_4_audit.stdout" when: - - rule_17_7_4 + - rule_17_7_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.4 + - patch - name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure" block: @@ -549,12 +552,12 @@ win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable when: "'Success' not in rule_17_7_5_audit.stdout" when: - - rule_17_7_5 + - rule_17_7_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.5 + - patch - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" block: 
@@ -572,12 +575,12 @@ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable when: "'Failure' not in rule_17_8_1_audit.stdout" when: - - rule_17_8_1 + - rule_17_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.8.1 + - patch - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" block: @@ -595,12 +598,12 @@ win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable when: "'Failure' not in rule_17_9_1_audit.stdout" when: - - rule_17_9_1 + - rule_17_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.1 + - patch - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" block: @@ -618,12 +621,12 @@ win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable when: "'Failure' not in rule_17_9_2_audit.stdout" when: - - rule_17_9_2 + - rule_17_9_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.2 + - patch - name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to include Success" block: @@ -637,12 +640,12 @@ win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable when: "'Success' not in rule_17_9_3_audit.stdout" when: - - rule_17_9_3 + - rule_17_9_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.3 + - patch - name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success" block: 
@@ -656,12 +659,12 @@ win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable when: "'Success' not in rule_17_9_4_audit.stdout" when: - - rule_17_9_4 + - rule_17_9_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.4 + - patch - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure" block: @@ -681,9 +684,9 @@ changed_when: "'Failure' not in rule_17_9_5_audit.stdout" when: "'Failure' not in rule_17_9_5_audit.stdout" when: - - rule_17_9_5 + - rule_17_9_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.5 + - patch diff --git a/tasks/section18.yml b/tasks/section18.yml index 2b4c964..bbdf407 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -1,221 +1,171 @@ --- - name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenCamera - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenCamera + data: 1 + type: dword when: - - rule_18_1_1_1 + - rule_18_1_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.1.1.1 + - patch - name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenSlideshow - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenSlideshow + data: 1 + type: dword when: - - rule_18_1_1_2 + - rule_18_1_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.1.1.2 + - patch - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - block: - - name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_1_2_2_audit - - - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\InputPersonalization + name: "AllowInputPersonalization" + data: "0" + type: dword when: - - is_implemented - - rule_18_1_2_2 + - rule_18_1_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - 
rule_18.1.2.2 + - patch - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - block: - - name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_1_2_2_audit - - - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer + name: AllowOnlineTips + data: 0 + type: dword when: - - is_implemented - - rule_18_1_3 + - rule_18_1_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.1.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.1.3 + - patch - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - block: - - name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_2_1_audit - - - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA} + name: DllName + data: C:\Program Files\LAPS\CSE\AdmPwd.dll + type: string when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_2_1 + - ansible_windows_domain_role == "Member Server" tags: - - level1-memberserver - - rule_18.2.1 - - patch + - level1-memberserver + - rule_18.2.1 + - patch - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - block: - - name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - 
changed_when: false - failed_when: false - register: rule_18_2_2_audit - - - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PwdExpirationProtectionEnabled + data: 1 + type: dword when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_2_2 + - ansible_windows_domain_role == "Member Server" tags: - - level1-memberserver - - rule_18.2.2 - - patch + - level1-memberserver + - rule_18.2.2 + - patch - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - block: - - name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_2_3_audit - - - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: AdmPwdEnabled + data: 1 + type: dword when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_2_3 + - ansible_windows_domain_role == "Member Server" tags: - - level1-memberserver - - rule_18.2.3 - - patch + - level1-memberserver + - rule_18.2.3 + - patch - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - block: - - name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_2_4_audit - - - name: "SCORED | 18.2.4 | PATCH | 
L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordComplexity + data: 4 + type: dword when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_2_4 + - ansible_windows_domain_role == "Member Server" tags: - - level1-memberserver - - rule_18.2.4 - - patch + - level1-memberserver + - rule_18.2.4 + - patch - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - block: - - name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_2_5_audit - - - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordLength + data: "{{ laps_passwordlength }}" + type: dword when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_2_5 + - ansible_windows_domain_role == "Member Server" tags: - - level1-memberserver - - rule_18.2.5 - - patch + - level1-memberserver + - rule_18.2.5 + - patch - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - block: - - name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_3_6_audit - - - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" + win_regedit: + path: 
HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd + name: PasswordAgeDays + data: "{{ laps_passwordagedays }}" + type: dword when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_2_6 + - ansible_windows_domain_role == "Memmber Server" tags: - - level1-memberserver - - rule_18.2.6 - - patch + - level1-memberserver + - rule_18.2.6 + - patch - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - block: - - name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_3_1_audit - - - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LocalAccountTokenFilterPolicy + data: 0 + type: dword when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_3_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.3.1 - - patch + - level1-memberserver + - rule_18.3.1 + - patch - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" - block: - - name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_3_2_audit - - - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" - command: "echo true" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10 + name: Start + data: 4 + type: dword when: - - 
is_implemented - - rule_18_3_2 + - rule_18_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.2 + - patch - name: "SCORED | 18.3.3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" win_regedit: @@ -226,12 +176,12 @@ state: present notify: reboot_windows when: - - rule_18_3_3 + - rule_18_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.3 + - patch - name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" win_regedit: 
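Review bot: Rule 18.2.6's new condition reads `ansible_windows_domain_role == "Memmber Server"`; the typo means the LAPS PasswordAgeDays task can never match and silently never runs, so it should be `- ansible_windows_domain_role == "Member Server"` like 18.2.1–18.2.5. Those comparisons are case-sensitive, and the other role value on this page is written in sentence case (`Primary domain controller`), so I believe the fact the setup module emits is `Member server` with a lower-case s — please confirm against a real host's facts before merging, and pick one form for all the MS-only rules, since 18.3.1 in the same hunk still uses `not ansible_windows_domain_role == "Primary domain controller"` (which also covers stand-alone servers, unlike the new equality test). 18.2.1 now writes the GPExtensions `DllName` entry pointing at `C:\Program Files\LAPS\CSE\AdmPwd.dll` whether or not the CSE is installed, which makes the CIS audit pass while LAPS is not actually functional and leaves Group Policy trying to load a missing extension; gate the task on a `win_stat` of that path (or have the role install the CSE first). Minor: 18.1.2.2 quotes `data: "0"` for a dword while every sibling task uses a bare integer.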
@@ -241,31 +191,26 @@ type: dword state: present when: - - rule_18_3_4 + - rule_18_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.4 + - patch - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" - block: - - name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_3_5_audit - - - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" - command: "echo true" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters + name: LdapEnforceChannelBinding + data: 1 + type: dword when: - - is_implemented - - rule_18_3_5 - - ansible_windows_domain_role == "Primary domain controller" + - rule_18_3_5 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_18.3.5 - - patch + - level1-domaincontroller + - rule_18.3.5 + - patch - name: "SCORED | 18.3.6 | PATCH | L1 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" win_regedit: @@ -275,12 +220,12 @@ data: "{{ netbt_nodetype }}" datatype: dword when: - - rule_18_3_6 + - rule_18_3_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 + - patch - name: "SCORED | 18.3.7 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" win_regedit: 
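Review bot: 18.3.5 writes `LdapEnforceChannelBinding` with `data: 1`, but the task name and the CIS control call for "Enabled: Enabled, always", and as far as I recall Microsoft's mapping for this value is 0 = never, 1 = when supported, 2 = always, so the benchmark setting is `data: 2`. With 1 a DC still accepts LDAP binds from clients that do not present channel-binding tokens, which is the weaker "when supported" mode rather than the one the control names. Please verify against the benchmark's registry-value table; if it agrees, change the line to `data: 2` and add `# 0 = never, 1 = when supported, 2 = always (CIS 18.3.5 requires 2)` above it so the mapping stays visible to the next maintainer.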
@@ -290,12 +235,12 @@ data: 0 datatype: dword when: - - rule_18_3_7 + - rule_18_3_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.7 + - patch - name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" @@ -304,14 +249,14 @@ state: present value: AutoAdminLogon data: 0 - datatype: dword + datatype: string when: - - rule_18_4_1 + - rule_18_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.1 + - patch - name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: @@ -321,12 +266,12 @@ data: 2 datatype: dword when: - - rule_18_4_2 + - rule_18_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.2 + - patch - name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: @@ -336,12 +281,12 @@ data: 2 datatype: dword when: - - rule_18_4_3 + - rule_18_4_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.3 + - patch - name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" win_regedit: 
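Review bot: The `datatype: dword` to `datatype: string` change for 18.4.1 is correct (AutoAdminLogon is a REG_SZ value), but `data: 0` is still a bare YAML integer, so the string conversion is left to the module's coercion; writing `data: "0"` makes the REG_SZ intent explicit and keeps yamllint-style quoting consistent. The same pattern appears in 18.4.9 (`ScreenSaverGracePeriod`, `type: string` with `data: 5`) in the next, only partially visible hunk.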
@@ -351,858 +296,862 @@ data: 0 datatype: dword when: - - rule_18_4_4 + - rule_18_4_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.4 + - patch - name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: KeepAliveTime - data: 300000 - datatype: dword + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: KeepAliveTime + data: 300000 + datatype: dword when: - - rule_18_4_5 + - rule_18_4_5 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.5 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.5 + - patch - name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters - state: present - name: NoNameReleaseOnDemand - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters + state: present + name: NoNameReleaseOnDemand + data: 1 + type: dword when: - - rule_18_4_6 + - rule_18_4_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.6 + - patch - name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - state: present - name: PerformRouterDiscovery - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + state: present + name: PerformRouterDiscovery + 
data: 0 + type: dword when: - - rule_18_4_7 + - rule_18_4_7 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.7 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.7 + - patch - name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: SafeDllSearchMode - data: 1 - type: dword - state: present + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: SafeDllSearchMode + data: 1 + type: dword + state: present when: - - rule_18_4_8 + - rule_18_4_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.8 + - patch - name: "SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ScreenSaverGracePeriod - data: 5 - type: string - state: present + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ScreenSaverGracePeriod + data: 5 + type: string + state: present when: - - rule_18_4_9 + - rule_18_4_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.9 + - patch - name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword when: - - rule_18_4_10 + - rule_18_4_10 tags: - - level2-domaincontroller - - 
level2-memberserver - - rule_18.4.10 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.10 + - patch - name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword when: - - rule_18_4_11 + - rule_18_4_11 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.11 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.11 + - patch - name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security - name: WarningLevel - data: 90 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security + name: WarningLevel + data: 90 + type: dword when: - - rule_18_4_12 + - rule_18_4_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.12 + - patch - name: "SCORED | 18.5.4.1 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient - name: EnableMulticast - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient + name: EnableMulticast + data: 0 + type: dword when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_5_4_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.4.1 - - patch + - level2-domaincontroller + 
- level2-memberserver + - rule_18.5.4.1 + - patch - name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableFontProviders - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableFontProviders + data: 0 + type: dword when: - - rule_18_5_5_1 + - rule_18_5_5_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.5.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.5.1 + - patch - name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation - name: AllowInsecureGuestAuth - data: 0 - type: dword - when: rule_18_5_8_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation + name: AllowInsecureGuestAuth + data: 0 + type: dword + when: + - rule_18_5_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.8.1 + - patch - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" block: - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOndomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableLLTDIO - data: 0 - type: dword - - - name: 
"SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitLLTDIOOnPrivateNet - data: 0 - type: dword - when: - - rule_18_5_9_1 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.9.1 - - patch + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOndomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableLLTDIO + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitLLTDIOOnPrivateNet + data: 0 + type: dword + when: + - rule_18_5_9_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.9.1 + - patch - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" block: - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnDomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableRspndr - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitRspndrOnPrivateNet - data: 0 - type: dword - when: - - rule_18_5_9_2 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.9.2 - - patch + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnDomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableRspndr + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitRspndrOnPrivateNet + data: 0 + type: dword + when: + - rule_18_5_9_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.9.2 + - patch - name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Peernet - 
name: Disabled - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Peernet + name: Disabled + data: 1 + type: dword when: - - rule_18_5_10_2 + - rule_18_5_10_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.10.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.10.2 + - patch - name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_AllowNetBridge_NLA - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_AllowNetBridge_NLA + data: 0 + type: dword when: - - rule_18_5_11_2 + - rule_18_5_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.2 + - patch - name: "SCORED | 18.5.11.3 | PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections - name: NC_ShowSharedAccessUI - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections + name: NC_ShowSharedAccessUI + data: 0 + type: dword when: - - rule_18_5_11_3 + - rule_18_5_11_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.3 + - patch - name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_StdDomainUserSetLocation - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_StdDomainUserSetLocation + data: 1 + type: dword when: - - 
rule_18_5_11_4 + - rule_18_5_11_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.4 + - patch - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" block: - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\NETLOGON" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\SYSVOL" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - when: - - rule_18_5_14_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.14.1 - - patch + - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\NETLOGON" + data: "RequireMutualAuthentication=1, RequireIntegrity=1" + type: string + + - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\SYSVOL" + data: "RequireMutualAuthentication=1, RequireIntegrity=1" + type: string + when: + - 
rule_18_5_14_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.14.1 + - patch - name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" win_regedit: - path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters - name: DisabledComponents - data: 255 - type: dword + path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters + name: DisabledComponents + data: 255 + type: dword when: - - rule_18_5_19_2_1 + - rule_18_5_19_2_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.19.2.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.19.2.1 + - patch - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" block: - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: EnableRegistrars - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableUPnPRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableInBand802DOT11Registrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableFlashConfigRegistrar - data: 0 - 
type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableWPDRegistrar - data: 0 - type: dword - when: - - rule_18_5_20_1 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.20.1 - - patch + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: EnableRegistrars + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableUPnPRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableInBand802DOT11Registrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableFlashConfigRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableWPDRegistrar + data: 0 + type: dword + when: + - rule_18_5_20_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.20.1 + - patch - 
name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui - name: DisableWcnUi - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui + name: DisableWcnUi + data: 1 + type: dword when: - - rule_18_5_20_2 + - rule_18_5_20_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.20.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.20.2 + - patch - name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fMinimizeConnections - data: 3 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fMinimizeConnections + data: 3 + type: dword when: - - rule_18_5_21_1 + - rule_18_5_21_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.21.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.21.1 + - patch - name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fBlockNonDomain - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fBlockNonDomain + data: 1 + type: dword when: - - rule_18_5_21_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_5_21_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2-memberserver - - rule_18.5.21.2 - - patch + - level2-memberserver + - rule_18.5.21.2 + - patch - name: "SCORED | 18.7.1.1 | PATCH | L2 Ensure Turn off notifications network usage is set to Enabled" win_regedit: - path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications - name: NoCloudApplicationNotification - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + name: NoCloudApplicationNotification + data: 1 + type: dword when: - - rule_18_7_1_1 + - rule_18_7_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.7.1.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.7.1.1 + - patch - name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit - name: ProcessCreationIncludeCmdLine_Enabled - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit + name: ProcessCreationIncludeCmdLine_Enabled + data: 0 + type: dword when: - - rule_18_8_3_1 + - rule_18_8_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.3.1 + - patch - name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients" win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters - name: AllowEncryptionOracle - data: 0 - type: dword + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters + name: AllowEncryptionOracle + data: 0 + type: dword when: - - rule_18_8_4_1 + - rule_18_8_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.1 + - patch - name: "SCORED | 18.8.4.2 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation - name: AllowProtectedCreds - data: 
1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation + name: AllowProtectedCreds + data: 1 + type: dword when: - - rule_18_8_4_2 + - rule_18_8_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.2 + - patch - name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: EnableVirtualizationBasedSecurity - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: EnableVirtualizationBasedSecurity + data: 1 + type: dword when: - - rule_18_8_5_1 + - rule_18_8_5_1 tags: - - ngws-domaincontroller - - ngws-memberserver - - rule_18.8.5.1 - - patch + - ngws-domaincontroller + - ngws-memberserver + - rule_18.8.5.1 + - patch - name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: RequirePlatformSecurityFeatures - data: 3 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: RequirePlatformSecurityFeatures + data: 3 + type: dword when: - - rule_18_8_5_2 + - rule_18_8_5_2 tags: - - ngws-domaincontroller - - ngws-memberserver - - rule_18.8.5.2 - - patch + - ngws-domaincontroller + - ngws-memberserver + - rule_18.8.5.2 + - patch - name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HypervisorEnforcedCodeIntegrity - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HypervisorEnforcedCodeIntegrity + data: 1 + type: dword when: - - 
rule_18_8_5_3 + - rule_18_8_5_3 tags: - - ngws-domaincontroller - - ngws-memberserver - - rule_18.8.5.3 - - patch + - ngws-domaincontroller + - ngws-memberserver + - rule_18.8.5.3 + - patch - name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HVCIMATRequired - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HVCIMATRequired + data: 1 + type: dword when: - - rule_18_8_5_4 + - rule_18_8_5_4 tags: - - ngws-domaincontroller - - ngws-memberserver - - rule_18.8.5.4 - - patch + - ngws-domaincontroller + - ngws-memberserver + - rule_18.8.5.4 + - patch - name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 1 + type: dword when: - - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_5_5 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - ngws-memberserver - - rule_18.8.5.5 - - patch + - ngws-memberserver + - rule_18.8.5.5 + - patch - name: "SCORED | 18.8.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 0 + type: dword when: - - rule_18_8_5_6 - - ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_5_6 + - ansible_windows_domain_role == "Primary domain controller" tags: - - 
ngws-domaincontroller - - rule_18.8.5.6 - - patch + - ngws-domaincontroller + - rule_18.8.5.6 + - patch - name: "SCORED | 18.8.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: ConfigureSystemGuardLaunch - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: ConfigureSystemGuardLaunch + data: 1 + type: dword when: - - rule_18_8_5_7 + - rule_18_8_5_7 tags: - - ngws-domaincontroller - - ngws-memberserver - - rule_18.8.5.7 - - patch + - ngws-domaincontroller + - ngws-memberserver + - rule_18.8.5.7 + - patch - name: "SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" win_regedit: - path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch - name: DriverLoadPolicy - data: 3 - type: dword + path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch + name: DriverLoadPolicy + data: 3 + type: dword when: - - rule_18_8_14_1 + - rule_18_8_14_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.14.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.14.1 + - patch - name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoBackgroundPolicy - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoBackgroundPolicy + data: 0 + type: dword when: - - rule_18_8_21_2 + - rule_18_8_21_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.2 + - patch - name: "SCORED | 18.8.21.3 | 
PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoGPOListChanges - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoGPOListChanges + data: 0 + type: dword when: - - rule_18_8_21_3 + - rule_18_8_21_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.3 + - patch - name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableCdp - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableCdp + data: 0 + type: dword when: - - rule_18_8_21_4 + - rule_18_8_21_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.4 + - patch - name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: yes + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy + state: absent + delete_key: yes when: - - rule_18_8_21_5 + - rule_18_8_21_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.5 + - patch - name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: 
DisableWebPnPDownload - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableWebPnPDownload + data: 1 + type: dword when: - - rule_18_8_22_1_1 + - rule_18_8_22_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.22.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.22.1.1 + - patch - name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc - name: PreventHandwritingDataSharing - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc + name: PreventHandwritingDataSharing + data: 1 + type: dword when: - - rule_18_8_22_1_2 + - rule_18_8_22_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.22.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.22.1.2 + - patch - name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports - name: PreventHandwritingErrorReports - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports + name: PreventHandwritingErrorReports + data: 1 + type: dword when: - - rule_18_8_22_1_3 + - rule_18_8_22_1_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.3 + - patch - name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard - name: ExitOnMSICW - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard + name: ExitOnMSICW + data: 1 + 
type: dword when: - - rule_18_8_22_1_4 + - rule_18_8_22_1_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.4 + - patch - name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoWebServices - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoWebServices + data: 1 + type: dword when: - - rule_18_8_22_1_5 + - rule_18_8_22_1_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.22.1.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.22.1.5 + - patch - name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableHTTPPrinting - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableHTTPPrinting + data: 1 + type: dword when: - - rule_18_8_22_1_6 + - rule_18_8_22_1_6 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.6 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.6 + - patch - name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control - name: NoRegistration - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control + name: NoRegistration + data: 1 + type: dword when: - - rule_18_8_22_1_7 + - rule_18_8_22_1_7 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.7 - - patch + - level2-domaincontroller + - level2-memberserver + 
- rule_18.8.22.1.7 + - patch - name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Searchcompanion - name: DisableContentFileUpdates - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Searchcompanion + name: DisableContentFileUpdates + data: 1 + type: dword when: - - rule_18_8_22_1_8 + - rule_18_8_22_1_8 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.8 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.8 + - patch - name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoOnlinePrintsWizard - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoOnlinePrintsWizard + data: 1 + type: dword when: - - rule_18_8_22_1_9 + - rule_18_8_22_1_9 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.9 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.9 + - patch - name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoPublishingWizard - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoPublishingWizard + data: 1 + type: dword when: - - rule_18_8_22_1_10 + - rule_18_8_22_1_10 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.10 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.10 + - patch - name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Messenger\Client - name: CEIP - data: 2 - type: dword + path: HKLM:\Software\Policies\Microsoft\Messenger\Client + name: CEIP + data: 2 + type: dword when: - - rule_18_8_22_1_11 + - rule_18_8_22_1_11 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.11 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.11 + - patch - name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows - name: CEIPEnable - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows + name: CEIPEnable + data: 0 + type: dword when: - - rule_18_8_22_1_12 + - rule_18_8_22_1_12 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.12 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.12 + - patch - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled" block: - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting - name: Disabled - data: 1 - type: dword - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting - name: DoReport - data: 0 - type: dword - when: - - rule_18_8_22_1_13 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.13 - - patch + - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting + name: Disabled + data: 1 + type: dword + + - name: "SCORED | 
18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting + name: DoReport + data: 0 + type: dword + when: + - rule_18_8_22_1_13 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.13 + - patch - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic" block: - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitBehavior - data: 0 - type: dword - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitEnabled - data: 1 - type: dword - when: - - rule_18_8_25_1 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.25.1 - - patch + - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters + name: DevicePKInitBehavior + data: 0 + type: dword + + - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters + name: DevicePKInitEnabled + data: 1 + type: dword + when: + - rule_18_8_25_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.8.25.1 + - patch - name: "SCORED | 18.8.26.1 | PATCH | L1 Ensure 
Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All" win_regedit: 
@@ -1211,1569 +1160,1569 @@
 data: 0
 type: dword
 when:
- - rule_18_8_26_1
+ - rule_18_8_26_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.26.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.26.1
+ - patch
 - name: "SCORED | 18.8.27.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Control Panel\International
- name: BlockUserInputMethodsForSignIn
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Control Panel\International
+ name: BlockUserInputMethodsForSignIn
+ data: 1
+ type: dword
 when:
- - rule_18_8_27_1
+ - rule_18_8_27_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.27.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.27.1
+ - patch
 - name: "SCORED | 18.8.28.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: BlockUserFromShowingAccountDetailsOnSignin
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockUserFromShowingAccountDetailsOnSignin
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_1
+ - rule_18_8_28_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.1
+ - patch
 - name: "SCORED | 18.8.28.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: DontDisplayNetworkSelectionUI
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontDisplayNetworkSelectionUI
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_2
+ - rule_18_8_28_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.2
- - patch
+ - 
level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.2
+ - patch
 - name: "SCORED | 18.8.28.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: DontEnumerateConnectedUsers
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontEnumerateConnectedUsers
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_3
+ - rule_18_8_28_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.3
+ - patch
 - name: "SCORED | 18.8.28.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: EnumerateLocalUsers
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: EnumerateLocalUsers
+ data: 0
+ type: dword
 when:
- - rule_18_8_28_4
+ - rule_18_8_28_4
 tags:
- - level1-memberserver
- - rule_18.8.28.4
- - patch
+ - level1-memberserver
+ - rule_18.8.28.4
+ - patch
 - name: "SCORED | 18.8.28.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: DisableLockScreenAppNotifications
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DisableLockScreenAppNotifications
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_5
+ - rule_18_8_28_5
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.5
+ - patch
 - name: "SCORED | 18.8.28.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: BlockDomainPicturePassword
- data: 1
- type: dword
+ path: 
HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockDomainPicturePassword
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_6
+ - rule_18_8_28_6
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.6
+ - patch
 - name: "SCORED | 18.8.28.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: AllowDomainPINLogon
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: AllowDomainPINLogon
+ data: 0
+ type: dword
 when:
- - rule_18_8_28_7
+ - rule_18_8_28_7
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.7
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.7
+ - patch
 - name: "SCORED | 18.8.31.1 | PATCH | L2 Ensure Allow Clipboard synchronization across devices is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: AllowCrossDeviceClipboard
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: AllowCrossDeviceClipboard
+ data: 0
+ type: dword
 when:
- - rule_18_8_31_1
+ - rule_18_8_31_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.31.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.31.1
+ - patch
 - name: "SCORED | 18.8.31.2 | PATCH | L2 Ensure Allow upload of User Activities is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: UploadUserActivities
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: UploadUserActivities
+ data: 0
+ type: dword
 when:
- - rule_18_8_31_2
+ - rule_18_8_31_2
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.31.2
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.31.2
+ - patch
 - name: "SCORED | 
18.8.34.6.1 | PATCH | L2 Ensure Allow network connectivity during connected-standby on battery is set to Disabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
- name: DCSettingIndex
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+ name: DCSettingIndex
+ data: 0
+ type: dword
 when:
- - rule_18_8_34_6_1
+ - rule_18_8_34_6_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.34.6.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.34.6.1
+ - patch
 - name: "SCORED | 18.8.34.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
- name: ACSettingIndex
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+ name: ACSettingIndex
+ data: 0
+ type: dword
 when:
- - rule_18_8_34_6_2
+ - rule_18_8_34_6_2
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.34.6.2
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.34.6.2
+ - patch
 - name: "SCORED | 18.8.34.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
- name: DCSettingIndex
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: DCSettingIndex
+ data: 1
+ type: dword
 when:
- - rule_18_8_34_6_3
+ - rule_18_8_34_6_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.34.6.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.34.6.3
+ - patch
 - name: "SCORED | 18.8.34.6.4 | PATCH | L1 Ensure 
Require a password when a computer wakes plugged in is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
- name: ACSettingIndex
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: ACSettingIndex
+ data: 1
+ type: dword
 when:
- - rule_18_8_34_6_4
+ - rule_18_8_34_6_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.34.6.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.34.6.4
+ - patch
 - name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fAllowUnsolicited
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowUnsolicited
+ data: 0
+ type: dword
 when:
- - rule_18_8_36_1
+ - rule_18_8_36_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.36.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.36.1
+ - patch
 - name: "SCORED | 18.8.36.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fAllowToGetHelp
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowToGetHelp
+ data: 0
+ type: dword
 when:
- - rule_18_8_36_2
+ - rule_18_8_36_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.36.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.36.2
+ - patch
 - name: "SCORED | 18.8.37.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
- name: EnableAuthEpResolution
- data: 1
- type: dword
+ path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: EnableAuthEpResolution
+ data: 1
+ type: dword
 when:
- - rule_18_8_37_1
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_8_37_1
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-memberserver
- - rule_18.8.37.1
- - patch
+ - level1-memberserver
+ - rule_18.8.37.1
+ - patch
 - name: "SCORED | 18.8.37.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
- name: RestrictRemoteClients
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: RestrictRemoteClients
+ data: 1
+ type: dword
 when:
- - rule_18_8_37_2
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_8_37_2
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level2-memberserver
- - rule_18.8.37.2
- - patch
+ - level2-memberserver
+ - rule_18.8.37.2
+ - patch
 - name: "SCORED | 18.8.47.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
- name: DisableQueryRemoteServer
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
+ name: DisableQueryRemoteServer
+ data: 0
+ type: dword
 when:
- - rule_18_8_47_5_1
+ - rule_18_8_47_5_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.47.5.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.47.5.1
+ - patch
 - name: "SCORED | 18.8.47.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
- name: ScenarioExecutionEnabled
- data: 0
- type: dword
+ path: 
HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
+ name: ScenarioExecutionEnabled
+ data: 0
+ type: dword
 when:
- - rule_18_8_47_11_1
+ - rule_18_8_47_11_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.47.11.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.47.11.1
+ - patch
 - name: "SCORED | 18.8.49.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
- name: DisabledByGroupPolicy
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
+ name: DisabledByGroupPolicy
+ data: 1
+ type: dword
 when:
- - rule_18_8_49_1
+ - rule_18_8_49_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.49.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.49.1
+ - patch
 - name: "SCORED | 18.8.52.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
- name: Enabled
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
+ name: Enabled
+ data: 1
+ type: dword
 when:
- - rule_18_8_52_1_1
+ - rule_18_8_52_1_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.52.1.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.52.1.1
+ - patch
 - name: "SCORED | 18.8.52.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
- name: Enabled
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
+ name: Enabled
+ data: 1
+ type: dword
 when:
- - rule_18_8_52_1_2
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_8_52_1_2
+ - not ansible_windows_domain_role == "Primary domain 
controller"
 tags:
- - level2-memberserver
- - rule_18.8.52.1.2
- - patch
+ - level2-memberserver
+ - rule_18.8.52.1.2
+ - patch
 - name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
- name: AllowSharedLocalAppData
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
+ name: AllowSharedLocalAppData
+ data: 0
+ type: dword
 when:
- - rule_18_9_4_1
+ - rule_18_9_4_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.9.4.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.4.1
+ - patch
 - name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
- name: MSAOptional
- data: 1
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: MSAOptional
+ data: 1
+ type: dword
 when:
- - rule_18_9_6_1
+ - rule_18_9_6_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.6.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.6.1
+ - patch
 - name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
- name: NoAutoplayfornonVolume
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ name: NoAutoplayfornonVolume
+ data: 1
+ type: dword
 when:
- - rule_18_9_8_1
+ - rule_18_9_8_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.8.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.8.1
+ - patch
 - name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any 
autorun commands"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoAutorun
- data: 1
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoAutorun
+ data: 1
+ type: dword
 when:
- - rule_18_9_8_2
+ - rule_18_9_8_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.8.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.8.2
+ - patch
 - name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoDriveTypeAutoRun
- data: 255
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoDriveTypeAutoRun
+ data: 255
+ type: dword
 when:
- - rule_18_9_8_3
+ - rule_18_9_8_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.8.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.8.3
+ - patch
 - name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
- name: EnhancedAntiSpoofing
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
+ name: EnhancedAntiSpoofing
+ data: 1
+ type: dword
 when:
- - rule_18_9_10_1_1
+ - rule_18_9_10_1_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.10.1.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.10.1.1
+ - patch
 - name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
- name: AllowCamera
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
+ name: AllowCamera
+ data: 1
+ type: dword
 when:
- - rule_18_9_12_1
+ - rule_18_9_12_1
 tags:
- - level2-domaincontroller
- - 
level2-memberserver
- - rule_18.9.12.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.12.1
+ - patch
 - name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
- name: DisableWindowsConsumerFeatures
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
+ name: DisableWindowsConsumerFeatures
+ data: 1
+ type: dword
 when:
- - rule_18_9_13_1
+ - rule_18_9_13_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.13.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.13.1
+ - patch
 - name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
- name: RequirePinForPairing
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
+ name: RequirePinForPairing
+ data: 1
+ type: dword
 when:
- - rule_18_9_14_1
+ - rule_18_9_14_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.14.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.14.1
+ - patch
 - name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Credui
- name: DisablePasswordReveal
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Credui
+ name: DisablePasswordReveal
+ data: 1
+ type: dword
 when:
- - rule_18_9_15_1
+ - rule_18_9_15_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.15.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.15.1
+ - patch
 - name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled"
 win_regedit:
- path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
- name: EnumerateAdministrators
- data: 0
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
+ name: EnumerateAdministrators
+ data: 0
+ type: dword
 when:
- - rule_18_9_15_2
+ - rule_18_9_15_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.15.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.15.2
+ - patch
 - name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
- name: AllowTelemetry
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+ name: AllowTelemetry
+ data: 0
+ type: dword
 when:
- - rule_18_9_16_1
+ - rule_18_9_16_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.16.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.16.1
+ - patch
 - name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
- name: DisableEnterpriseAuthProxy
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+ name: DisableEnterpriseAuthProxy
+ data: 0
+ type: dword
 when:
- - rule_18_9_16_2
+ - rule_18_9_16_2
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.9.16.2
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.16.2
+ - patch
 - name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
- name: DoNotShowFeedbackNotifications
- data: 1
- type: dword
+ path: 
HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+ name: DoNotShowFeedbackNotifications
+ data: 1
+ type: dword
 when:
- - rule_18_9_16_3
+ - rule_18_9_16_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.16.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.16.3
+ - patch
 - name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
- name: AllowBuildPreview
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
+ name: AllowBuildPreview
+ data: 0
+ type: dword
 when:
- - rule_18_9_16_4
+ - rule_18_9_16_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.16.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.16.4
+ - patch
 - name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
- name: Retention
- data: 0
- type: string
+ path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
+ name: Retention
+ data: 0
+ type: string
 when:
- - rule_18_9_26_1_1
+ - rule_18_9_26_1_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.26.1.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.1.1
+ - patch
 - name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
- name: MaxSize
- data: 65538
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
+ name: MaxSize
+ data: 65538
+ type: dword
 when:
- - rule_18_9_26_1_2
+ - rule_18_9_26_1_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - 
rule_18.9.26.1.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.1.2
+ - patch
 - name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
- name: Retention
- data: 0
- type: string
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+ name: Retention
+ data: 0
+ type: string
 when:
- - rule_18_9_26_2_1
+ - rule_18_9_26_2_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.26.2.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.2.1
+ - patch
 - name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
- name: MaxSize
- data: 196608
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+ name: MaxSize
+ data: 196608
+ type: dword
 when:
- - rule_18_9_26_2_2
+ - rule_18_9_26_2_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.26.2.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.2.2
+ - patch
 - name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
- name: Retention
- data: 0
- type: string
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
+ name: Retention
+ data: 0
+ type: string
 when:
- - rule_18_9_26_3_1
+ - rule_18_9_26_3_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.26.3.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.3.1
+ - patch
 - name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is 
set to Enabled 32768 or greater"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
- name: MaxSize
- data: 32768
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
+ name: MaxSize
+ data: 32768
+ type: dword
 when:
- - rule_18_9_26_3_2
+ - rule_18_9_26_3_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.26.3.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.3.2
+ - patch
 - name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
- name: Retention
- data: 0
- type: string
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+ name: Retention
+ data: 0
+ type: string
 when:
- - rule_18_9_26_4_1
+ - rule_18_9_26_4_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.26.4.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.4.1
+ - patch
 - name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
- name: MaxSize
- data: 65538
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+ name: MaxSize
+ data: 65538
+ type: dword
 when:
- - rule_18_9_26_4_2
+ - rule_18_9_26_4_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.26.4.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.26.4.2
+ - patch
 - name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
- name: NoDataExecutionPrevention
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ name: 
NoDataExecutionPrevention
+ data: 0
+ type: dword
 when:
- - rule_18_9_30_2
+ - rule_18_9_30_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.30.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.30.2
+ - patch
 - name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
- name: NoHeapTerminationOnCorruption
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ name: NoHeapTerminationOnCorruption
+ data: 0
+ type: dword
 when:
- - rule_18_9_30_3
+ - rule_18_9_30_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.30.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.30.3
+ - patch
 - name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: PreXPSP2ShellProtocolBehavior
- data: 0
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: PreXPSP2ShellProtocolBehavior
+ data: 0
+ type: dword
 when:
- - rule_18_9_30_4
+ - rule_18_9_30_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.30.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.30.4
+ - patch
 - name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
- name: DisableLocation
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
+ name: DisableLocation
+ data: 1
+ type: dword
 when:
- - rule_18_9_39_2
+ - rule_18_9_39_2
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.9.39.2
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.39.2
+ - patch
 - name: 
"SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
- name: AllowMessageSync
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
+ name: AllowMessageSync
+ data: 0
+ type: dword
 when:
- - rule_18_9_43_1
+ - rule_18_9_43_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.9.43.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.43.1
+ - patch
 - name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
- name: DisableUserAuth
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
+ name: DisableUserAuth
+ data: 1
+ type: dword
 when:
- - rule_18_9_44_1
+ - rule_18_9_44_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.44.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.44.1
+ - patch
 - name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
- name: DisableFileSyncNGSC
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
+ name: DisableFileSyncNGSC
+ data: 1
+ type: dword
 when:
- - rule_18_9_52_1
+ - rule_18_9_52_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.52.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.52.1
+ - patch
 - name: "SCORED | 18.9.59.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: DisablePasswordSaving
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: 
DisablePasswordSaving
+ data: 1
+ type: dword
 when:
- - rule_18_9_59_2_2
+ - rule_18_9_59_2_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.59.2.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.59.2.2
+ - patch
 - name: "SCORED | 18.9.59.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fSingleSessionPerUser
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fSingleSessionPerUser
+ data: 1
+ type: dword
 when:
- - rule_18_9_59_3_2_1
+ - rule_18_9_59_3_2_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.9.59.3.2.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.59.3.2.1
+ - patch
 - name: "SCORED | 18.9.59.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fDisableCcm
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fDisableCcm
+ data: 1
+ type: dword
 when:
- - rule_18_9_59_3_3_1
+ - rule_18_9_59_3_3_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.9.59.3.3.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.9.59.3.3.1
+ - patch
 - name: "SCORED | 18.9.59.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fDisableCdm
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fDisableCdm
+ data: 1
+ type: dword
 when:
- - rule_18_9_59_3_3_2
+ - rule_18_9_59_3_3_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.59.3.3.2
- - patch
+ - 
level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.3.2 + - patch - name: "SCORED | 18.9.59.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableLPT - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableLPT + data: 1 + type: dword when: - - rule_18_9_59_3_3_3 + - rule_18_9_59_3_3_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.3 + - patch - name: "SCORED | 18.9.59.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisablePNPRedir - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisablePNPRedir + data: 1 + type: dword when: - - rule_18_9_59_3_3_4 + - rule_18_9_59_3_3_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.4 + - patch - name: "SCORED | 18.9.59.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fPromptForPassword - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fPromptForPassword + data: 1 + type: dword when: - - rule_18_9_59_3_9_1 + - rule_18_9_59_3_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.1 + - patch - name: "SCORED | 18.9.59.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fEncryptRPCTraffic - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fEncryptRPCTraffic + data: 1 + type: dword when: - - rule_18_9_59_3_9_2 + - rule_18_9_59_3_9_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.2 + - patch - name: "SCORED | 18.9.59.3.9.3 | PATCH | L1 Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: SecurityLayer - data: 2 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: SecurityLayer + data: 2 + type: dword when: - - rule_18_9_59_3_9_3 + - rule_18_9_59_3_9_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.3 + - patch - name: "SCORED | 18.9.59.3.9.4 | PATCH | L1 Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: UserAuthentication - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: UserAuthentication + data: 1 + type: dword when: - - rule_18_9_59_3_9_4 + - rule_18_9_59_3_9_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.4 + - patch - name: "SCORED | 18.9.59.3.9.5 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MinEncryptionLevel - data: 3 - type: dword + path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MinEncryptionLevel + data: 3 + type: dword when: - - rule_18_9_59_3_9_5 + - rule_18_9_59_3_9_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.5 + - patch - name: "SCORED | 18.9.59.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxIdleTime - data: 3600000 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxIdleTime + data: 3600000 + type: dword when: - - rule_18_9_59_3_10_1 + - rule_18_9_59_3_10_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.10.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.1 + - patch - name: "SCORED | 18.9.59.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxDisconnectionTime - data: 28800000 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxDisconnectionTime + data: 28800000 + type: dword when: - - rule_18_9_59_3_10_2 + - rule_18_9_59_3_10_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.10.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.2 + - patch - name: "SCORED | 18.9.59.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DeleteTempDirsOnExit - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DeleteTempDirsOnExit + data: 1 + type: dword when: - - 
rule_18_9_59_3_11_1 + - rule_18_9_59_3_11_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.11.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.1 + - patch - name: "SCORED | 18.9.59.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: PerSessionTempDir - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: PerSessionTempDir + data: 1 + type: dword when: - - rule_18_9_59_3_11_2 + - rule_18_9_59_3_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.11.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.2 + - patch - name: "SCORED | 18.9.60.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds - name: DisableEnclosureDownload - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds + name: DisableEnclosureDownload + data: 1 + type: dword when: - - rule_18_9_60_1 + - rule_18_9_60_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.60.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.60.1 + - patch - name: "SCORED | 18.9.61.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowCloudSearch - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowCloudSearch + data: 0 + type: dword when: - - rule_18_9_61_2 + - rule_18_9_61_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.61.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.61.2 + - patch - name: "SCORED | 18.9.61.3 | PATCH | L1 
Ensure Allow indexing of encrypted files is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowIndexingEncryptedStoresOrItems - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowIndexingEncryptedStoresOrItems + data: 0 + type: dword when: - - rule_18_9_61_3 + - rule_18_9_61_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.61.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.61.3 + - patch - name: "SCORED | 18.9.66.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform - name: NoGenTicket - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform + name: NoGenTicket + data: 1 + type: dword when: - - rule_18_9_66_1 + - rule_18_9_66_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.66.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.66.1 + - patch - name: "SCORED | 18.9.77.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: LocalSettingOverrideSpynetReporting - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: LocalSettingOverrideSpynetReporting + data: 0 + type: dword when: - - rule_18_9_77_3_1 + - rule_18_9_77_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.3.1 + - patch - name: "SCORED | 18.9.77.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: SpynetReporting - 
data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: SpynetReporting + data: 0 + type: dword when: - - rule_18_9_77_3_2 + - rule_18_9_77_3_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.77.3.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.3.2 + - patch - name: "SCORED | 18.9.77.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableBehaviorMonitoring - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword when: - - rule_18_9_77_7_1 + - rule_18_9_77_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.7.1 + - patch - name: "SCORED | 18.9.77.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting - name: DisableGenericRePorts - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting + name: DisableGenericRePorts + data: 1 + type: dword when: - - rule_18_9_77_9_1 + - rule_18_9_77_9_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.77.9.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.9.1 + - patch - name: "SCORED | 18.9.77.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: DisableRemovableDriveScanning - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableRemovableDriveScanning + data: 0 + type: dword when: - - rule_18_9_77_10_1 + - rule_18_9_77_10_1 tags: - - level1-domaincontroller - - level1-memberserver 
- - rule_18.9.77.10.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.1 + - patch - name: "SCORED | 18.9.77.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: DisableEmailScanning - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableEmailScanning + data: 0 + type: dword when: - - rule_18_9_77_10_2 + - rule_18_9_77_10_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.10.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.2 + - patch - name: "SCORED | 18.9.77.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR - name: ExploitGuard_ASR_Rules - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR + name: ExploitGuard_ASR_Rules + data: 1 + type: dword when: - - rule_18_9_77_13_1_1 + - rule_18_9_77_13_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.1.1 + - patch - name: "SCORED | 18.9.77.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - name: "{{ item }}" - data: 1 - type: string # aka REG_SZ + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules + name: "{{ item }}" + data: 1 + type: string loop: - - 26190899-1602-49e8-8b27-eb1d0a1ce869 - - 3b576869-a4ec-4529-8536-b80a7769e899 - - 5beb7efe-fd9a-4556-801d-275e5ffc04cc - - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - - 
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - - d3e037e1-3eb8-44c8-a917-57927947596d - - d4f940ab-401b-4efc-aadc-ad5f3c50688a - when: - - rule_18_9_77_13_1_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.1.2 - - patch + - 26190899-1602-49e8-8b27-eb1d0a1ce869 + - 3b576869-a4ec-4529-8536-b80a7769e899 + - 5beb7efe-fd9a-4556-801d-275e5ffc04cc + - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 + - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b + - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 + - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 + - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 + - d3e037e1-3eb8-44c8-a917-57927947596d + - d4f940ab-401b-4efc-aadc-ad5f3c50688a + when: + - rule_18_9_77_13_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.1.2 + - patch - name: "SCORED | 18.9.77.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - name: EnableNetworkProtection - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + name: EnableNetworkProtection + data: 1 + type: dword when: - - rule_18_9_77_13_3_1 + - rule_18_9_77_13_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.3.1 + - patch - name: "SCORED | 18.9.77.14 | PATCH | L1 Ensure Configure detection for potentially unwanted applications is set to Enabled Block" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender - name: PUAProtection - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows 
Defender + name: PUAProtection + data: 1 + type: dword when: - - rule_18_9_77_14 + - rule_18_9_77_14 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.14 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.14 + - patch - name: "SCORED | 18.9.77.15 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender - name: DisableAntiSpyware - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender + name: DisableAntiSpyware + data: 0 + type: dword when: - - rule_18_9_77_15 + - rule_18_9_77_15 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.15 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.15 + - patch - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: EnableSmartScreen - data: 1 - type: dword - - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: ShellSmartScreenLevel - data: Block - type: string - when: - - rule_18_9_80_1_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.80.1.1 - - patch + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: EnableSmartScreen + data: 1 + type: dword + + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows 
Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: ShellSmartScreenLevel + data: Block + type: string + when: + - rule_18_9_80_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.80.1.1 + - patch - name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace - name: AllowSuggestedAppsInWindowsInkWorkspace - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace + name: AllowSuggestedAppsInWindowsInkWorkspace + data: 0 + type: dword when: - - rule_18_9_84_1 + - rule_18_9_84_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.84.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.84.1 + - patch - name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace - name: AllowWindowsInkWorkspace - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace + name: AllowWindowsInkWorkspace + data: 1 + type: dword when: - - rule_18_9_84_2 + - rule_18_9_84_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.84.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.84.2 + - patch - name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: EnableUserControl - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: EnableUserControl + data: 0 + type: dword when: - - rule_18_9_85_1 + - rule_18_9_85_1 tags: - - level1-domaincontroller - - 
level1-memberserver - - rule_18.9.85.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.1 + - patch - name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword when: - - rule_18_9_85_2 + - rule_18_9_85_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.85.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.2 + - patch - name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: SafeForScripting - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: SafeForScripting + data: 0 + type: dword when: - - rule_18_9_85_3 + - rule_18_9_85_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.85.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.85.3 + - patch - name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DisableAutomaticRestartSignOn - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableAutomaticRestartSignOn + data: 1 + type: dword when: - - rule_18_9_86_1 + - rule_18_9_86_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.86.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.86.1 + - patch - name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging 
is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging - name: EnableScriptBlockLogging - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging + name: EnableScriptBlockLogging + data: 0 + type: dword when: - - rule_18_9_95_1 + - rule_18_9_95_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.95.1 + - patch - name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription - name: EnableTranscripting - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription + name: EnableTranscripting + data: 0 + type: dword when: - - rule_18_9_95_2 + - rule_18_9_95_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.95.2 + - patch - name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowBasic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowBasic + data: 0 + type: dword when: - - rule_18_9_97_1_1 - - not win_skip_for_test + - rule_18_9_97_1_1 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.1 + - patch - name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowUnencryptedTraffic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: 
AllowUnencryptedTraffic + data: 0 + type: dword when: - - rule_18_9_97_1_2 - - not win_skip_for_test + - rule_18_9_97_1_2 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.2 + - patch - name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowDigest - data: 0 - type: dword - when: rule_18_9_97_1_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowDigest + data: 0 + type: dword + when: + - rule_18_9_97_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.3 + - patch - name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowBasic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowBasic + data: 0 + type: dword when: - - rule_18_9_97_2_1 - - not win_skip_for_test + - rule_18_9_97_2_1 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.1 + - patch -#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart - name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowAutoConfig - data: 1 - type: dword + path: 
HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowAutoConfig + data: 1 + type: dword when: - - rule_18_9_97_2_2 - - not win_skip_for_test + - rule_18_9_97_2_2 + - not win_skip_for_test tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.97.2.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.97.2.2 + - patch - name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowUnencryptedTraffic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowUnencryptedTraffic + data: 0 + type: dword when: - - rule_18_9_97_2_3 - - not win_skip_for_test + - rule_18_9_97_2_3 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.3 + - patch - name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: DisableRunAs - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: DisableRunAs + data: 1 + type: dword when: - - rule_18_9_97_2_4 + - rule_18_9_97_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.4 + - patch -#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart - name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs 
- name: AllowRemoteShellAccess - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs + name: AllowRemoteShellAccess + data: 1 + type: dword when: - - rule_18_9_98_1 - - not win_skip_for_test + - rule_18_9_98_1 + - not win_skip_for_test tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.98.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.98.1 + - patch - name: "SCORED | 18.9.99.2.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - name: DisallowExploitProtectionOverride - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + name: DisallowExploitProtectionOverride + data: 1 + type: dword when: - - rule_18_9_99_2_1 + - rule_18_9_99_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.99.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.99.2.1 + - patch - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds" block: - - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: ManagePreviewBuilds - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: ManagePreviewBuildsPolicyValue - data: 0 - type: dword - when: - - rule_18_9_102_1_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.1 - - patch + - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set 
to Enabled Disable preview builds | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuilds + data: 1 + type: dword + + - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuildsPolicyValue + data: 0 + type: dword + when: + - rule_18_9_102_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.1 + - patch - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" block: - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: DeferFeatureUpdates - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: DeferFeatureUpdatesPeriodInDays - data: 180 - type: dword - - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: BranchReadinessLevel - data: 16 - type: dword - when: - - rule_18_9_102_1_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.2 - - patch + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are 
received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdates + data: 1 + type: dword + + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdatesPeriodInDays + data: 180 + type: dword + + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: BranchReadinessLevel + data: 16 + type: dword + when: + - rule_18_9_102_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.2 + - patch - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - name: DeferQualityUpdates - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - name: DeferQualityUpdatesPeriodInDays - data: 0 - type: dword - when: + - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdates + data: 1 + type: dword + + 
- name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdatesPeriodInDays + data: 0 + type: dword + when: - rule_18_9_102_1_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.3 - - patch + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.3 + - patch - name: "SCORED | 18.9.102.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoUpdate - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoUpdate + data: 0 + type: dword when: - - rule_18_9_102_2 + - rule_18_9_102_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.2 + - patch - name: "SCORED | 18.9.102.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: ScheduledInstallDay - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: ScheduledInstallDay + data: 0 + type: dword when: - - rule_18_9_102_3 + - rule_18_9_102_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.3 + - patch - name: "SCORED | 18.9.102.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoRebootWithLoggedOnUsers - data: 0 - type: dword + path: 
HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoRebootWithLoggedOnUsers + data: 0 + type: dword when: - - rule_18_9_102_4 + - rule_18_9_102_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.4 - - patch - + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.4 + - patch
diff --git a/tasks/section19.yml b/tasks/section19.yml
index 1869611..b5db2dc 100644
--- a/tasks/section19.yml
+++ b/tasks/section19.yml
@@ -1,345 +1,345 @@ --- - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" block: - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string when: - - rule_19_1_3_1 + - rule_19_1_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.1 + - patch - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" block: - - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr - type: string + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: scrnsave.scr + type: string - - name: "SCORED | 19.1.3.2 | 
PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr - type: string + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: scrnsave.scr + type: string when: - - rule_19_1_3_2 + - rule_19_1_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.2 + - patch - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" block: - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string when: - - rule_19_1_3_3 + - rule_19_1_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.3 - - patch + - level1-domaincontroller + - 
level1-memberserver + - rule_19.1.3.3 + - patch - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string when: - - rule_19_1_3_4 + - rule_19_1_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.4 + - patch - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" block: - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + win_regedit: + path: 
HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword when: - - rule_19_5_1_1 + - rule_19_5_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.5.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.5.1.1 + - patch - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" block: - - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword - - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + win_regedit: + path: 
HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword when: - - rule_19_6_6_1_1 + - rule_19_6_6_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.6.6.1.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.6.6.1.1 + - patch - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" block: - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword when: - - rule_19_7_4_1 + - rule_19_7_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.4.1 + - patch - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" block: - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" - win_regedit: - 
path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword when: - - rule_19_7_4_2 + - rule_19_7_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.4.2 + - patch - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" block: - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - 
type: dword + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword when: - - rule_19_7_7_1 + - rule_19_7_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.1 + - patch - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword when: - - rule_19_7_7_2 + - rule_19_7_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.2 + - patch - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" block: - 
- name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword when: - - rule_19_7_7_3 + - rule_19_7_7_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.7.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.7.3 + - patch - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" block: - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure 
Turn off all Windows spotlight features is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword when: - - rule_19_7_7_4 + - rule_19_7_7_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.7.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.7.4 + - patch - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" block: - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. 
is set to Enabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword when: - - rule_19_7_26_1 + - rule_19_7_26_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.26.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.26.1 + - patch - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" block: - - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword - - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword when: - - rule_19_7_41_1 + - rule_19_7_41_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.41.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.41.1 + - patch - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" block: - - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + 
- name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword - - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword when: - - rule_19_7_45_2_1 + - rule_19_7_45_2_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.45.2.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.45.2.1 + - patch