From 9fca2c4c2bb03939f0489f5f686fb42cdb297042 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Wed, 28 Apr 2021 08:53:01 -0400
Subject: [PATCH 01/24] issue #32 fix
Signed-off-by: George Nalen
---
tasks/section18.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 2b4c964..ad6cdf6 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -304,7 +304,7 @@
state: present
value: AutoAdminLogon
data: 0
- datatype: dword
+ datatype: string
when:
- rule_18_4_1
tags:
From 50ef25cf5bc36f455ab33ffb90772aa654fe77c5 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 28 Jun 2021 13:45:54 -0400
Subject: [PATCH 02/24] Issue #37 fix
Signed-off-by: George Nalen
---
tasks/section18.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index ad6cdf6..32c0265 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -2150,8 +2150,8 @@
when:
- rule_18_9_59_3_11_1
tags:
- - level2-domaincontroller
- - level2-memberserver
+ - level1-domaincontroller
+ - level1-memberserver
- rule_18.9.59.3.11.1
- patch
From b97be765db1ad5b80c2c7093a7a3bb17717c2b5f Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 28 Jun 2021 13:48:57 -0400
Subject: [PATCH 03/24] Issue #38 fix
Signed-off-by: George Nalen
---
tasks/section18.yml | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 32c0265..8ee93f3 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
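Review bot: Writing `AutoAdminLogon` as a string matches how Winlogon stores the value, but clearing the flag is only half of the hardening for this key: wherever autologon was ever configured, a cleartext `DefaultPassword` value is typically left behind in the same `Winlogon` key, and that key is generally readable by non-administrative local users. Pair this task with a `win_regedit` task that removes `DefaultPassword` (`state: absent`) so the credential does not survive the benchmark run. `data: 0` is a bare YAML integer that the module has to coerce to match `datatype: string`; `data: "0"` would make the intent explicit. The `path:` and module name of this task are above the hunk and not visible here.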
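Review bot: The level tags move from L2 to L1 but the task's `name:` string, which sits above the hunk and is not visible here, presumably still carries the old level prefix; if so, update it in the same change so tag-based runs and task output agree on the level. Tag edits only change `--tags` selection; the `when: - rule_18_9_59_3_11_1` gate, whose default lives in `defaults/main.yml`, still decides whether the task runs at all.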
@@ -28,17 +28,12 @@ - patch - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - block: - - name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_1_2_2_audit - - - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" - command: "echo true" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\InputPersonalization + name: "AllowInputPersonalization" + data: "0" + type: dword when: - - is_implemented - rule_18_1_2_2 tags: - level1-domaincontroller From 91a5320a9fdc45a59356566b0eef0e0b5ac404e5 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 13:53:23 -0400 Subject: [PATCH 04/24] Issue #39 fix Signed-off-by: George Nalen --- tasks/section18.yml | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 8ee93f3..1d81c61 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml @@ -175,17 +175,12 @@ - patch - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - block: - - name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - changed_when: false - failed_when: false - register: rule_18_3_1_audit - - - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LocalAccountTokenFilterPolicy + data: 0 + type: dword when: - - is_implemented - rule_18_3_1 - not ansible_windows_domain_role == "Primary domain controller" tags: 
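Review bot: `data: "0"` is quoted here while the sibling 18.3.1 task in the same file writes `data: 0` for a `dword`; pick one convention for DWORD values (a bare integer reads most naturally next to `type: dword`) and apply it across section18. Replacing the `command: "echo true"` placeholder and dropping the `is_implemented` gate is the right direction; consider also spelling out `state: present` so the task reads the same as the other `win_regedit` tasks in this file that do (the 18.4.1 task, for example).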
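Review bot: `not ansible_windows_domain_role == "Primary domain controller"` does not exclude domain controllers: only the PDC-emulator reports `Primary domain controller`, every other DC in a domain reports `Backup domain controller`, so this MS-only rule will also run on most DCs. If the intent is to cover member and stand-alone servers, gate it with `ansible_windows_domain_role not in ["Primary domain controller", "Backup domain controller"]`; if stand-alone servers are out of scope, `ansible_windows_domain_member` is what other MS-only tasks in section02 already use. The `tags:` list continues below the hunk.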
From fc563a66d697e67b8dacc5d490e6569f299414d5 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 13:59:03 -0400 Subject: [PATCH 05/24] Issue #40 fix Signed-off-by: George Nalen --- defaults/main.yml | 11 ++++++++++- tasks/section02.yml | 4 ++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 8382e3e..3b3fa30 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -445,6 +445,15 @@ rule_19_7_26_1: true rule_19_7_41_1: true rule_19_7_45_2_1: true +# Section 2 Variables + +# 2.3.1.5 +# win19cis_admin_username is the name the administrator account will be renamed to +win19cis_admin_username: admin + +# 2.3.1.6 +# win19cis_guest_username is the name the guest account will be renamed to +win19cis_guest_username: guest # This SID is the same for standalone, member, domain controller for 'Administrators' group sedebugprivilege: "*S-1-5-32-544" @@ -517,4 +526,4 @@ public_firewall_log_size: 16,384 # 18.3.6 # netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType # Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS -netbt_nodetype: 2 \ No newline at end of file +netbt_nodetype: 2 diff --git a/tasks/section02.yml b/tasks/section02.yml index b2bbce8..70dcf66 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -704,7 +704,7 @@ win_security_policy: section: System Access key: newadministratorname - value: GeorgeSharp + value: "{{ win19cis_admin_username }}" when: - rule_2_3_1_5 - not win_skip_for_test @@ -718,7 +718,7 @@ win_security_policy: section: System Access key: NewGuestName - value: BobCooper + value: "{{ win19cis_guest_username }}" when: - rule_2_3_1_6 tags: From b0481aea764e64b0e3d65160adef17d4d92c1543 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 14:00:34 -0400 Subject: [PATCH 06/24] Issue #41 fix 
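Review bot: The 2.3.1.5 task is guarded by `- not win_skip_for_test` but the 2.3.1.6 task directly below it is not, so a test run that skips the Administrator rename still renames Guest; apply the same guard to both. Renaming changes only the account name, not the well-known RID (500 for Administrator), so anyone who can resolve SIDs still finds the real account; that is worth stating next to `win19cis_admin_username`, e.g. `# defense in depth only: the account keeps RID 500 and remains discoverable by SID`. Quoting the templated values (`value: "{{ win19cis_admin_username }}"`) is correct and should be kept.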
Signed-off-by: George Nalen
---
tasks/section02.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 70dcf66..06a6c46 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
@@ -623,7 +623,7 @@
- name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only"
win_user_right:
name: SeSyncAgentPrivilege
- users:
+ users: []
action: set
when:
- rule_2_2_47
From 78b5a46b9c130add200123aed6705f0c49c85020 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 28 Jun 2021 14:03:45 -0400
Subject: [PATCH 07/24] Issue #42 fix
Signed-off-by: George Nalen
---
defaults/main.yml | 5 +++++
tasks/section02.yml | 25 ++++++++++++++++++-------
2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 3b3fa30..7e70af2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -445,8 +445,13 @@
rule_19_7_26_1: true
rule_19_7_41_1: true
rule_19_7_45_2_1: true
+
# Section 2 Variables
+# 2.2.18
+# is_hyperv_installed is Hyper-V installed
+is_hyperv_installed: false
+
# 2.3.1.5
# win19cis_admin_username is the name the administrator account will be renamed to
win19cis_admin_username: admin
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 06a6c46..45c9106 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
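Review bot: `is_hyperv_installed: false` is a static default and nothing in this series detects the feature, so on a Hyper-V host whose operator forgot to override it, 2.2.18 will set SeCreateSymbolicLinkPrivilege to Administrators only and strip `NT VIRTUAL MACHINE\Virtual Machines`, the group the benchmark value in that task's name includes. A short pre-task can derive the value instead of trusting the default, for example `win_shell: (Get-WindowsFeature -Name Hyper-V).Installed` registered as `hyperv_check` and then `set_fact: is_hyperv_installed: "{{ hyperv_check.stdout | trim | bool }}"`, leaving the variable as an explicit override. The comment `# is_hyperv_installed is Hyper-V installed` would read better as `# set to true on Hyper-V hosts so 2.2.18 keeps the Virtual Machines symbolic-link right`.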
@@ -216,15 +216,26 @@ - patch - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" - win_user_right: - name: SeCreateSymbolicLinkPrivilege - users: - - Administrators - - NT VIRTUAL MACHINE\Virtual Machines - action: set + block: + - name: "SCORED | 2.2.18 | PATCH | (L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | No Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set + when: not is_hyperv_installed + + - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only | With Hyper-v" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + - NT VIRTUAL MACHINE\Virtual Machines + action: set + when: is_hyperv_installed when: - rule_2_2_18 - - ansible_windows_domain_role == "Member server" + - not ansible_windows_domain_role == "Primary domain controller" tags: - level1-memberserver - rule_2.2.18 From fa00602b7b5c9f5b35fdb8d0f1bfa04b39c0bbf7 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 15:21:58 -0400 Subject: [PATCH 08/24] Edited win19cis_guest_username default value Signed-off-by: George Nalen --- defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 7e70af2..9cd5cd3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
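Review bot: There is a stray `(` in the first inner task's name, `PATCH | (L1 Ensure`, that the second inner task does not have; remove it so the two names are parallel. The new outer gate `not ansible_windows_domain_role == "Primary domain controller"` also matches `Backup domain controller`, which is what every DC other than the PDC-emulator reports, so this MS-only task now runs on DCs and, with `is_hyperv_installed: true`, would grant the symlink right to the Virtual Machines group where 2.2.17 says Administrators only; if the change was meant to include stand-alone servers, use `ansible_windows_domain_role not in ["Primary domain controller", "Backup domain controller"]`. The `tags:` list continues below the hunk.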
@@ -454,11 +454,11 @@
is_hyperv_installed: false
# 2.3.1.5
# win19cis_admin_username is the name the administrator account will be renamed to
-win19cis_admin_username: admin
+win19cis_admin_username: adminchangethis
# 2.3.1.6
# win19cis_guest_username is the name the guest account will be renamed to
-win19cis_guest_username: guest
+win19cis_guest_username: guestchangethis
# This SID is the same for standalone, member, domain controller for 'Administrators' group
sedebugprivilege: "*S-1-5-32-544"
From 0379a6b21578bb6f5ab36f2ca280f12ae5f18071 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Mon, 28 Jun 2021 15:33:39 -0400
Subject: [PATCH 09/24] defaults/main.yml linting updates
Signed-off-by: George Nalen
---
.ansible-lint | 11 +++++++++++
.cache/roles/Windows-2019-CIS | 1 +
.yamllint | 20 ++++++++++++++++++++
defaults/main.yml | 4 ++--
4 files changed, 34 insertions(+), 2 deletions(-)
create mode 100755 .ansible-lint
create mode 120000 .cache/roles/Windows-2019-CIS
create mode 100755 .yamllint
diff --git a/.ansible-lint b/.ansible-lint
new file mode 100755
index 0000000..f2a7e7c
--- /dev/null
+++ b/.ansible-lint
@@ -0,0 +1,11 @@
+parseable: true
+quiet: true
+skip_list:
+ - '204'
+ - '305'
+ - '303'
+ - '403'
+ - '306'
+ - '602'
+use_default_rules: true
+verbosity: 0
diff --git a/.cache/roles/Windows-2019-CIS b/.cache/roles/Windows-2019-CIS
new file mode 120000
index 0000000..c25bddb
--- /dev/null
+++ b/.cache/roles/Windows-2019-CIS
@@ -0,0 +1 @@
+../..
\ No newline at end of file
diff --git a/.yamllint b/.yamllint
new file mode 100755
index 0000000..93378b9
--- /dev/null
+++ b/.yamllint
@@ -0,0 +1,20 @@
+---
+ignore: |
+ tests/
+ molecule/
+ .gitlab-ci.yml
+ *molecule.yml
+
+extends: default
+
+rules:
+ indentation:
+ spaces: 4
+ truthy: disable
+ braces:
+ max-spaces-inside: 1
+ level: error
+ brackets:
+ max-spaces-inside: 1
+ level: error
+ line-length: disable
diff --git a/defaults/main.yml b/defaults/main.yml
index 9cd5cd3..5cfef95 100644
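Review bot: The placeholders are still live values: nothing stops a run from renaming the built-in Administrator to `adminchangethis`, a name published in this repository and therefore as guessable as `Administrator`. Add a precondition that fails the play while either placeholder is in effect, so 2.3.1.5/2.3.1.6 only ever apply an operator-chosen name; the task below would go at the top of `tasks/section02.yml` or in a pre-task file. The comments above each variable could also say what happens if the value is left alone, e.g. `# must be overridden; the play asserts this before renaming the account`.
```yaml
- name: "PREREQ | Ensure the built-in account rename targets were overridden"
  assert:
      that:
          - win19cis_admin_username != 'adminchangethis'
          - win19cis_guest_username != 'guestchangethis'
      fail_msg: "Override win19cis_admin_username and win19cis_guest_username before enabling 2.3.1.5 / 2.3.1.6"
  when: rule_2_3_1_5 or rule_2_3_1_6
```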
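Review bot: `.cache/roles/Windows-2019-CIS` is an ansible-lint working-directory artifact (a symlink back to `../..`) and should not be committed; drop it from the patch and add `.cache/` to `.gitignore` so the next lint run does not reintroduce it. `.ansible-lint` and `.yamllint` are created with mode `100755`; they are data files read by the linters and should be `100644`. The `skip_list` silences, as I read the v4 rule IDs, 303/305/306 (command-instead-of-module, shell usage, missing pipefail) for the whole role; a per-task `# noqa 303` on the few placeholder tasks is safer than a blanket skip, since the blanket skip hides exactly the `command: "echo true"` pattern this series is removing.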
--- a/defaults/main.yml +++ b/defaults/main.yml @@ -35,10 +35,10 @@ workaround_for_ssg_benchmark: true # tweak role to run in a non-privileged container system_is_container: no -#set to false to skip tasks that either have not been developed or cannot be automated +# set to false to skip tasks that either have not been developed or cannot be automated is_implemented: false -#set to false to skip long running tasks +# set to false to skip long running tasks long_running: false win_skip_for_test: false From a2d21dc5d63fe37f3c6db33ec57e3bcca7c66a3b Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 15:38:40 -0400 Subject: [PATCH 10/24] section1 linting fixes Signed-off-by: George Nalen --- tasks/section01.yml | 108 ++++++++++++++++++++++---------------------- 1 file changed, 55 insertions(+), 53 deletions(-) diff --git a/tasks/section01.yml b/tasks/section01.yml index 8ea7d90..a1fb085 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -15,12 +15,12 @@ key: PasswordHistorySize value: "{{ passwordhistorysize }}" when: - - rule_1_1_1 + - rule_1_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.1 + - patch - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0" block: @@ -38,12 +38,12 @@ key: MaximumPasswordAge value: "{{ maximumpasswordage }}" when: - - rule_1_1_2 + - rule_1_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.2 + - patch - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days" block: 
@@ -61,12 +61,12 @@ key: MinimumPasswordAge value: "{{ minimumpasswordage }}" when: - - rule_1_1_3 + - rule_1_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.3 + - patch - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters" block: @@ -83,12 +83,13 @@ section: System Access key: MinimumPasswordLength value: "{{ minimumpasswordlength }}" - when: rule_1_1_4 + when: + - rule_1_1_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.4 + - patch - name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled" win_security_policy: @@ -96,26 +97,27 @@ key: PasswordComplexity value: 1 when: - - rule_1_1_5 + - rule_1_1_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.5 + - patch - name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled" win_security_policy: - section: System Access - key: ClearTextPassword - value: "0" + section: System Access + key: ClearTextPassword + value: "0" when: - - rule_1_1_6 + - rule_1_1_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.6 + - patch +# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" block: - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes" 
@@ -128,31 +130,31 @@ - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes" win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" + section: System Access + key: LockoutDuration + value: "{{ lockoutduration }}" when: - - rule_1_2_1 - - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp + - rule_1_2_1 + - is_implemented tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.1 + - patch -#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable +# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable - name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0" win_security_policy: section: System Access key: LockoutBadCount value: "{{ lockoutbadcount }}" when: - - rule_1_2_2 + - rule_1_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.2 + - patch - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes" block: @@ -170,9 +172,9 @@ key: ResetLockoutCount value: "{{ resetlockoutcount }}" when: - - rule_1_2_3 + - rule_1_2_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.3 + - patch From fa1591808a5d8e15940a6895567293aa23558dbb Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 16:15:08 -0400 Subject: [PATCH 11/24] section 2 lint fixes Signed-off-by: George Nalen --- tasks/section02.yml | 2092 ++++++++++++++++++++++--------------------- 1 file changed, 1047 insertions(+), 1045 deletions(-) 
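Review bot: The new side keeps 1.2.1 gated on `- is_implemented`, whose default is `false` in `defaults/main.yml`, so Account lockout duration is never applied in a default run while 1.2.2 and 1.2.3 are; the relocated comment records the secedit import failure, and the `# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable` comment on 1.2.2 suggests the likely cause, that `LockoutDuration` cannot be imported while `LockoutBadCount` is still 0. Moving the 1.2.2 task above the 1.2.1 block and removing `- is_implemented` from 1.2.1's `when:` would let the duration be enforced without the workaround; the same ordering applies to 1.2.3, which already runs unguarded. The 1.2.1 block starts in the previous hunk.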
diff --git a/tasks/section02.yml b/tasks/section02.yml index 45c9106..36f8841 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml @@ -1,45 +1,46 @@ --- - name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" win_user_right: - name: SeTrustedCredManAccessPrivilege - users: [] - action: set + name: SeTrustedCredManAccessPrivilege + users: [] + action: set when: - - rule_2_2_1 + - rule_2_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.1 + - patch - name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" win_user_right: - name: SeNetworkLogonRight - users: - - Administrators - - Authenticated Users - action: set + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set when: - - rule_2_2_2 or rule_2_2_3 + - rule_2_2_2 or + rule_2_2_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.2 - - rule_2.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.2 + - rule_2.2.3 + - patch - name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" win_user_right: - name: SeTcbPrivilege - users: [] - action: set + name: SeTcbPrivilege + users: [] + action: set when: - - rule_2_2_4 + - rule_2_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.4 + - patch - name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" win_user_right: 
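Review bot: The re-split `when:` (`rule_2_2_2 or` / `rule_2_2_3`) still folds two different benchmark values into one task: the name quotes the DC value (Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS) while `users:` holds the member-server value, and the task is tagged for both roles, so with `action: set` a domain controller loses ENTERPRISE DOMAIN CONTROLLERS from SeNetworkLogonRight. Split it into a DC task gated on the domain-controller role whose list adds `- ENTERPRISE DOMAIN CONTROLLERS` and an MS task with the current list, the way 2.2.17/2.2.18 and 2.2.27/2.2.28 are already paired in this file.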
@@ -47,173 +48,174 @@ users: Administrators action: set when: - - rule_2_2_5 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_5 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.5 - - patch + - level1-domaincontroller + - rule_2.2.5 + - patch - name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" win_user_right: - name: SeIncreaseQuotaPrivilege - users: - - Administrators - - Local Service - - Network Service - action: set + name: SeIncreaseQuotaPrivilege + users: + - Administrators + - Local Service + - Network Service + action: set when: - - rule_2_2_6 + - rule_2_2_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.6 + - patch - name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" win_user_right: - name: SeInteractiveLogonRight - users: - - Administrators - action: set + name: SeInteractiveLogonRight + users: + - Administrators + action: set when: - - rule_2_2_7 + - rule_2_2_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.7 + - patch - name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" win_user_right: - name: SeRemoteInteractiveLogonRight - users: - - Administrators - - Remote Desktop Users - action: set + name: SeRemoteInteractiveLogonRight + users: + - Administrators + - Remote Desktop Users + action: set when: - - rule_2_2_8 or rule_2_2_9 + - rule_2_2_8 or + rule_2_2_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.8 - - rule_2.2.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.8 + - rule_2.2.9 + - patch - name: "SCORED | 2.2.10 | PATCH 
| L1 Ensure Back up files and directories is set to Administrators" win_user_right: - name: SeBackupPrivilege - users: - - Administrators - action: set + name: SeBackupPrivilege + users: + - Administrators + action: set when: - - rule_2_2_10 + - rule_2_2_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.10 + - patch - name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" win_user_right: - name: SeSystemTimePrivilege - users: - - Administrators - - Local Service - action: set + name: SeSystemTimePrivilege + users: + - Administrators + - Local Service + action: set when: - - rule_2_2_11 + - rule_2_2_11 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.11 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.11 + - patch - name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" win_user_right: - name: SeTimeZonePrivilege - users: - - Administrators - - Local Service - action: set + name: SeTimeZonePrivilege + users: + - Administrators + - Local Service + action: set when: - - rule_2_2_12 + - rule_2_2_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.12 + - patch - name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" win_user_right: - name: SeCreatePagefilePrivilege - users: - - Administrators - action: set + name: SeCreatePagefilePrivilege + users: + - Administrators + action: set when: - - rule_2_2_13 + - rule_2_2_13 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.13 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.13 + - patch - name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" win_user_right: - name: 
SeCreateTokenPrivilege - users: [] - action: set + name: SeCreateTokenPrivilege + users: [] + action: set when: - - rule_2_2_14 + - rule_2_2_14 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.14 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.14 + - patch - name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" win_user_right: - name: SeCreateGlobalPrivilege - users: - - Administrators - - Local Service - - Network Service - - Service - action: set + name: SeCreateGlobalPrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set when: - - rule_2_2_15 + - rule_2_2_15 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.15 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.15 + - patch - name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" win_user_right: - name: SeCreatePermanentPrivilege - users: [] - action: set + name: SeCreatePermanentPrivilege + users: [] + action: set when: - - rule_2_2_16 + - rule_2_2_16 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.16 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.16 + - patch - name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" win_user_right: - name: SeCreateSymbolicLinkPrivilege - users: - - Administrators - action: set + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set when: - - rule_2_2_17 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_17 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.17 - - patch + - level1-domaincontroller + - rule_2.2.17 + - patch - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL 
MACHINEVirtual Machines MS only" block: 
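Review bot: 2.2.8 & 2.2.9 has the same shape as 2.2.2 & 2.2.3: the name says DC only, the tags cover both roles, and `users:` grants `Remote Desktop Users` on every host including domain controllers, where the benchmark value in the name is Administrators alone. A DC-gated task with `users: - Administrators` and an MS-gated one with the current list would close that, mirroring the 2.2.17/2.2.18 split that follows in this hunk. The 2.2.18 block that starts at the end of this hunk continues in the next one.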
@@ -234,1406 +236,1406 @@ action: set when: is_hyperv_installed when: - - rule_2_2_18 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_18 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_2.2.18 - - patch + - level1-memberserver + - rule_2.2.18 + - patch - name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" win_user_right: - name: SeDebugPrivilege - users: - - Administrators - action: set + name: SeDebugPrivilege + users: + - Administrators + action: set when: - - rule_2_2_19 + - rule_2_2_19 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.19 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.19 + - patch - #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes +# Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes - name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" win_user_right: - name: SeDenyNetworkLogonRight - users: - - Guests - action: set - when: - - rule_2_2_20 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - level1-domaincontroller - - rule_2.2.20 - - patch + name: SeDenyNetworkLogonRight + users: + - Guests + action: set + when: + - rule_2_2_20 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_2.2.20 + - patch - name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" win_user_right: - name: SeDenyNetworkLogonRight - users: - - Guests - #- Local Account - #- Administrators - action: set - when: - - rule_2_2_21 - - ansible_windows_domain_member - tags: - - level1-memberserver - - rule_2.2.21 
- - patch + name: SeDenyNetworkLogonRight + users: + - Guests + # - Local Account + # - Administrators + action: set + when: + - rule_2_2_21 + - ansible_windows_domain_member + tags: + - level1-memberserver + - rule_2.2.21 + - patch - name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" win_user_right: - name: SeDenyBatchLogonRight - users: - - Guests - action: set + name: SeDenyBatchLogonRight + users: + - Guests + action: set when: - - rule_2_2_22 + - rule_2_2_22 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.22 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.22 + - patch - name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" win_user_right: - name: SeDenyServiceLogonRight - users: - - Guests - action: set + name: SeDenyServiceLogonRight + users: + - Guests + action: set when: - - rule_2_2_23 + - rule_2_2_23 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.23 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.23 + - patch - name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" win_user_right: name: SeDenyInteractiveLogonRight users: - - Guests + - Guests action: set when: - - rule_2_2_24 + - rule_2_2_24 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.24 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.24 + - patch - name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" win_user_right: - name: SeDenyRemoteInteractiveLogonRight - users: - - Guests - #- Local Account - action: set + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + # - Local Account + action: set when: - - rule_2_2_25 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_25 + - ansible_windows_domain_role == "Primary domain controller" tags: - - 
level1-domaincontroller - - rule_2.2.25 - - patch + - level1-domaincontroller + - rule_2.2.25 + - patch - name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" win_user_right: - name: SeDenyRemoteInteractiveLogonRight - users: - - Guests - #- Local Account - action: set + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + # - Local Account + action: set when: - - rule_2_2_26 - - ansible_windows_domain_member + - rule_2_2_26 + - ansible_windows_domain_member tags: - - level1-memberserver - - rule_2.2.26 - - patch + - level1-memberserver + - rule_2.2.26 + - patch - name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" win_user_right: - name: SeEnableDelegationPrivilege - users: Administrators - action: set + name: SeEnableDelegationPrivilege + users: Administrators + action: set when: - - rule_2_2_27 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_27 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.27 - - patch + - level1-domaincontroller + - rule_2.2.27 + - patch - name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" win_user_right: - name: SeEnableDelegationPrivilege - users: [] - action: set + name: SeEnableDelegationPrivilege + users: [] + action: set when: - - rule_2_2_28 - - ansible_windows_domain_member + - rule_2_2_28 + - ansible_windows_domain_member tags: - - level1-memberserver - - rule_2.2.28 - - patch + - level1-memberserver + - rule_2.2.28 + - patch - name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" win_user_right: name: SeRemoteShutdownPrivilege users: - - Administrators + - Administrators action: set when: - - rule_2_2_29 + - rule_2_2_29 tags: - - 
level1-domaincontroller - - level1-memberserver - - rule_2.2.29 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.29 + - patch - name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: - name: SeAuditPrivilege - users: - - Local Service - - Network Service - action: set + name: SeAuditPrivilege + users: + - Local Service + - Network Service + action: set when: - - rule_2_2_30 + - rule_2_2_30 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.30 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.30 + - patch - name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" win_user_right: - name: SeImpersonatePrivilege - users: - - Administrators - - Local Service - - Network Service - - Service - action: set + name: SeImpersonatePrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set when: - - rule_2_2_31 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_31 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.31 - - patch + - level1-domaincontroller + - rule_2.2.31 + - patch - name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" win_user_right: - name: SeImpersonatePrivilege - users: - - Administrators - - IIS_IUSRS - - Local Service - - Network Service - - Service - action: set - when: - - rule_2_2_32 - - ansible_windows_domain_member - tags: - - level1-memberserver - - rule_2.2.32 - - patch + name: SeImpersonatePrivilege + users: + - Administrators + - IIS_IUSRS + - Local Service + - Network Service + - Service + action: 
set + when: + - rule_2_2_32 + - ansible_windows_domain_member + tags: + - level1-memberserver + - rule_2.2.32 + - patch - name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators Window ManagerWindow Manager Group" win_user_right: - name: SeIncreaseBasePriorityPrivilege - users: - - Administrators - - Window Manager\Window Manager Group - action: set + name: SeIncreaseBasePriorityPrivilege + users: + - Administrators + - Window Manager\Window Manager Group + action: set when: - - rule_2_2_33 + - rule_2_2_33 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.33 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.33 + - patch - name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" win_user_right: - name: SeLoadDriverPrivilege - users: - - Administrators - action: set + name: SeLoadDriverPrivilege + users: + - Administrators + action: set when: - - rule_2_2_34 + - rule_2_2_34 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.34 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.34 + - patch - name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" win_user_right: - name: SeLockMemoryPrivilege - users: [] - action: set + name: SeLockMemoryPrivilege + users: [] + action: set when: - - rule_2_2_35 + - rule_2_2_35 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.35 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.35 + - patch - name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" win_user_right: - name: SeBatchLogonRight - users: Administrators - action: set + name: SeBatchLogonRight + users: Administrators + action: set when: - - rule_2_2_36 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_36 + - ansible_windows_domain_role == "Primary domain controller" 
tags: - - level2-domaincontroller - - rule_2.2.36 - - patch + - level2-domaincontroller + - rule_2.2.36 + - patch - name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" win_user_right: - name: SeSecurityPrivilege - users: - - Administrators - action: set + name: SeSecurityPrivilege + users: + - Administrators + action: set when: - - rule_2_2_37 or rule_2_2_38 + - rule_2_2_37 or + rule_2_2_38 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.37 - - rule_2.2.38 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.37 + - rule_2.2.38 + - patch - name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" win_user_right: - name: SeReLabelPrivilege - users: [] - action: set + name: SeReLabelPrivilege + users: [] + action: set when: - - rule_2_2_39 + - rule_2_2_39 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.39 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.39 + - patch - name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" win_user_right: - name: SeSystemEnvironmentPrivilege - users: - - Administrators - action: set + name: SeSystemEnvironmentPrivilege + users: + - Administrators + action: set when: - - rule_2_2_40 + - rule_2_2_40 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.40 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.40 + - patch - name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" win_user_right: - name: SeManageVolumePrivilege - users: - - Administrators - action: set + name: SeManageVolumePrivilege + users: + - Administrators + action: set when: - - rule_2_2_41 + - rule_2_2_41 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.41 - - patch + 
- level1-domaincontroller + - level1-memberserver + - rule_2.2.41 + - patch - name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" win_user_right: - name: SeProfileSingleProcessPrivilege - users: - - Administrators - action: set + name: SeProfileSingleProcessPrivilege + users: + - Administrators + action: set when: - - rule_2_2_42 + - rule_2_2_42 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.42 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.42 + - patch - name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" win_user_right: - name: SeSystemProfilePrivilege - users: - - Administrators - - NT SERVICE\WdiServiceHost - action: set + name: SeSystemProfilePrivilege + users: + - Administrators + - NT SERVICE\WdiServiceHost + action: set when: - - rule_2_2_43 + - rule_2_2_43 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.43 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.43 + - patch - name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" win_user_right: - name: SeAssignPrimaryTokenPrivilege - users: - - LOCAL SERVICE - - NETWORK SERVICE - action: set + name: SeAssignPrimaryTokenPrivilege + users: + - LOCAL SERVICE + - NETWORK SERVICE + action: set when: - - rule_2_2_44 + - rule_2_2_44 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.44 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.44 + - patch - name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" win_user_right: - name: SeRestorePrivilege - users: - - Administrators - action: set + name: SeRestorePrivilege + users: + - Administrators + action: set when: - - rule_2_2_45 + - rule_2_2_45 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.45 - - 
patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.45 + - patch - name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" win_user_right: - name: SeShutdownPrivilege - users: - - Administrators - action: set + name: SeShutdownPrivilege + users: + - Administrators + action: set when: - - rule_2_2_46 + - rule_2_2_46 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.46 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.46 + - patch - name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only" win_user_right: - name: SeSyncAgentPrivilege - users: [] - action: set + name: SeSyncAgentPrivilege + users: [] + action: set when: - - rule_2_2_47 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_47 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.47 - - patch + - level1-domaincontroller + - rule_2.2.47 + - patch - name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" win_user_right: - name: SeTakeOwnershipPrivilege - users: - - Administrators - action: set + name: SeTakeOwnershipPrivilege + users: + - Administrators + action: set when: - - rule_2_2_48 + - rule_2_2_48 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.48 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.48 + - patch - name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" win_security_policy: - section: System Access - key: EnableAdminAccount - value: 0 + section: System Access + key: EnableAdminAccount + value: 0 when: - - rule_2_3_1_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_1_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_2.3.1.1 - 
- patch + - level1-memberserver + - rule_2.3.1.1 + - patch - name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: NoConnectedUser - data: 3 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: NoConnectedUser + data: 3 + type: dword when: - - rule_2_3_1_2 + - rule_2_3_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.2 + - patch - name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" win_security_policy: - section: System Access - key: EnableGuestAccount - value: 0 + section: System Access + key: EnableGuestAccount + value: 0 when: - - rule_2_3_1_3 + - rule_2_3_1_3 tags: - - level1-memberserver - - rule_2.3.1.3 - - patch + - level1-memberserver + - rule_2.3.1.3 + - patch - name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: LimitBlankPasswordUse - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LimitBlankPasswordUse + data: 1 + type: dword when: - - rule_2_3_1_4 + - rule_2_3_1_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.4 + - patch - name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" win_security_policy: - section: System Access - key: newadministratorname - value: "{{ win19cis_admin_username }}" + section: System Access + key: newadministratorname + value: "{{ win19cis_admin_username }}" when: - - rule_2_3_1_5 - - not win_skip_for_test + - rule_2_3_1_5 + - not 
win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.5 + - patch - name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account" win_security_policy: - section: System Access - key: NewGuestName - value: "{{ win19cis_guest_username }}" + section: System Access + key: NewGuestName + value: "{{ win19cis_guest_username }}" when: - - rule_2_3_1_6 + - rule_2_3_1_6 tags: - - level1-domaincontroller - - level1-memberservers - - rule_2.3.1.6 - - patch + - level1-domaincontroller + - level1-memberservers + - rule_2.3.1.6 + - patch - name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: SCENoApplyLegacyAuditPolicy - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: SCENoApplyLegacyAuditPolicy + data: 1 + type: dword when: - - rule_2_3_2_1 + - rule_2_3_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.2.1 + - patch - name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: CrashOnAuditFail - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: CrashOnAuditFail + data: 0 + type: dword when: - - rule_2_3_2_2 + - rule_2_3_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.2.2 + - patch - name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" win_regedit: - path: 
HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: AllocateDASD - data: 0 - type: string + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: AllocateDASD + data: 0 + type: string when: - - rule_2_3_4_1 + - rule_2_3_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.4.1 + - patch - name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers - name: AddPrinterDrivers - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers + name: AddPrinterDrivers + data: 1 + type: dword when: - - rule_2_3_4_2 + - rule_2_3_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.4.2 + - patch - name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa - name: SubmitControl - data: 0 - type: dword + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: SubmitControl + data: 0 + type: dword when: - - rule_2_3_5_1 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_5_1 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.3.5.1 - - patch + - level1-domaincontroller + - rule_2.3.5.1 + - patch - name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters - name: LDAPServerIntegrity - data: 2 - type: dword + path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + 
name: LDAPServerIntegrity + data: 2 + type: dword when: - - rule_2_3_5_2 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_5_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.3.5.2 - - patch + - level1-domaincontroller + - rule_2.3.5.2 + - patch - name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" win_regedit: - path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters - name: RefusePasswordChange - data: 0 - type: dword + path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + name: RefusePasswordChange + data: 0 + type: dword when: - - rule_2_3_5_3 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_5_3 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.3.5.3 - - patch + - level1-domaincontroller + - rule_2.3.5.3 + - patch - name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: RequireSignOrSeal - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireSignOrSeal + data: 1 + type: dword when: - - rule_2_3_6_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.1 + - patch - name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: sealsecurechannel - data: 1 - type: dword + path: 
HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: sealsecurechannel + data: 1 + type: dword when: - - rule_2_3_6_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.2 + - patch - name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: signsecurechannel - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: signsecurechannel + data: 1 + type: dword when: - - rule_2_3_6_3 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_3 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.3 + - patch - name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: disablepasswordchange - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: disablepasswordchange + data: 0 + type: dword when: - - rule_2_3_6_4 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_4 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.4 + - patch - name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer 
days but not 0" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: MaximumPasswordAge - data: 30 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: MaximumPasswordAge + data: 30 + type: dword when: - - rule_2_3_6_5 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_5 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.5 + - patch - name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: RequireStrongKey - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireStrongKey + data: 1 + type: dword when: - - rule_2_3_6_6 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_6 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.6 + - patch - name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DisableCAD - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableCAD + data: 0 + type: dword when: - - rule_2_3_7_1 + - rule_2_3_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.1 + - patch - name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" 
win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DontDisplayLastUserName - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DontDisplayLastUserName + data: 1 + type: dword when: - - rule_2_3_7_2 + - rule_2_3_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.2 + - patch - name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: InactivityTimeoutSecs - data: 900 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: InactivityTimeoutSecs + data: 900 + type: dword when: - - rule_2_3_7_3 + - rule_2_3_7_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.3 + - patch - name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: LegalNoticeText - data: "{{ legalnoticetext }}" - type: string + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeText + data: "{{ legalnoticetext }}" + type: string when: - - rule_2_3_7_4 + - rule_2_3_7_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.4 + - patch - name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: LegalNoticeCaption - data: "{{ legalnoticecaption }}" - type: string + path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeCaption + data: "{{ legalnoticecaption }}" + type: string when: - - rule_2_3_7_5 + - rule_2_3_7_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.5 + - patch - name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: cachedlogonscount - data: 1 - type: string + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: cachedlogonscount + data: 1 + type: string when: - - rule_2_3_7_6 + - rule_2_3_7_6 tags: - - level2-memberserver - - rule_2.3.7.6 - - patch + - level2-memberserver + - rule_2.3.7.6 + - patch - name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: PasswordExpiryWarning - data: 14 - type: dword + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: PasswordExpiryWarning + data: 14 + type: dword when: - - rule_2_3_7_7 + - rule_2_3_7_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.7 + - patch - name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ForceUnlockLogon - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ForceUnlockLogon + data: 1 + type: dword when: - - rule_2_3_7_8 - - ansible_windows_domain_role == "Member 
server" + - rule_2_3_7_8 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.7.8 - - patch + - level1-memberserver + - rule_2.3.7.8 + - patch - name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: scremoveoption - data: 1 - type: string + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: scremoveoption + data: 1 + type: string when: - - rule_2_3_7_9 + - rule_2_3_7_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.9 + - patch - name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: RequireSecuritySignature - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: RequireSecuritySignature + data: 1 + type: dword when: - - rule_2_3_8_1 + - rule_2_3_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.1 + - patch - name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: EnableSecuritySignature - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnableSecuritySignature + data: 1 + type: dword when: - - rule_2_3_8_2 + - rule_2_3_8_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.8.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.2 + - patch - 
name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: EnablePlainTextPassword - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnablePlainTextPassword + data: 0 + type: dword when: - - rule_2_3_8_3 + - rule_2_3_8_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.8.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.3 + - patch - name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: autodisconnect - data: 15 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: autodisconnect + data: 15 + type: dword when: - - rule_2_3_9_1 + - rule_2_3_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.1 + - patch - name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: requiresecuritysignature - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: requiresecuritysignature + data: 1 + type: dword when: - - rule_2_3_9_2 + - rule_2_3_9_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.2 + - patch - name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled" win_regedit: - path: 
HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enablesecuritysignature - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enablesecuritysignature + data: 1 + type: dword when: - - rule_2_3_9_3 + - rule_2_3_9_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.3 + - patch - name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enableforcedlogoff - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enableforcedlogoff + data: 1 + type: dword when: - - rule_2_3_9_4 + - rule_2_3_9_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.4 + - patch - name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: SMBServerNameHardeningLevel - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: SMBServerNameHardeningLevel + data: 1 + type: dword when: - - rule_2_3_9_5 - - ansible_windows_domain_role == "Member server" + - rule_2_3_9_5 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.9.5 - - patch + - level1-memberserver + - rule_2.3.9.5 + - patch - name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled" win_security_policy: - section: System Access - key: LSAAnonymousNameLookup - value: 0 + section: System Access + key: 
LSAAnonymousNameLookup + value: 0 when: - - rule_2_3_10_1 + - rule_2_3_10_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.1 + - patch - name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: RestrictAnonymousSAM - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymousSAM + data: 1 + type: dword when: - - rule_2_3_10_2 - - ansible_windows_domain_role == "Member server" + - rule_2_3_10_2 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.10.2 - - patch + - level1-memberserver + - rule_2.3.10.2 + - patch - name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: RestrictAnonymous - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymous + data: 1 + type: dword when: - - rule_2_3_10_3 - - ansible_windows_domain_role == "Member server" + - rule_2_3_10_3 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.10.3 - - patch + - level1-memberserver + - rule_2.3.10.3 + - patch - name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: DisableDomainCreds - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: DisableDomainCreds + data: 1 + type: dword when: - - rule_2_3_10_4 + - rule_2_3_10_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_2.3.10.4 - - patch + - 
level2-domaincontroller + - level2-memberserver + - rule_2.3.10.4 + - patch - name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: EveryoneIncludesAnonymous - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: EveryoneIncludesAnonymous + data: 0 + type: dword when: - - rule_2_3_10_5 + - rule_2_3_10_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.5 + - patch - name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionPipes - data: "" - type: multistring + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring when: - - rule_2_3_10_6 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_10_6 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.3.10.6 - - patch + - level1-domaincontroller + - rule_2.3.10.6 + - patch - name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionPipes - data: "" - type: multistring + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring when: - - rule_2_3_10_7 - - ansible_windows_domain_role == "Member server" + - rule_2_3_10_7 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.10.7 - - patch + - level1-memberserver + - rule_2.3.10.7 + - patch - name: "SCORED | 2.3.10.8 | PATCH | 
L1 Configure Network access Remotely accessible registry paths" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths - name: "Machine" - data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] - type: multistring + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] + type: multistring when: - - rule_2_3_10_8 + - rule_2_3_10_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.8 + - patch - name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths - name: "Machine" - data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] - type: multistring + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 
'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] + type: multistring when: - - rule_2_3_10_9 + - rule_2_3_10_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.9 + - patch - name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: RestrictNullSessAccess - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: RestrictNullSessAccess + data: 1 + type: dword when: - - rule_2_3_10_10 + - rule_2_3_10_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.10 + - patch - name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only" win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa - name: RestrictRemoteSAM - data: "O:BAG:BAD:(A;;RC;;;BA)" - type: string + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: RestrictRemoteSAM + data: "O:BAG:BAD:(A;;RC;;;BA)" + type: string when: - - rule_2_3_10_11 + - rule_2_3_10_11 tags: - - level1-memberserver - - rule_2.3.10.11 - - patch + - level1-memberserver + - rule_2.3.10.11 + - patch - name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that 
can be accessed anonymously is set to None" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionShares - data: "" - type: multistring + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionShares + data: "" + type: multistring when: - - rule_2_3_10_12 + - rule_2_3_10_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.12 + - patch - name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: ForceGuest - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: ForceGuest + data: 0 + type: dword when: - - rule_2_3_10_13 + - rule_2_3_10_13 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.13 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.13 + - patch - name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: UseMachineId - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: UseMachineId + data: 1 + type: dword when: - - rule_2_3_11_1 + - rule_2_3_11_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.1 + - patch - name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: allownullsessionfallback - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: 
allownullsessionfallback + data: 0 + type: dword when: - - rule_2_3_11_2 + - rule_2_3_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.2 + - patch - name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U - name: AllowOnlineID - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U + name: AllowOnlineID + data: 0 + type: dword when: - - rule_2_3_11_3 + - rule_2_3_11_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.3 + - patch - name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters - name: SupportedEncryptionTypes - data: 2147483640 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters + name: SupportedEncryptionTypes + data: 2147483640 + type: dword when: - - rule_2_3_11_4 + - rule_2_3_11_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.4 + - patch - name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: NoLMHash - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: NoLMHash + data: 1 + type: dword when: - - rule_2_3_11_5 + - rule_2_3_11_5 tags: - - level1-domaincontroller - - 
level1-memberserver - - rule_2.3.11.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.5 + - patch - name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled" win_regedit: - path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters - name: EnableForcedLogOff - data: 1 - type: dword + path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters + name: EnableForcedLogOff + data: 1 + type: dword when: - - rule_2_3_11_6 + - rule_2_3_11_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.6 + - patch - name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: LMCompatibilityLevel - data: 5 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LMCompatibilityLevel + data: 5 + type: dword when: - - rule_2_3_11_7 + - rule_2_3_11_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.7 + - patch - name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Ldap - name: LDAPClientIntegrity - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Ldap + name: LDAPClientIntegrity + data: 1 + type: dword when: - - rule_2_3_11_8 + - rule_2_3_11_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.8 + - patch - name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients 
is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinClientSec - data: 537395200 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinClientSec + data: 537395200 + type: dword when: - - rule_2_3_11_9 + - rule_2_3_11_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.9 + - patch - name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinServerSec - data: 537395200 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinServerSec + data: 537395200 + type: dword when: - - rule_2_3_11_10 + - rule_2_3_11_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.10 + - patch - name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ShutdownWithoutLogon - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ShutdownWithoutLogon + data: 0 + type: dword when: - - rule_2_3_13_1 + - rule_2_3_13_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.13.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.13.1 + - patch - name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session 
Manager\Kernel - name: ObCaseInsensitive - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel + name: ObCaseInsensitive + data: 1 + type: dword when: - - rule_2_3_15_1 + - rule_2_3_15_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.15.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.15.1 + - patch - name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: ProtectionMode - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: ProtectionMode + data: 1 + type: dword when: - - rule_2_3_15_2 + - rule_2_3_15_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.15.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.15.2 + - patch - name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: FilterAdministratorToken - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: FilterAdministratorToken + data: 1 + type: dword when: - - rule_2_3_17_1 + - rule_2_3_17_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.1 + - patch - name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorAdmin - data: 2 - type: dword + path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorAdmin + data: 2 + type: dword when: - - rule_2_3_17_2 + - rule_2_3_17_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.2 + - patch - name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorUser - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorUser + data: 0 + type: dword when: - - rule_2_3_17_3 + - rule_2_3_17_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.3 + - patch - name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableInstallerDetection - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableInstallerDetection + data: 1 + type: dword when: - - rule_2_3_17_4 + - rule_2_3_17_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.4 + - patch - name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableSecureUIAPaths - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: 
EnableSecureUIAPaths + data: 1 + type: dword when: - - rule_2_3_17_5 + - rule_2_3_17_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.5 + - patch - name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableLUA - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableLUA + data: 1 + type: dword when: - - rule_2_3_17_6 + - rule_2_3_17_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.6 + - patch - name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: PromptOnSecureDesktop - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: PromptOnSecureDesktop + data: 1 + type: dword when: - - rule_2_3_17_7 + - rule_2_3_17_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.7 + - patch - name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableVirtualization - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableVirtualization + data: 1 + type: dword when: - - rule_2_3_17_8 + - rule_2_3_17_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.8 - - patch - 
+ - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.8 + - patch From 1b36f47610bf29043d8c7694ed2a1e64cc30ed4e Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 16:40:14 -0400 Subject: [PATCH 12/24] Section 9 lint fixes Signed-off-by: George Nalen --- tasks/section09.yml | 458 ++++++++++++++++++++++---------------------- 1 file changed, 229 insertions(+), 229 deletions(-) diff --git a/tasks/section09.yml b/tasks/section09.yml index 4901180..c2bd4a2 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml 
@@ -1,362 +1,362 @@ --- - name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" win_firewall: - state: enabled - profile: Domain + state: enabled + profile: Domain when: - - rule_9_1_1 + - rule_9_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.1 + - patch - name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - name: DefaultInboundAction - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultInboundAction + data: 1 + type: dword when: - - rule_9_1_2 + - rule_9_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.2 + - patch - name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - name: DefaultOutboundAction - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultOutboundAction + data: 0 + type: dword when: - - rule_9_1_3 + - rule_9_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.3 + - patch - name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - name: DisableNotifications - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DisableNotifications + data: 1 + type: dword when: - - rule_9_1_4 + 
- rule_9_1_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.4 + - patch # title has slashes switched - name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogFilePath - data: '{{ domain_firewall_log_path }}' - type: string + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFilePath + data: '{{ domain_firewall_log_path }}' + type: string when: - - rule_9_1_5 + - rule_9_1_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.5 + - patch - name: "SCORED | 9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogFileSize - data: '{{ domain_firewall_log_size }}' - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFileSize + data: '{{ domain_firewall_log_size }}' + type: dword when: - - rule_9_1_6 + - rule_9_1_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.6 + - patch - name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogDroppedPackets - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword when: - - rule_9_1_7 + - rule_9_1_7 tags: - - level1-domaincontroller - - 
level1-memberserver - - rule_9.1.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.7 + - patch - name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogSuccessfulConnections - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword when: - - rule_9_1_8 + - rule_9_1_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.7 + - patch - name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" win_firewall: - state: enabled - profile: Private + state: enabled + profile: Private when: - - rule_9_2_1 + - rule_9_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.1 + - patch - name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - name: DefaultInboundAction - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultInboundAction + data: 1 + type: dword when: - - rule_9_2_2 + - rule_9_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.2 + - patch - name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - name: DefaultOutboundAction - data: 0 - type: dword + path: 
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultOutboundAction + data: 0 + type: dword when: - - rule_9_2_3 + - rule_9_2_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.3 + - patch - name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - name: DisableNotifications - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DisableNotifications + data: 1 + type: dword when: - - rule_9_2_4 + - rule_9_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.4 + - patch # title has slashes switched - name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogFilePath - data: '{{ private_firewall_log_path }}' - type: string + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFilePath + data: '{{ private_firewall_log_path }}' + type: string when: - - rule_9_2_5 + - rule_9_2_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.5 + - patch - name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogFileSize - data: '{{ private_firewall_log_size }}' - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + 
name: LogFileSize + data: '{{ private_firewall_log_size }}' + type: dword when: - - rule_9_2_6 + - rule_9_2_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.6 + - patch - name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogDroppedPackets - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword when: - - rule_9_2_7 + - rule_9_2_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.7 + - patch - name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogSuccessfulConnections - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword when: - - rule_9_2_8 + - rule_9_2_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.8 + - patch - name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" win_firewall: - state: enabled - profile: Public + state: enabled + profile: Public when: - - rule_9_3_1 + - rule_9_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.1 + - patch - name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" 
win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: DefaultInboundAction - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultInboundAction + data: 1 + type: dword when: - - rule_9_3_2 + - rule_9_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.2 + - patch - name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: DefaultOutboundAction - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultOutboundAction + data: 0 + type: dword when: - - rule_9_3_3 + - rule_9_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.3 + - patch - name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: DisableNotifications - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DisableNotifications + data: 1 + type: dword when: - - rule_9_3_4 + - rule_9_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.4 + - patch - name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: AllowLocalPolicyMerge - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalPolicyMerge + 
data: 0 + type: dword when: - - rule_9_3_5 - - not win_skip_for_test + - rule_9_3_5 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.5 + - patch - name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: AllowLocalIPsecPolicyMerge - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalIPsecPolicyMerge + data: 0 + type: dword when: - - rule_9_3_6 + - rule_9_3_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.6 + - patch # title has slashes switched - name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogFilePath - data: '{{ public_firewall_log_path }}' - type: string + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFilePath + data: '{{ public_firewall_log_path }}' + type: string when: - - rule_9_3_7 + - rule_9_3_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.7 + - patch - name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogFileSize - data: '{{ public_firewall_log_size }}' - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFileSize + data: '{{ 
public_firewall_log_size }}' + type: dword when: - - rule_9_3_8 + - rule_9_3_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.8 + - patch - name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogDroppedPackets - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword when: - - rule_9_3_9 + - rule_9_3_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.9 + - patch - name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogSuccessfulConnections - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword when: - - rule_9_3_10 + - rule_9_3_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.10 - - patch \ No newline at end of file + - level1-domaincontroller + - level1-memberserver + - rule_9.3.10 + - patch From b1b203208eb4ffbb11a8befaae48e2ff8419e6a3 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Mon, 28 Jun 2021 16:47:04 -0400 Subject: [PATCH 13/24] Section 17 lint fixes Signed-off-by: George Nalen --- tasks/section17.yml | 343 ++++++++++++++++++++++---------------------- 1 file changed, 173 insertions(+), 170 deletions(-) diff --git a/tasks/section17.yml b/tasks/section17.yml index f4c0695..685c64e 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
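Review bot: The task for rule 9.1.8 still carries the tag `rule_9.1.7` on the new side (the tags list under `- name: "SCORED | 9.1.8 | PATCH | ..."` lists `level1-domaincontroller`, `level1-memberserver`, `rule_9.1.7`, `patch`), so selecting `--tags rule_9.1.8` would not run it and `--tags rule_9.1.7` would run both 9.1.7 and 9.1.8; that line should read `- rule_9.1.8`. The same copy-paste slip appears in the section17 patch below, where the tags of rule 17.1.3 list `rule_17.1.2`. Since this commit already rewrites every tag line of the file, correcting the value while re-indenting keeps the per-rule tags usable for selective and audit runs.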
@@ -17,13 +17,13 @@ when: "'Failure' not in rule_17_1_1_audit.stdout" changed_when: "'Failure' not in rule_17_1_1_audit.stdout" when: - - rule_17_1_1 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_1_1 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.1.1 + - patch - name: "SCORED | 17.1.2 | PATCH | L1 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' DC Only" block: @@ -41,12 +41,12 @@ win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /failure:enable when: "'Failure' not in rule_17_1_2_audit.stdout" when: - - rule_17_1_2 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_1_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.1.2 - - patch + - level1-domaincontroller + - rule_17.1.2 + - patch - name: "SCORED | 17.1.3 | PATCH | L1 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'" block: @@ -64,12 +64,12 @@ win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable when: "'Failure' not in rule_17_1_3_audit.stdout" when: - - rule_17_1_3 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_1_3 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.1.2 - - patch + - level1-domaincontroller + - rule_17.1.2 + - patch - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure" block: 
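Review bot: The third hunk on this line (`@@ -64,12 +64,12 @@`), the tag list for rule 17.1.3, re-adds `- rule_17.1.2`, so the task cannot be selected with `--tags rule_17.1.3` and runs as a second task whenever `rule_17.1.2` is selected; the new line should read `- rule_17.1.3`. Since the lint commit rewrites exactly these lines, this is the natural place to correct the copy-paste. The 17.1.3 block's audit task starts outside the hunk.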
@@ -87,13 +87,13 @@ win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable when: "'Failure' not in rule_17_2_1_audit.stdout" when: - - rule_17_2_1 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_1 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.2.1 + - patch - name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to include Success DC only" block: @@ -108,12 +108,12 @@ changed_when: "'Success' not in rule_17_2_2_audit.stdout" when: "'Success' not in rule_17_2_2_audit.stdout" when: - - rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.2.2 - - patch + - level1-domaincontroller + - rule_17.2.2 + - patch - name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to include Success DC only" block: @@ -127,12 +127,12 @@ win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable when: "'Success' not in rule_17_2_3_audit.stdout" when: - - rule_17_2_3 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_3 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.2.3 - - patch + - level1-domaincontroller + - rule_17.2.3 + - patch - name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to include Success DC only" block: 
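Review bot: In the first hunk on this line (`@@ -87,13 +87,13 @@`), the task named "Audit Application Group Management" (17.2.1) remediates with `/subcategory:"Security Group Management"`, which is the subcategory 17.2.5 already configures, so on the new side the Application Group Management subcategory is never enabled while the play reports the rule as applied. The remediation line should read `win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable`, and the audit and success tasks at the top of the block (outside the hunk) presumably carry the same subcategory and need the same check. Separately, the block's `when:` requires `ansible_windows_domain_role == "Primary domain controller"` while its tags include `level1-memberserver`, so member servers are tagged for a task they always skip; either the domain-role condition or the member-server tag looks wrong, and the task name lacks the "DC only" suffix its DC-only siblings carry.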
@@ -146,12 +146,12 @@ win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable when: "'Success' not in rule_17_2_4_audit.stdout" when: - - rule_17_2_4 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_4 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.2.4 - - patch + - level1-domaincontroller + - rule_17.2.4 + - patch - name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to include Success" block: @@ -165,12 +165,12 @@ win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable when: "'Success' not in rule_17_2_5_audit.stdout" when: - - rule_17_2_5 + - rule_17_2_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.2.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.2.5 + - patch - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure" block: @@ -188,12 +188,12 @@ win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable when: "'Failure' not in rule_17_2_6_audit.stdout" when: - - rule_17_2_6 + - rule_17_2_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.2.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.2.6 + - patch - name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to include Success" block: @@ -207,12 +207,12 @@ win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable when: "'Success' not in rule_17_3_1_audit.stdout" when: - - rule_17_3_1 + - rule_17_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.3.1 + - patch - name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to include Success" block: 
@@ -226,12 +226,12 @@ win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable when: "'Success' not in rule_17_3_2_audit.stdout" when: - - rule_17_3_2 + - rule_17_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.3.2 + - patch - name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to include Failure DC only" block: @@ -245,11 +245,11 @@ win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable when: "'Success' not in rule_17_4_1_audit.stdout" when: - - rule_17_4_1 + - rule_17_4_1 tags: - - level1-domaincontroller - - rule_17.4.1 - - patch + - level1-domaincontroller + - rule_17.4.1 + - patch - name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to include Success DC only" block: @@ -263,11 +263,11 @@ win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable when: "'Success' not in rule_17_4_2_audit.stdout" when: - - rule_17_4_2 + - rule_17_4_2 tags: - - level1-domaincontroller - - rule_17.4.2 - - patch + - level1-domaincontroller + - rule_17.4.2 + - patch - name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to include Failure" block: @@ -281,12 +281,12 @@ win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable when: "'Failure' not in rule_17_5_1_audit.stdout" when: - - rule_17_5_1 + - rule_17_5_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.1 + - patch - name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to include Success" block: 
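Review bot: The second hunk on this line (`@@ -245,11 +245,11 @@`) keeps a remediation for 17.4.1 that enables Success auditing (`/success:enable`, guarded by `'Success' not in rule_17_4_1_audit.stdout`) while the task name says "include Failure"; what the name describes is `win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable` with `when: "'Failure' not in rule_17_4_1_audit.stdout"`. The same name/command mismatch appears later in this commit for 17.7.5 (`@@ -549,12 +552,12 @@`, "Other Policy Change Events is set to include Failure" remediated with `/success:enable`). In both cases the audit setting the rule exists for can stay unconfigured while the run succeeds, so the benchmark text should decide which side of the pair is wrong before either is changed. Both blocks begin outside their hunks.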
@@ -300,17 +300,17 @@ win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable when: "'Success' not in rule_17_5_2_audit.stdout" when: - - rule_17_5_2 + - rule_17_5_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.2 + - patch - name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success" block: - name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to include Success" - win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" changed_when: false failed_when: false register: rule_17_5_3_audit @@ -319,12 +319,12 @@ win_shell: AuditPol /set /subcategory:"Logoff" /success:enable when: "'Success' not in rule_17_5_3_audit.stdout" when: - - rule_17_5_3 + - rule_17_5_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.3 + - patch - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure" block: @@ -342,12 +342,12 @@ win_shell: AuditPol /set /subcategory:"Logon" /failure:enable when: "'Failure' not in rule_17_5_4_audit.stdout" when: - - rule_17_5_4 + - rule_17_5_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.4 + - patch - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure" block: 
@@ -365,12 +365,12 @@ win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable when: "'Failure' not in rule_17_5_5_audit.stdout" when: - - rule_17_5_5 + - rule_17_5_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.5 + - patch - name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to include Success" block: @@ -384,12 +384,12 @@ win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable when: "'Success' not in rule_17_5_6_audit.stdout" when: - - rule_17_5_6 + - rule_17_5_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.6 + - patch - name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Detailed File Share is set to include Failure" block: @@ -403,12 +403,12 @@ win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable when: "'Failure' not in rule_17_6_1_audit.stdout" when: - - rule_17_6_1 + - rule_17_6_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.6.1 + - patch - name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure" block: 
@@ -421,22 +421,25 @@ - name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit File Share is set to Success and Failure" win_shell: AuditPol /set /subcategory:"File Share" /failure:enable when: "'Failure' not in rule_17_6_2_audit.stdout" + when: + - rule_17_6_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.6.2 + - patch - name: "SCORED | 17.6.3 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure" win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure - when: rule_17_6_3 + when: + - rule_17_6_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.6.3 + - patch - name: "SCORED | 17.6.4 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" block: @@ -450,12 +453,12 @@ win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable when: "'Success' not in rule_17_6_4_audit.stdout" when: - - rule_17_6_4 + - rule_17_6_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.6.4 + - patch - name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to include Success" block: @@ -469,12 +472,12 @@ win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable when: "'Success' not in rule_17_7_1_audit.stdout" when: - - rule_17_7_1 + - rule_17_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.1 + - patch - name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to include Success" block: 
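Review bot: Rule 17.6.3 in this hunk is the only task in the file that declares its audit policy with `win_audit_policy_system` (`audit_type: success, failure`); the 17.6.2 block above it, like the rest of the section, uses a `win_shell` AuditPol read followed by conditional AuditPol writes with hand-written `changed_when` and `when` string matches on `stdout`. The module form states the desired end state in one task and reports changes itself, so converting the remaining blocks to it, or adding a comment on 17.6.3 explaining why it differs, would make the section consistent and remove the dependence on the exact wording of the AuditPol output. The 17.6.2 block's audit task starts outside the hunk.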
@@ -488,12 +491,12 @@ win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable when: "'Success' not in rule_17_7_2_audit.stdout" when: - - rule_17_7_2 + - rule_17_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.2 + - patch - name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to include Success" block: @@ -507,12 +510,12 @@ win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable when: "'Success' not in rule_17_7_3_audit.stdout" when: - - rule_17_7_3 + - rule_17_7_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.3 + - patch - name: "SCORED | 17.7.4 | PATCH | L1 Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure" block: @@ -530,12 +533,12 @@ win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable when: "'Failure' not in rule_17_7_4_audit.stdout" when: - - rule_17_7_4 + - rule_17_7_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.4 + - patch - name: "SCORED | 17.7.5 | PATCH | L1 Ensure Audit Other Policy Change Events is set to include Failure" block: @@ -549,12 +552,12 @@ win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable when: "'Success' not in rule_17_7_5_audit.stdout" when: - - rule_17_7_5 + - rule_17_7_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.5 + - patch - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" block: 
@@ -572,12 +575,12 @@ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable when: "'Failure' not in rule_17_8_1_audit.stdout" when: - - rule_17_8_1 + - rule_17_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.8.1 + - patch - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" block: @@ -595,12 +598,12 @@ win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable when: "'Failure' not in rule_17_9_1_audit.stdout" when: - - rule_17_9_1 + - rule_17_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.1 + - patch - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" block: @@ -618,12 +621,12 @@ win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable when: "'Failure' not in rule_17_9_2_audit.stdout" when: - - rule_17_9_2 + - rule_17_9_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.2 + - patch - name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to include Success" block: @@ -637,12 +640,12 @@ win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable when: "'Success' not in rule_17_9_3_audit.stdout" when: - - rule_17_9_3 + - rule_17_9_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.3 + - patch - name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to include Success" block: 
@@ -656,12 +659,12 @@ win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable when: "'Success' not in rule_17_9_4_audit.stdout" when: - - rule_17_9_4 + - rule_17_9_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.4 + - patch - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure" block: @@ -681,9 +684,9 @@ changed_when: "'Failure' not in rule_17_9_5_audit.stdout" when: "'Failure' not in rule_17_9_5_audit.stdout" when: - - rule_17_9_5 + - rule_17_9_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.5 + - patch From 3734f8663d52549c62d1eb12fae25b8e8bc27ed4 Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 29 Jun 2021 08:06:06 -0400 Subject: [PATCH 14/24] Section 19 lint fixes Signed-off-by: George Nalen --- tasks/section19.yml | 510 ++++++++++++++++++++++---------------------- 1 file changed, 255 insertions(+), 255 deletions(-) diff --git a/tasks/section19.yml b/tasks/section19.yml index 1869611..b5db2dc 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml 
@@ -1,345 +1,345 @@ --- - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" block: - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string - - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string when: - - rule_19_1_3_1 + - rule_19_1_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.1 + - patch - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" block: - - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr - type: string + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: scrnsave.scr + type: string - - name: "SCORED | 19.1.3.2 | 
PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr - type: string + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: scrnsave.scr + type: string when: - - rule_19_1_3_2 + - rule_19_1_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.2 + - patch - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" block: - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string - - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string when: - - rule_19_1_3_3 + - rule_19_1_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.3 - - patch + - level1-domaincontroller + - 
level1-memberserver + - rule_19.1.3.3 + - patch - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" block: - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string - - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string when: - - rule_19_1_3_4 + - rule_19_1_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.4 + - patch - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" block: - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + win_regedit: + path: 
HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword - - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword when: - - rule_19_5_1_1 + - rule_19_5_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.5.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.5.1.1 + - patch - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" block: - - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword - - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + - name: "SCORED | 19.6.6.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + win_regedit: + path: 
HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword when: - - rule_19_6_6_1_1 + - rule_19_6_6_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.6.6.1.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.6.6.1.1 + - patch - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" block: - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword - - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 2 - type: dword + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword when: - - rule_19_7_4_1 + - rule_19_7_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.4.1 + - patch - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" block: - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" - win_regedit: - 
path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword - - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword when: - - rule_19_7_4_2 + - rule_19_7_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.4.2 + - patch - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" block: - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword - - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - 
type: dword + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword when: - - rule_19_7_7_1 + - rule_19_7_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.1 + - patch - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" block: - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword - - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword when: - - rule_19_7_7_2 + - rule_19_7_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.2 + - patch - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" block: - 
- name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword - - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword when: - - rule_19_7_7_3 + - rule_19_7_7_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.7.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.7.3 + - patch - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" block: - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword - - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure 
Turn off all Windows spotlight features is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword when: - - rule_19_7_7_4 + - rule_19_7_7_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.7.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.7.4 + - patch - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" block: - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword - - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. 
is set to Enabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword when: - - rule_19_7_26_1 + - rule_19_7_26_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.26.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.26.1 + - patch - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" block: - - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword - - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + - name: "SCORED | 19.7.41.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword when: - - rule_19_7_41_1 + - rule_19_7_41_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.41.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.41.1 + - patch - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" block: - - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + 
- name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword - - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + - name: "SCORED | 19.7.45.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword when: - - rule_19_7_45_2_1 + - rule_19_7_45_2_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.45.2.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.45.2.1 + - patch From 3f3f1abf967c267611042328a2bc315119a6448f Mon Sep 17 00:00:00 2001 From: George Nalen Date: Tue, 29 Jun 2021 11:46:20 -0400 Subject: [PATCH 15/24] Section 18 lint fixes Signed-off-by: George Nalen --- tasks/section18.yml | 3514 ++++++++++++++++++++++--------------------- 1 file changed, 1759 insertions(+), 1755 deletions(-) diff --git a/tasks/section18.yml b/tasks/section18.yml index 1d81c61..918a000 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
@@ -1,31 +1,31 @@ --- - name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenCamera - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenCamera + data: 1 + type: dword when: - - rule_18_1_1_1 + - rule_18_1_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.1.1.1 + - patch - name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenSlideshow - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenSlideshow + data: 1 + type: dword when: - - rule_18_1_1_2 + - rule_18_1_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.1.1.2 + - patch - name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow users to enable online speech recognition services is set to Disabled" win_regedit: @@ -34,12 +34,12 @@ data: "0" type: dword when: - - rule_18_1_2_2 + - rule_18_1_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.1.2.2 + - patch - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" block: 
@@ -52,13 +52,13 @@ - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" command: "echo true" when: - - is_implemented - - rule_18_1_3 + - is_implemented + - rule_18_1_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.1.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.1.3 + - patch - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" block: @@ -71,13 +71,13 @@ - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" command: "echo true" when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.1 - - patch + - level1-memberserver + - rule_18.2.1 + - patch - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" block: @@ -90,13 +90,13 @@ - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" command: "echo true" when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.2 - - patch + - level1-memberserver + - rule_18.2.2 + - patch - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" block: 
@@ -109,13 +109,13 @@ - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" command: "echo true" when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_3 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.3 - - patch + - level1-memberserver + - rule_18.2.3 + - patch - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" block: @@ -128,13 +128,13 @@ - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" command: "echo true" when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_4 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.4 - - patch + - level1-memberserver + - rule_18.2.4 + - patch - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" block: @@ -147,13 +147,13 @@ - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" command: "echo true" when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_5 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.5 - - patch + - level1-memberserver + - rule_18.2.5 + - patch - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" block: 
@@ -166,13 +166,13 @@ - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" command: "echo true" when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_6 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.6 - - patch + - level1-memberserver + - rule_18.2.6 + - patch - name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" win_regedit: @@ -181,12 +181,12 @@ data: 0 type: dword when: - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_3_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.3.1 - - patch + - level1-memberserver + - rule_18.3.1 + - patch - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" block: @@ -199,13 +199,13 @@ - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended" command: "echo true" when: - - is_implemented - - rule_18_3_2 + - is_implemented + - rule_18_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.2 + - patch - name: "SCORED | 18.3.3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" win_regedit: @@ -216,12 +216,12 @@ state: present notify: reboot_windows when: - - rule_18_3_3 + - rule_18_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.3 + - patch - name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" win_regedit: 
@@ -231,12 +231,12 @@ type: dword state: present when: - - rule_18_3_4 + - rule_18_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.4 + - patch - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" block: @@ -249,13 +249,13 @@ - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only" command: "echo true" when: - - is_implemented - - rule_18_3_5 - - ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_3_5 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_18.3.5 - - patch + - level1-domaincontroller + - rule_18.3.5 + - patch - name: "SCORED | 18.3.6 | PATCH | L1 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'" win_regedit: @@ -265,12 +265,12 @@ data: "{{ netbt_nodetype }}" datatype: dword when: - - rule_18_3_6 + - rule_18_3_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 + - patch - name: "SCORED | 18.3.7 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" win_regedit: @@ -280,12 +280,12 @@ data: 0 datatype: dword when: - - rule_18_3_7 + - rule_18_3_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.7 + - patch - name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" 
@@ -296,12 +296,12 @@ data: 0 datatype: string when: - - rule_18_4_1 + - rule_18_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.1 + - patch - name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: @@ -311,12 +311,12 @@ data: 2 datatype: dword when: - - rule_18_4_2 + - rule_18_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.2 + - patch - name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" win_regedit: @@ -326,12 +326,12 @@ data: 2 datatype: dword when: - - rule_18_4_3 + - rule_18_4_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.3 + - patch - name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" win_regedit: 
@@ -341,858 +341,862 @@ data: 0 datatype: dword when: - - rule_18_4_4 + - rule_18_4_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.4 + - patch - name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: KeepAliveTime - data: 300000 - datatype: dword + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: KeepAliveTime + data: 300000 + datatype: dword when: - - rule_18_4_5 + - rule_18_4_5 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.5 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.5 + - patch - name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters - state: present - name: NoNameReleaseOnDemand - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters + state: present + name: NoNameReleaseOnDemand + data: 1 + type: dword when: - - rule_18_4_6 + - rule_18_4_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.6 + - patch - name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - state: present - name: PerformRouterDiscovery - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + state: present + name: PerformRouterDiscovery + 
data: 0 + type: dword when: - - rule_18_4_7 + - rule_18_4_7 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.7 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.7 + - patch - name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: SafeDllSearchMode - data: 1 - type: dword - state: present + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: SafeDllSearchMode + data: 1 + type: dword + state: present when: - - rule_18_4_8 + - rule_18_4_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.8 + - patch - name: "SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ScreenSaverGracePeriod - data: 5 - type: string - state: present + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ScreenSaverGracePeriod + data: 5 + type: string + state: present when: - - rule_18_4_9 + - rule_18_4_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.9 + - patch - name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword when: - - rule_18_4_10 + - rule_18_4_10 tags: - - level2-domaincontroller - - 
level2-memberserver - - rule_18.4.10 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.10 + - patch - name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword when: - - rule_18_4_11 + - rule_18_4_11 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.11 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.11 + - patch - name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security - name: WarningLevel - data: 90 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security + name: WarningLevel + data: 90 + type: dword when: - - rule_18_4_12 + - rule_18_4_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.12 + - patch - name: "SCORED | 18.5.4.1 | PATCH | L1 Ensure Turn off multicast name resolution is set to Enabled MS Only" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient - name: EnableMulticast - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient + name: EnableMulticast + data: 0 + type: dword when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_5_4_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.4.1 - - patch + - level2-domaincontroller + 
- level2-memberserver + - rule_18.5.4.1 + - patch - name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableFontProviders - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableFontProviders + data: 0 + type: dword when: - - rule_18_5_5_1 + - rule_18_5_5_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.5.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.5.1 + - patch - name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation - name: AllowInsecureGuestAuth - data: 0 - type: dword - when: rule_18_5_8_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation + name: AllowInsecureGuestAuth + data: 0 + type: dword + when: + - rule_18_5_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.8.1 + - patch - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" block: - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOndomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableLLTDIO - data: 0 - type: dword - - - name: 
"SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitLLTDIOOnPrivateNet - data: 0 - type: dword - when: - - rule_18_5_9_1 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.9.1 - - patch + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOndomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableLLTDIO + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitLLTDIOOnPrivateNet + data: 0 + type: dword + when: + - rule_18_5_9_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.9.1 + - patch - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" block: - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnDomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableRspndr - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitRspndrOnPrivateNet - data: 0 - type: dword - when: - - rule_18_5_9_2 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.9.2 - - patch + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnDomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableRspndr + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitRspndrOnPrivateNet + data: 0 + type: dword + when: + - rule_18_5_9_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.9.2 + - patch - name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Peernet - 
name: Disabled - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Peernet + name: Disabled + data: 1 + type: dword when: - - rule_18_5_10_2 + - rule_18_5_10_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.10.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.10.2 + - patch - name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_AllowNetBridge_NLA - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_AllowNetBridge_NLA + data: 0 + type: dword when: - - rule_18_5_11_2 + - rule_18_5_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.2 + - patch - name: "SCORED | 18.5.11.3 | PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections - name: NC_ShowSharedAccessUI - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections + name: NC_ShowSharedAccessUI + data: 0 + type: dword when: - - rule_18_5_11_3 + - rule_18_5_11_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.3 + - patch - name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_StdDomainUserSetLocation - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_StdDomainUserSetLocation + data: 1 + type: dword when: - - 
rule_18_5_11_4
+ - rule_18_5_11_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.5.11.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.5.11.4
+ - patch
 - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares"
 block:
- - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
- name: "\\\\*\\NETLOGON"
- data: "RequireMutualAuthentication=1, RequireIntegrity=1"
- type: string
- - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
- name: "\\\\*\\SYSVOL"
- data: "RequireMutualAuthentication=1, RequireIntegrity=1"
- type: string
- when:
- - rule_18_5_14_1
- tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.5.14.1
- - patch
+ - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
+ name: "\\\\*\\NETLOGON"
+ data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+ type: string
+
+ - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
+ name: "\\\\*\\SYSVOL"
+ data: "RequireMutualAuthentication=1, RequireIntegrity=1"
+ type: string
+ when:
+ - rule_18_5_14_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.5.14.1
+ - patch
 - name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
 win_regedit:
- path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters
- name: DisabledComponents
- data: 255
- type: dword
+ path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters
+ name: DisabledComponents
+ data: 255
+ type: dword
 when:
- - rule_18_5_19_2_1
+ - rule_18_5_19_2_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.5.19.2.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.5.19.2.1
+ - patch
 - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled"
 block:
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
- name: EnableRegistrars
- data: 0
- type: dword
-
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
- name: DisableUPnPRegistrar
- data: 0
- type: dword
-
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
- name: DisableInBand802DOT11Registrar
- data: 0
- type: dword
-
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
- name: DisableFlashConfigRegistrar
- data: 0
- type: dword
-
- - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
- name: DisableWPDRegistrar
- data: 0
- type: dword
- when:
- - rule_18_5_20_1
- tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.5.20.1
- - patch
+ - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ name: EnableRegistrars
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ name: DisableUPnPRegistrar
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ name: DisableInBand802DOT11Registrar
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ name: DisableFlashConfigRegistrar
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
+ name: DisableWPDRegistrar
+ data: 0
+ type: dword
+ when:
+ - rule_18_5_20_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.5.20.1
+ - patch
 - name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui
- name: DisableWcnUi
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui
+ name: DisableWcnUi
+ data: 1
+ type: dword
 when:
- - rule_18_5_20_2
+ - rule_18_5_20_2
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.5.20.2
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.5.20.2
+ - patch
 - name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
- name: fMinimizeConnections
- data: 3
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
+ name: fMinimizeConnections
+ data: 3
+ type: dword
 when:
- - rule_18_5_21_1
+ - rule_18_5_21_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.5.21.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.5.21.1
+ - patch
 - name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
- name: fBlockNonDomain
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
+ name: fBlockNonDomain
+ data: 1
+ type: dword
 when:
- - rule_18_5_21_2
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_5_21_2
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level2-memberserver
- - rule_18.5.21.2
- - patch
+ - level2-memberserver
+ - rule_18.5.21.2
+ - patch
 - name: "SCORED | 18.7.1.1 | PATCH | L2 Ensure Turn off notifications network usage is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
- name: NoCloudApplicationNotification
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
+ name: NoCloudApplicationNotification
+ data: 1
+ type: dword
 when:
- - rule_18_7_1_1
+ - rule_18_7_1_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.7.1.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.7.1.1
+ - patch
 - name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit
- name: ProcessCreationIncludeCmdLine_Enabled
- data: 0
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit
+ name: ProcessCreationIncludeCmdLine_Enabled
+ data: 0
+ type: dword
 when:
- - rule_18_8_3_1
+ - rule_18_8_3_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.3.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.3.1
+ - patch
 - name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Encryption Oracle Remediation is set to Enabled Force Updated Clients"
 win_regedit:
- path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
- name: AllowEncryptionOracle
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
+ name: AllowEncryptionOracle
+ data: 0
+ type: dword
 when:
- - rule_18_8_4_1
+ - rule_18_8_4_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.4.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.4.1
+ - patch
 - name: "SCORED | 18.8.4.2 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
- name: AllowProtectedCreds
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
+ name: AllowProtectedCreds
+ data: 1
+ type: dword
 when:
- - rule_18_8_4_2
+ - rule_18_8_4_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.4.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.4.2
+ - patch
 - name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
- name: EnableVirtualizationBasedSecurity
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: EnableVirtualizationBasedSecurity
+ data: 1
+ type: dword
 when:
- - rule_18_8_5_1
+ - rule_18_8_5_1
 tags:
- - ngws-domaincontroller
- - ngws-memberserver
- - rule_18.8.5.1
- - patch
+ - ngws-domaincontroller
+ - ngws-memberserver
+ - rule_18.8.5.1
+ - patch
 - name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
- name: RequirePlatformSecurityFeatures
- data: 3
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: RequirePlatformSecurityFeatures
+ data: 3
+ type: dword
 when:
- - rule_18_8_5_2
+ - rule_18_8_5_2
 tags:
- - ngws-domaincontroller
- - ngws-memberserver
- - rule_18.8.5.2
- - patch
+ - ngws-domaincontroller
+ - ngws-memberserver
+ - rule_18.8.5.2
+ - patch
 - name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
- name: HypervisorEnforcedCodeIntegrity
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: HypervisorEnforcedCodeIntegrity
+ data: 1
+ type: dword
 when:
- - rule_18_8_5_3
+ - rule_18_8_5_3
 tags:
- - ngws-domaincontroller
- - ngws-memberserver
- - rule_18.8.5.3
- - patch
+ - ngws-domaincontroller
+ - ngws-memberserver
+ - rule_18.8.5.3
+ - patch
 - name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
- name: HVCIMATRequired
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: HVCIMATRequired
+ data: 1
+ type: dword
 when:
- - rule_18_8_5_4
+ - rule_18_8_5_4
 tags:
- - ngws-domaincontroller
- - ngws-memberserver
- - rule_18.8.5.4
- - patch
+ - ngws-domaincontroller
+ - ngws-memberserver
+ - rule_18.8.5.4
+ - patch
 - name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
- name: LsaCfgFlags
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: LsaCfgFlags
+ data: 1
+ type: dword
 when:
- - rule_18_8_5_5
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_8_5_5
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - ngws-memberserver
- - rule_18.8.5.5
- - patch
+ - ngws-memberserver
+ - rule_18.8.5.5
+ - patch
 - name: "SCORED | 18.8.5.6 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Disabled DC Only"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
- name: LsaCfgFlags
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: LsaCfgFlags
+ data: 0
+ type: dword
 when:
- - rule_18_8_5_6
- - ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_8_5_6
+ - ansible_windows_domain_role == "Primary domain controller"
 tags:
- - ngws-domaincontroller
- - rule_18.8.5.6
- - patch
+ - ngws-domaincontroller
+ - rule_18.8.5.6
+ - patch
 - name: "SCORED | 18.8.5.7 | PATCH | NG Ensure Turn On Virtualization Based Security Secure Launch Configuration is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
- name: ConfigureSystemGuardLaunch
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
+ name: ConfigureSystemGuardLaunch
+ data: 1
+ type: dword
 when:
- - rule_18_8_5_7
+ - rule_18_8_5_7
 tags:
- - ngws-domaincontroller
- - ngws-memberserver
- - rule_18.8.5.7
- - patch
+ - ngws-domaincontroller
+ - ngws-memberserver
+ - rule_18.8.5.7
+ - patch
 - name: "SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical"
 win_regedit:
- path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
- name: DriverLoadPolicy
- data: 3
- type: dword
+ path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
+ name: DriverLoadPolicy
+ data: 3
+ type: dword
 when:
- - rule_18_8_14_1
+ - rule_18_8_14_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.14.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.14.1
+ - patch
 - name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
- name: NoBackgroundPolicy
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+ name: NoBackgroundPolicy
+ data: 0
+ type: dword
 when:
- - rule_18_8_21_2
+ - rule_18_8_21_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.21.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.2
+ - patch
 - name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
- name: NoGPOListChanges
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
+ name: NoGPOListChanges
+ data: 0
+ type: dword
 when:
- - rule_18_8_21_3
+ - rule_18_8_21_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.21.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.3
+ - patch
 - name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
- name: EnableCdp
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
+ name: EnableCdp
+ data: 0
+ type: dword
 when:
- - rule_18_8_21_4
+ - rule_18_8_21_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.21.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.4
+ - patch
 - name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
- state: absent
- delete_key: yes
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy
+ state: absent
+ delete_key: yes
 when:
- - rule_18_8_21_5
+ - rule_18_8_21_5
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.21.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.21.5
+ - patch
 - name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
- name: DisableWebPnPDownload
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+ name: DisableWebPnPDownload
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_1
+ - rule_18_8_22_1_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.22.1.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.22.1.1
+ - patch
 - name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc
- name: PreventHandwritingDataSharing
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc
+ name: PreventHandwritingDataSharing
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_2
+ - rule_18_8_22_1_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.22.1.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.22.1.2
+ - patch
 - name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports
- name: PreventHandwritingErrorReports
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports
+ name: PreventHandwritingErrorReports
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_3
+ - rule_18_8_22_1_3
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.3
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.3
+ - patch
 - name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard
- name: ExitOnMSICW
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard
+ name: ExitOnMSICW
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_4
+ - rule_18_8_22_1_4
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.4
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.4
+ - patch
 - name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoWebServices
- data: 1
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoWebServices
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_5
+ - rule_18_8_22_1_5
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.22.1.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.22.1.5
+ - patch
 - name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
- name: DisableHTTPPrinting
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers
+ name: DisableHTTPPrinting
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_6
+ - rule_18_8_22_1_6
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.6
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.6
+ - patch
 - name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
- name: NoRegistration
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
+ name: NoRegistration
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_7
+ - rule_18_8_22_1_7
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.7
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.7
+ - patch
 - name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Searchcompanion
- name: DisableContentFileUpdates
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Searchcompanion
+ name: DisableContentFileUpdates
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_8
+ - rule_18_8_22_1_8
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.8
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.8
+ - patch
 - name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoOnlinePrintsWizard
- data: 1
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoOnlinePrintsWizard
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_9
+ - rule_18_8_22_1_9
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.9
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.9
+ - patch
 - name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoPublishingWizard
- data: 1
- type: dword
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoPublishingWizard
+ data: 1
+ type: dword
 when:
- - rule_18_8_22_1_10
+ - rule_18_8_22_1_10
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.10
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.10
+ - patch
 - name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Messenger\Client
- name: CEIP
- data: 2
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Messenger\Client
+ name: CEIP
+ data: 2
+ type: dword
 when:
- - rule_18_8_22_1_11
+ - rule_18_8_22_1_11
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.11
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.11
+ - patch
 - name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
- name: CEIPEnable
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
+ name: CEIPEnable
+ data: 0
+ type: dword
 when:
- - rule_18_8_22_1_12
+ - rule_18_8_22_1_12
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.12
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.12
+ - patch
 - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled"
 block:
- - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
- win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
- name: Disabled
- data: 1
- type: dword
- - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting"
- win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
- name: DoReport
- data: 0
- type: dword
- when:
- - rule_18_8_22_1_13
- tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.22.1.13
- - patch
+ - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
+ name: Disabled
+ data: 1
+ type: dword
+
+ - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
+ name: DoReport
+ data: 0
+ type: dword
+ when:
+ - rule_18_8_22_1_13
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.22.1.13
+ - patch
 - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic"
 block:
- - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
- name: DevicePKInitBehavior
- data: 0
- type: dword
- - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
- win_regedit:
- path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
- name: DevicePKInitEnabled
- data: 1
- type: dword
- when:
- - rule_18_8_25_1
- tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.25.1
- - patch
+ - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ name: DevicePKInitBehavior
+ data: 0
+ type: dword
+
+ - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ name: DevicePKInitEnabled
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_25_1
+ tags:
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.25.1
+ - patch
 - name: "SCORED | 18.8.26.1 | PATCH | L1 Ensure Enumeration policy for external devices incompatible with Kernel DMA Protection is set to Enabled Block All"
 win_regedit:
@@ -1201,1569 +1205,1569 @@
 data: 0
 type: dword
 when:
- - rule_18_8_26_1
+ - rule_18_8_26_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.26.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.26.1
+ - patch
 - name: "SCORED | 18.8.27.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Control Panel\International
- name: BlockUserInputMethodsForSignIn
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Control Panel\International
+ name: BlockUserInputMethodsForSignIn
+ data: 1
+ type: dword
 when:
- - rule_18_8_27_1
+ - rule_18_8_27_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.27.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.27.1
+ - patch
 - name: "SCORED | 18.8.28.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: BlockUserFromShowingAccountDetailsOnSignin
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockUserFromShowingAccountDetailsOnSignin
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_1
+ - rule_18_8_28_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.1
+ - patch
 - name: "SCORED | 18.8.28.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: DontDisplayNetworkSelectionUI
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontDisplayNetworkSelectionUI
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_2
+ - rule_18_8_28_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.2
+ - patch
 - name: "SCORED | 18.8.28.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: DontEnumerateConnectedUsers
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontEnumerateConnectedUsers
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_3
+ - rule_18_8_28_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.3
+ - patch
 - name: "SCORED | 18.8.28.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: EnumerateLocalUsers
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: EnumerateLocalUsers
+ data: 0
+ type: dword
 when:
- - rule_18_8_28_4
+ - rule_18_8_28_4
 tags:
- - level1-memberserver
- - rule_18.8.28.4
- - patch
+ - level1-memberserver
+ - rule_18.8.28.4
+ - patch
 - name: "SCORED | 18.8.28.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: DisableLockScreenAppNotifications
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DisableLockScreenAppNotifications
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_5
+ - rule_18_8_28_5
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.5
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.5
+ - patch
 - name: "SCORED | 18.8.28.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: BlockDomainPicturePassword
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockDomainPicturePassword
+ data: 1
+ type: dword
 when:
- - rule_18_8_28_6
+ - rule_18_8_28_6
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.6
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.6
+ - patch
 - name: "SCORED | 18.8.28.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: AllowDomainPINLogon
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: AllowDomainPINLogon
+ data: 0
+ type: dword
 when:
- - rule_18_8_28_7
+ - rule_18_8_28_7
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.28.7
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.28.7
+ - patch
 - name: "SCORED | 18.8.31.1 | PATCH | L2 Ensure Allow Clipboard synchronization across devices is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: AllowCrossDeviceClipboard
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: AllowCrossDeviceClipboard
+ data: 0
+ type: dword
 when:
- - rule_18_8_31_1
+ - rule_18_8_31_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.31.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.31.1
+ - patch
 - name: "SCORED | 18.8.31.2 | PATCH | L2 Ensure Allow upload of User Activities is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\System
- name: UploadUserActivities
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: UploadUserActivities
+ data: 0
+ type: dword
 when:
- - rule_18_8_31_2
+ - rule_18_8_31_2
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.31.2
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.31.2
+ - patch
 - name: "SCORED | 18.8.34.6.1 | PATCH | L2 Ensure Allow network connectivity during connected-standby on battery is set to Disabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
- name: DCSettingIndex
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+ name: DCSettingIndex
+ data: 0
+ type: dword
 when:
- - rule_18_8_34_6_1
+ - rule_18_8_34_6_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.34.6.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.34.6.1
+ - patch
 - name: "SCORED | 18.8.34.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
- name: ACSettingIndex
- data: 0
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+ name: ACSettingIndex
+ data: 0
+ type: dword
 when:
- - rule_18_8_34_6_2
+ - rule_18_8_34_6_2
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.34.6.2
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.34.6.2
+ - patch
 - name: "SCORED | 18.8.34.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
- name: DCSettingIndex
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: DCSettingIndex
+ data: 1
+ type: dword
 when:
- - rule_18_8_34_6_3
+ - rule_18_8_34_6_3
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.34.6.3
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.34.6.3
+ - patch
 - name: "SCORED | 18.8.34.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled"
 win_regedit:
- path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
- name: ACSettingIndex
- data: 1
- type: dword
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: ACSettingIndex
+ data: 1
+ type: dword
 when:
- - rule_18_8_34_6_4
+ - rule_18_8_34_6_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.34.6.4
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.34.6.4
+ - patch
 - name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fAllowUnsolicited
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowUnsolicited
+ data: 0
+ type: dword
 when:
- - rule_18_8_36_1
+ - rule_18_8_36_1
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.36.1
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.36.1
+ - patch
 - name: "SCORED | 18.8.36.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
- name: fAllowToGetHelp
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowToGetHelp
+ data: 0
+ type: dword
 when:
- - rule_18_8_36_2
+ - rule_18_8_36_2
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.8.36.2
- - patch
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.8.36.2
+ - patch
 - name: "SCORED | 18.8.37.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
- name: EnableAuthEpResolution
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: EnableAuthEpResolution
+ data: 1
+ type: dword
 when:
- - rule_18_8_37_1
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_8_37_1
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level1-memberserver
- - rule_18.8.37.1
- - patch
+ - level1-memberserver
+ - rule_18.8.37.1
+ - patch
 - name: "SCORED | 18.8.37.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
- name: RestrictRemoteClients
- data: 1
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: RestrictRemoteClients
+ data: 1
+ type: dword
 when:
- - rule_18_8_37_2
- - not ansible_windows_domain_role == "Primary domain controller"
+ - rule_18_8_37_2
+ - not ansible_windows_domain_role == "Primary domain controller"
 tags:
- - level2-memberserver
- - rule_18.8.37.2
- - patch
+ - level2-memberserver
+ - rule_18.8.37.2
+ - patch
 - name: "SCORED | 18.8.47.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
- name: DisableQueryRemoteServer
- data: 0
- type: dword
+ path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
+ name: DisableQueryRemoteServer
+ data: 0
+ type: dword
 when:
- - rule_18_8_47_5_1
+ - rule_18_8_47_5_1
 tags:
- - level2-domaincontroller
- - level2-memberserver
- - rule_18.8.47.5.1
- - patch
+ - level2-domaincontroller
+ - level2-memberserver
+ - rule_18.8.47.5.1
+ - patch
 - name: "SCORED | 18.8.47.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
 win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
- name: ScenarioExecutionEnabled
- data: 0
- type: dword
+ path:
HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} + name: ScenarioExecutionEnabled + data: 0 + type: dword when: - - rule_18_8_47_11_1 + - rule_18_8_47_11_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.47.11.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.47.11.1 + - patch - name: "SCORED | 18.8.49.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo - name: DisabledByGroupPolicy - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo + name: DisabledByGroupPolicy + data: 1 + type: dword when: - - rule_18_8_49_1 + - rule_18_8_49_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.49.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.49.1 + - patch - name: "SCORED | 18.8.52.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient - name: Enabled - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient + name: Enabled + data: 1 + type: dword when: - - rule_18_8_52_1_1 + - rule_18_8_52_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.52.1.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.52.1.1 + - patch - name: "SCORED | 18.8.52.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only" win_regedit: - path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver - name: Enabled - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver + name: Enabled + data: 1 + type: dword when: - - rule_18_8_52_1_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_52_1_2 + - not ansible_windows_domain_role == "Primary domain 
controller" tags: - - level2-memberserver - - rule_18.8.52.1.2 - - patch + - level2-memberserver + - rule_18.8.52.1.2 + - patch - name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager - name: AllowSharedLocalAppData - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager + name: AllowSharedLocalAppData + data: 0 + type: dword when: - - rule_18_9_4_1 + - rule_18_9_4_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.4.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.4.1 + - patch - name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: MSAOptional - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: MSAOptional + data: 1 + type: dword when: - - rule_18_9_6_1 + - rule_18_9_6_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.6.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.6.1 + - patch - name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoAutoplayfornonVolume - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoAutoplayfornonVolume + data: 1 + type: dword when: - - rule_18_9_8_1 + - rule_18_9_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.8.1 + - patch - name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any 
autorun commands" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoAutorun - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoAutorun + data: 1 + type: dword when: - - rule_18_9_8_2 + - rule_18_9_8_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.8.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.8.2 + - patch - name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoDriveTypeAutoRun - data: 255 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoDriveTypeAutoRun + data: 255 + type: dword when: - - rule_18_9_8_3 + - rule_18_9_8_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.8.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.8.3 + - patch - name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures - name: EnhancedAntiSpoofing - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures + name: EnhancedAntiSpoofing + data: 1 + type: dword when: - - rule_18_9_10_1_1 + - rule_18_9_10_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.10.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.10.1.1 + - patch - name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Camera - name: AllowCamera - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Camera + name: AllowCamera + data: 1 + type: dword when: - - rule_18_9_12_1 + - rule_18_9_12_1 tags: - - level2-domaincontroller - - 
level2-memberserver - - rule_18.9.12.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.12.1 + - patch - name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableWindowsConsumerFeatures - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent + name: DisableWindowsConsumerFeatures + data: 1 + type: dword when: - - rule_18_9_13_1 + - rule_18_9_13_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.13.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.13.1 + - patch - name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect - name: RequirePinForPairing - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect + name: RequirePinForPairing + data: 1 + type: dword when: - - rule_18_9_14_1 + - rule_18_9_14_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.14.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.14.1 + - patch - name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Credui - name: DisablePasswordReveal - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Credui + name: DisablePasswordReveal + data: 1 + type: dword when: - - rule_18_9_15_1 + - rule_18_9_15_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.15.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.15.1 + - patch - name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled" win_regedit: - path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui - name: EnumerateAdministrators - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui + name: EnumerateAdministrators + data: 0 + type: dword when: - - rule_18_9_15_2 + - rule_18_9_15_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.15.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.15.2 + - patch - name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: AllowTelemetry - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: AllowTelemetry + data: 0 + type: dword when: - - rule_18_9_16_1 + - rule_18_9_16_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.16.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.1 + - patch - name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DisableEnterpriseAuthProxy - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: DisableEnterpriseAuthProxy + data: 0 + type: dword when: - - rule_18_9_16_2 + - rule_18_9_16_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.16.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.16.2 + - patch - name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DoNotShowFeedbackNotifications - data: 1 - type: dword + path: 
HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: DoNotShowFeedbackNotifications + data: 1 + type: dword when: - - rule_18_9_16_3 + - rule_18_9_16_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.16.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.3 + - patch - name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds - name: AllowBuildPreview - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds + name: AllowBuildPreview + data: 0 + type: dword when: - - rule_18_9_16_4 + - rule_18_9_16_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.16.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.4 + - patch - name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application - name: Retention - data: 0 - type: string + path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application + name: Retention + data: 0 + type: string when: - - rule_18_9_26_1_1 + - rule_18_9_26_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.1.1 + - patch - name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application - name: MaxSize - data: 65538 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application + name: MaxSize + data: 65538 + type: dword when: - - rule_18_9_26_1_2 + - rule_18_9_26_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - 
rule_18.9.26.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.1.2 + - patch - name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: Retention - data: 0 - type: string + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: Retention + data: 0 + type: string when: - - rule_18_9_26_2_1 + - rule_18_9_26_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.2.1 + - patch - name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: MaxSize - data: 196608 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: MaxSize + data: 196608 + type: dword when: - - rule_18_9_26_2_2 + - rule_18_9_26_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.2.2 + - patch - name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup - name: Retention - data: 0 - type: string + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup + name: Retention + data: 0 + type: string when: - - rule_18_9_26_3_1 + - rule_18_9_26_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.3.1 + - patch - name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is 
set to Enabled 32768 or greater" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup - name: MaxSize - data: 32768 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup + name: MaxSize + data: 32768 + type: dword when: - - rule_18_9_26_3_2 + - rule_18_9_26_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.3.2 + - patch - name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: Retention - data: 0 - type: string + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: Retention + data: 0 + type: string when: - - rule_18_9_26_4_1 + - rule_18_9_26_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.4.1 + - patch - name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: MaxSize - data: 65538 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: MaxSize + data: 65538 + type: dword when: - - rule_18_9_26_4_2 + - rule_18_9_26_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.4.2 + - patch - name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoDataExecutionPrevention - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: 
NoDataExecutionPrevention + data: 0 + type: dword when: - - rule_18_9_30_2 + - rule_18_9_30_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.30.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.2 + - patch - name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoHeapTerminationOnCorruption - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoHeapTerminationOnCorruption + data: 0 + type: dword when: - - rule_18_9_30_3 + - rule_18_9_30_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.30.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.3 + - patch - name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: PreXPSP2ShellProtocolBehavior - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: PreXPSP2ShellProtocolBehavior + data: 0 + type: dword when: - - rule_18_9_30_4 + - rule_18_9_30_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.30.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.4 + - patch - name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors - name: DisableLocation - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors + name: DisableLocation + data: 1 + type: dword when: - - rule_18_9_39_2 + - rule_18_9_39_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.39.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.39.2 + - patch - name: 
"SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Messaging - name: AllowMessageSync - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Messaging + name: AllowMessageSync + data: 0 + type: dword when: - - rule_18_9_43_1 + - rule_18_9_43_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.43.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.43.1 + - patch - name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount - name: DisableUserAuth - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount + name: DisableUserAuth + data: 1 + type: dword when: - - rule_18_9_44_1 + - rule_18_9_44_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.44.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.44.1 + - patch - name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive - name: DisableFileSyncNGSC - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive + name: DisableFileSyncNGSC + data: 1 + type: dword when: - - rule_18_9_52_1 + - rule_18_9_52_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.52.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.52.1 + - patch - name: "SCORED | 18.9.59.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DisablePasswordSaving - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: 
DisablePasswordSaving + data: 1 + type: dword when: - - rule_18_9_59_2_2 + - rule_18_9_59_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.2.2 + - patch - name: "SCORED | 18.9.59.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fSingleSessionPerUser - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fSingleSessionPerUser + data: 1 + type: dword when: - - rule_18_9_59_3_2_1 + - rule_18_9_59_3_2_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.2.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.2.1 + - patch - name: "SCORED | 18.9.59.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCcm - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableCcm + data: 1 + type: dword when: - - rule_18_9_59_3_3_1 + - rule_18_9_59_3_3_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.1 + - patch - name: "SCORED | 18.9.59.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCdm - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableCdm + data: 1 + type: dword when: - - rule_18_9_59_3_3_2 + - rule_18_9_59_3_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.3.2 - - patch + - 
level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.3.2 + - patch - name: "SCORED | 18.9.59.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableLPT - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableLPT + data: 1 + type: dword when: - - rule_18_9_59_3_3_3 + - rule_18_9_59_3_3_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.3 + - patch - name: "SCORED | 18.9.59.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisablePNPRedir - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisablePNPRedir + data: 1 + type: dword when: - - rule_18_9_59_3_3_4 + - rule_18_9_59_3_3_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.4 + - patch - name: "SCORED | 18.9.59.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fPromptForPassword - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fPromptForPassword + data: 1 + type: dword when: - - rule_18_9_59_3_9_1 + - rule_18_9_59_3_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.1 + - patch - name: "SCORED | 18.9.59.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fEncryptRPCTraffic - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fEncryptRPCTraffic + data: 1 + type: dword when: - - rule_18_9_59_3_9_2 + - rule_18_9_59_3_9_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.2 + - patch - name: "SCORED | 18.9.59.3.9.3 | PATCH | L1 Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: SecurityLayer - data: 2 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: SecurityLayer + data: 2 + type: dword when: - - rule_18_9_59_3_9_3 + - rule_18_9_59_3_9_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.3 + - patch - name: "SCORED | 18.9.59.3.9.4 | PATCH | L1 Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: UserAuthentication - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: UserAuthentication + data: 1 + type: dword when: - - rule_18_9_59_3_9_4 + - rule_18_9_59_3_9_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.4 + - patch - name: "SCORED | 18.9.59.3.9.5 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MinEncryptionLevel - data: 3 - type: dword + path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MinEncryptionLevel + data: 3 + type: dword when: - - rule_18_9_59_3_9_5 + - rule_18_9_59_3_9_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.5 + - patch - name: "SCORED | 18.9.59.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxIdleTime - data: 3600000 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxIdleTime + data: 3600000 + type: dword when: - - rule_18_9_59_3_10_1 + - rule_18_9_59_3_10_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.10.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.1 + - patch - name: "SCORED | 18.9.59.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxDisconnectionTime - data: 28800000 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxDisconnectionTime + data: 28800000 + type: dword when: - - rule_18_9_59_3_10_2 + - rule_18_9_59_3_10_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.10.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.2 + - patch - name: "SCORED | 18.9.59.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DeleteTempDirsOnExit - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DeleteTempDirsOnExit + data: 1 + type: dword when: - - 
rule_18_9_59_3_11_1 + - rule_18_9_59_3_11_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.11.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.1 + - patch - name: "SCORED | 18.9.59.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: PerSessionTempDir - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: PerSessionTempDir + data: 1 + type: dword when: - - rule_18_9_59_3_11_2 + - rule_18_9_59_3_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.11.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.2 + - patch - name: "SCORED | 18.9.60.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds - name: DisableEnclosureDownload - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds + name: DisableEnclosureDownload + data: 1 + type: dword when: - - rule_18_9_60_1 + - rule_18_9_60_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.60.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.60.1 + - patch - name: "SCORED | 18.9.61.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowCloudSearch - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowCloudSearch + data: 0 + type: dword when: - - rule_18_9_61_2 + - rule_18_9_61_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.61.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.61.2 + - patch - name: "SCORED | 18.9.61.3 | PATCH | L1 
Ensure Allow indexing of encrypted files is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowIndexingEncryptedStoresOrItems - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowIndexingEncryptedStoresOrItems + data: 0 + type: dword when: - - rule_18_9_61_3 + - rule_18_9_61_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.61.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.61.3 + - patch - name: "SCORED | 18.9.66.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform - name: NoGenTicket - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform + name: NoGenTicket + data: 1 + type: dword when: - - rule_18_9_66_1 + - rule_18_9_66_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.66.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.66.1 + - patch - name: "SCORED | 18.9.77.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: LocalSettingOverrideSpynetReporting - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: LocalSettingOverrideSpynetReporting + data: 0 + type: dword when: - - rule_18_9_77_3_1 + - rule_18_9_77_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.3.1 + - patch - name: "SCORED | 18.9.77.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: SpynetReporting - 
data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: SpynetReporting + data: 0 + type: dword when: - - rule_18_9_77_3_2 + - rule_18_9_77_3_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.77.3.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.3.2 + - patch - name: "SCORED | 18.9.77.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableBehaviorMonitoring - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword when: - - rule_18_9_77_7_1 + - rule_18_9_77_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.7.1 + - patch - name: "SCORED | 18.9.77.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting - name: DisableGenericRePorts - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting + name: DisableGenericRePorts + data: 1 + type: dword when: - - rule_18_9_77_9_1 + - rule_18_9_77_9_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.77.9.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.9.1 + - patch - name: "SCORED | 18.9.77.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: DisableRemovableDriveScanning - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableRemovableDriveScanning + data: 0 + type: dword when: - - rule_18_9_77_10_1 + - rule_18_9_77_10_1 tags: - - level1-domaincontroller - - level1-memberserver 
- - rule_18.9.77.10.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.1 + - patch - name: "SCORED | 18.9.77.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: DisableEmailScanning - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableEmailScanning + data: 0 + type: dword when: - - rule_18_9_77_10_2 + - rule_18_9_77_10_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.10.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.2 + - patch - name: "SCORED | 18.9.77.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR - name: ExploitGuard_ASR_Rules - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR + name: ExploitGuard_ASR_Rules + data: 1 + type: dword when: - - rule_18_9_77_13_1_1 + - rule_18_9_77_13_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.1.1 + - patch - name: "SCORED | 18.9.77.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules - name: "{{ item }}" - data: 1 - type: string # aka REG_SZ + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules + name: "{{ item }}" + data: 1 + type: string loop: - - 26190899-1602-49e8-8b27-eb1d0a1ce869 - - 3b576869-a4ec-4529-8536-b80a7769e899 - - 5beb7efe-fd9a-4556-801d-275e5ffc04cc - - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 - - 
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b - - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 - - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 - - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 - - d3e037e1-3eb8-44c8-a917-57927947596d - - d4f940ab-401b-4efc-aadc-ad5f3c50688a - when: - - rule_18_9_77_13_1_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.1.2 - - patch + - 26190899-1602-49e8-8b27-eb1d0a1ce869 + - 3b576869-a4ec-4529-8536-b80a7769e899 + - 5beb7efe-fd9a-4556-801d-275e5ffc04cc + - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 + - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c + - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b + - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 + - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 + - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 + - d3e037e1-3eb8-44c8-a917-57927947596d + - d4f940ab-401b-4efc-aadc-ad5f3c50688a + when: + - rule_18_9_77_13_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.1.2 + - patch - name: "SCORED | 18.9.77.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - name: EnableNetworkProtection - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + name: EnableNetworkProtection + data: 1 + type: dword when: - - rule_18_9_77_13_3_1 + - rule_18_9_77_13_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.3.1 + - patch - name: "SCORED | 18.9.77.14 | PATCH | L1 Ensure Configure detection for potentially unwanted applications is set to Enabled Block" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender - name: PUAProtection - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows 
Defender + name: PUAProtection + data: 1 + type: dword when: - - rule_18_9_77_14 + - rule_18_9_77_14 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.14 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.14 + - patch - name: "SCORED | 18.9.77.15 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender - name: DisableAntiSpyware - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender + name: DisableAntiSpyware + data: 0 + type: dword when: - - rule_18_9_77_15 + - rule_18_9_77_15 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.15 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.15 + - patch - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass" block: - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: EnableSmartScreen - data: 1 - type: dword - - - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: ShellSmartScreenLevel - data: Block - type: string - when: - - rule_18_9_80_1_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.80.1.1 - - patch + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: EnableSmartScreen + data: 1 + type: dword + + - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows 
Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: ShellSmartScreenLevel + data: Block + type: string + when: + - rule_18_9_80_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.80.1.1 + - patch - name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace - name: AllowSuggestedAppsInWindowsInkWorkspace - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace + name: AllowSuggestedAppsInWindowsInkWorkspace + data: 0 + type: dword when: - - rule_18_9_84_1 + - rule_18_9_84_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.84.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.84.1 + - patch - name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace - name: AllowWindowsInkWorkspace - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace + name: AllowWindowsInkWorkspace + data: 1 + type: dword when: - - rule_18_9_84_2 + - rule_18_9_84_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.84.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.84.2 + - patch - name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: EnableUserControl - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: EnableUserControl + data: 0 + type: dword when: - - rule_18_9_85_1 + - rule_18_9_85_1 tags: - - level1-domaincontroller - - 
level1-memberserver - - rule_18.9.85.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.1 + - patch - name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword when: - - rule_18_9_85_2 + - rule_18_9_85_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.85.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.2 + - patch - name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: SafeForScripting - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: SafeForScripting + data: 0 + type: dword when: - - rule_18_9_85_3 + - rule_18_9_85_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.85.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.85.3 + - patch - name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DisableAutomaticRestartSignOn - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableAutomaticRestartSignOn + data: 1 + type: dword when: - - rule_18_9_86_1 + - rule_18_9_86_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.86.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.86.1 + - patch - name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging 
is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging - name: EnableScriptBlockLogging - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging + name: EnableScriptBlockLogging + data: 0 + type: dword when: - - rule_18_9_95_1 + - rule_18_9_95_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.95.1 + - patch - name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription - name: EnableTranscripting - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription + name: EnableTranscripting + data: 0 + type: dword when: - - rule_18_9_95_2 + - rule_18_9_95_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.95.2 + - patch - name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowBasic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowBasic + data: 0 + type: dword when: - - rule_18_9_97_1_1 - - not win_skip_for_test + - rule_18_9_97_1_1 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.1 + - patch - name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowUnencryptedTraffic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: 
AllowUnencryptedTraffic + data: 0 + type: dword when: - - rule_18_9_97_1_2 - - not win_skip_for_test + - rule_18_9_97_1_2 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.2 + - patch - name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowDigest - data: 0 - type: dword - when: rule_18_9_97_1_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowDigest + data: 0 + type: dword + when: + - rule_18_9_97_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.3 + - patch - name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowBasic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowBasic + data: 0 + type: dword when: - - rule_18_9_97_2_1 - - not win_skip_for_test + - rule_18_9_97_2_1 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.1 + - patch -#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart - name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowAutoConfig - data: 1 - type: dword + path: 
HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowAutoConfig + data: 1 + type: dword when: - - rule_18_9_97_2_2 - - not win_skip_for_test + - rule_18_9_97_2_2 + - not win_skip_for_test tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.97.2.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.97.2.2 + - patch - name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowUnencryptedTraffic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowUnencryptedTraffic + data: 0 + type: dword when: - - rule_18_9_97_2_3 - - not win_skip_for_test + - rule_18_9_97_2_3 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.3 + - patch - name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: DisableRunAs - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: DisableRunAs + data: 1 + type: dword when: - - rule_18_9_97_2_4 + - rule_18_9_97_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.4 + - patch -#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart - name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs 
- name: AllowRemoteShellAccess - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs + name: AllowRemoteShellAccess + data: 1 + type: dword when: - - rule_18_9_98_1 - - not win_skip_for_test + - rule_18_9_98_1 + - not win_skip_for_test tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.98.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.98.1 + - patch - name: "SCORED | 18.9.99.2.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - name: DisallowExploitProtectionOverride - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + name: DisallowExploitProtectionOverride + data: 1 + type: dword when: - - rule_18_9_99_2_1 + - rule_18_9_99_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.99.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.99.2.1 + - patch - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds" block: - - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: ManagePreviewBuilds - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: ManagePreviewBuildsPolicyValue - data: 0 - type: dword - when: - - rule_18_9_102_1_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.1 - - patch + - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set 
to Enabled Disable preview builds | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuilds + data: 1 + type: dword + + - name: "SCORED | 18.9.102.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuildsPolicyValue + data: 0 + type: dword + when: + - rule_18_9_102_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.1 + - patch - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days" block: - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: DeferFeatureUpdates - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: DeferFeatureUpdatesPeriodInDays - data: 180 - type: dword - - - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: BranchReadinessLevel - data: 16 - type: dword - when: - - rule_18_9_102_1_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.2 - - patch + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are 
received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdates + data: 1 + type: dword + + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdatesPeriodInDays + data: 180 + type: dword + + - name: "SCORED | 18.9.102.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: BranchReadinessLevel + data: 16 + type: dword + when: + - rule_18_9_102_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.2 + - patch - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days" block: - - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - name: DeferQualityUpdates - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - name: DeferQualityUpdatesPeriodInDays - data: 0 - type: dword - when: + - name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdates + data: 1 + type: dword + + 
- name: "SCORED | 18.9.102.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdatesPeriodInDays + data: 0 + type: dword + when: - rule_18_9_102_1_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.3 - - patch + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.3 + - patch - name: "SCORED | 18.9.102.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoUpdate - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoUpdate + data: 0 + type: dword when: - - rule_18_9_102_2 + - rule_18_9_102_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.2 + - patch - name: "SCORED | 18.9.102.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: ScheduledInstallDay - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: ScheduledInstallDay + data: 0 + type: dword when: - - rule_18_9_102_3 + - rule_18_9_102_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.3 + - patch - name: "SCORED | 18.9.102.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoRebootWithLoggedOnUsers - data: 0 - type: dword + path: 
HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
+ name: NoAutoRebootWithLoggedOnUsers
+ data: 0
+ type: dword
 when:
- - rule_18_9_102_4
+ - rule_18_9_102_4
 tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.9.102.4
- - patch
-
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.9.102.4
+ - patch

From 5bce70ed919c682bc3c1fe403d7c585ca2d8abb4 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 11:48:02 -0400
Subject: [PATCH 16/24] updated meta file

Signed-off-by: George Nalen
---
 meta/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/main.yml b/meta/main.yml
index 793e52d..6f1de9e 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -4,6 +4,7 @@ galaxy_info:
 description: "Ansible role to apply Windows Server 2019 CIS Benchmark"
 company: "MindPoint Group"
 license: MIT
+ role_name: windows_2019_cis
 min_ansible_version: 2.6

 platforms:

From 6c6959200869861b980dc2956fa7f2d297953be9 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:38:42 -0400
Subject: [PATCH 17/24] Updated meta platform

Signed-off-by: George Nalen
---
 .cache/roles/Windows-2019-CIS | 1 -
 meta/main.yml | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
 delete mode 120000 .cache/roles/Windows-2019-CIS

diff --git a/.cache/roles/Windows-2019-CIS b/.cache/roles/Windows-2019-CIS
deleted file mode 120000
index c25bddb..0000000
--- a/.cache/roles/Windows-2019-CIS
+++ /dev/null
@@ -1 +0,0 @@
-../..
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
index 6f1de9e..c6e3de7 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -8,7 +8,7 @@ galaxy_info:
 min_ansible_version: 2.6

 platforms:
- - name: Windows Server
+ - name: Windows
 versions:
 - 2019

From 39f6714184ff89a4609bb27bb469aaf2274ab183 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:43:54 -0400
Subject: [PATCH 18/24] implemented 18.1.3

Signed-off-by: George Nalen
---
 tasks/section18.yml | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index 918a000..705b7d7 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -42,17 +42,12 @@
 - patch

 - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled"
- block:
- - name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_1_2_2_audit
-
- - name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
+ name: AllowOnlineTips
+ data: 0
+ type: dword
 when:
- - is_implemented
 - rule_18_1_3
 tags:
 - level2-domaincontroller

From 99f658ff9835a418cf6199df398f528466c71514 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:45:48 -0400
Subject: [PATCH 19/24] implemented 18.2.1

Signed-off-by: George Nalen
---
 tasks/section18.yml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index 705b7d7..ad09425 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -56,19 +56,14 @@
 - patch

 - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
- block:
- - name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_2_1_audit
-
- - name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}
+ name: DllName
+ data: C:\Program Files\LAPS\CSE\AdmPwd.dll
+ type: string
 when:
- - is_implemented
 - rule_18_2_1
- - not ansible_windows_domain_role == "Primary domain controller"
+ - ansible_windows_domain_role == "Member Server"
 tags:
 - level1-memberserver
 - rule_18.2.1

From 12b2a10c41026a9e22dae220d9866a8f978d80ef Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:47:05 -0400
Subject: [PATCH 20/24] implemented 18.2.2

Signed-off-by: George Nalen
---
 tasks/section18.yml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index ad09425..4842dfd 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
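Review bot: The new `when` condition `ansible_windows_domain_role == "Member Server"` is a case-sensitive string compare and, as far as I know, the setup module reports this fact as `Member server` (lowercase s); if so the task is silently skipped on every host and the control is never applied. Confirm the exact value on a target and make the comparison case-insensitive, e.g. `- ansible_windows_domain_role | lower == "member server"`. The same condition is introduced in the 18.2.2 and 18.2.3 hunks of the following two patches. Separately, writing `DllName` under the GPExtensions key only registers the CSE and does not check that `C:\Program Files\LAPS\CSE\AdmPwd.dll` exists, so on a host without LAPS the task reports success while leaving a policy extension pointing at a missing DLL; guard it with a `win_stat` on the DLL (or fail with a clear message), since the control is about LAPS being installed. The task's tags list continues past the end of the hunk.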
@@ -70,19 +70,14 @@
 - patch
 
 - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
- block:
- - name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_2_2_audit
-
- - name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
+ name: PwdExpirationProtectionEnabled
+ data: 1
+ type: dword
 when:
- - is_implemented
 - rule_18_2_2
- - not ansible_windows_domain_role == "Primary domain controller"
+ - ansible_windows_domain_role == "Member Server"
 tags:
 - level1-memberserver
 - rule_18.2.2
From d27125f74050b99adfa4b59fc75876fa2b639e71 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:48:14 -0400
Subject: [PATCH 21/24] implemented 18.2.3
Signed-off-by: George Nalen
---
 tasks/section18.yml | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index 4842dfd..ee7875a 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -84,19 +84,14 @@
 - patch
 
 - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only"
- block:
- - name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_2_3_audit
-
- - name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
+ name: AdmPwdEnabled
+ data: 1
+ type: dword
 when:
- - is_implemented
 - rule_18_2_3
- - not ansible_windows_domain_role == "Primary domain controller"
+ - ansible_windows_domain_role == "Member Server"
 tags:
 - level1-memberserver
 - rule_18.2.3
From 19da7c57eae5c0fe0c43fe0467feb3c5938f0639 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:51:49 -0400
Subject: [PATCH 22/24] implemented 18.2.4 through 18.2.6
Signed-off-by: George Nalen
---
 defaults/main.yml | 12 +++++++++++
 tasks/section18.yml | 51 ++++++++++++++++-----------------------
 2 files changed, 30 insertions(+), 33 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index 5cfef95..237d569 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -528,7 +528,19 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
 # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB
 public_firewall_log_size: 16,384
 
+# Control 18.2.5
+# laps_passwordlength is the LAPS tool password length.
+# To conform to CIS standards please use a min value of 15 and max value of 127
+laps_passwordlength: 15
+
+# Control 18.2.6
+# laps_passwordagedays is the LAPS tool password age in days
+# To conform to CIS standards please use a max value of 30
+laps_passwordagedays: 30
+
 # 18.3.6
 # netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType
 # Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS
 netbt_nodetype: 2
+
+
diff --git a/tasks/section18.yml b/tasks/section18.yml
index ee7875a..a5f8445 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
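Review bot: The two empty `+` lines appended after `netbt_nodetype: 2` leave defaults/main.yml ending in blank lines, which yamllint flags and which will show up as churn in the next diff; drop them so the file ends with a single newline. The new `laps_passwordlength` and `laps_passwordagedays` comments state the CIS bounds (15–127 and at most 30) but nothing enforces them before the values are written to the registry in section18.yml. An `assert` task at the start of section 18 checking `laps_passwordlength | int >= 15`, `laps_passwordlength | int <= 127` and `laps_passwordagedays | int <= 30` would make an out-of-range override fail loudly instead of silently producing a non-compliant LAPS policy.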
@@ -98,57 +98,42 @@
 - patch
 
 - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
- block:
- - name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_2_4_audit
-
- - name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
+ name: PasswordComplexity
+ data: 4
+ type: dword
 when:
- - is_implemented
 - rule_18_2_4
- - not ansible_windows_domain_role == "Primary domain controller"
+ - ansible_windows_domain_role == "Member Server"
 tags:
 - level1-memberserver
 - rule_18.2.4
 - patch
 
 - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
- block:
- - name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_2_5_audit
-
- - name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
+ name: PasswordLength
+ data: "{{ laps_passwordlength }}"
+ type: dword
 when:
- - is_implemented
 - rule_18_2_5
- - not ansible_windows_domain_role == "Primary domain controller"
+ - ansible_windows_domain_role == "Member Server"
 tags:
 - level1-memberserver
 - rule_18.2.5
 - patch
 
 - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
- block:
- - name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_3_6_audit
-
- - name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
+ name: PasswordAgeDays
+ data: "{{ laps_passwordagedays }}"
+ type: dword
 when:
- - is_implemented
 - rule_18_2_6
- - not ansible_windows_domain_role == "Primary domain controller"
+ - ansible_windows_domain_role == "Memmber Server"
 tags:
 - level1-memberserver
 - rule_18.2.6
From 727a839adc66e5c1c842e9e913c641ce16c9b34e Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:52:41 -0400
Subject: [PATCH 23/24] implemented 18.3.2
Signed-off-by: George Nalen
---
 tasks/section18.yml | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index a5f8445..ab2f974 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -154,17 +154,12 @@
 - patch
 
 - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
- block:
- - name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_3_2_audit
-
- - name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10
+ name: Start
+ data: 4
+ type: dword
 when:
- - is_implemented
 - rule_18_3_2
 tags:
 - level1-domaincontroller
From e22bf4434102f853d18e61931b0db044e58e3fd5 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Tue, 29 Jun 2021 12:53:26 -0400
Subject: [PATCH 24/24] implemented 18.3.5
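Review bot: The 18.2.6 task's new condition line reads `- ansible_windows_domain_role == "Memmber Server"`; the misspelling means it can never be true, so the LAPS password-age setting is silently skipped on every host while the run reports success, and nothing in the play would surface that. It should be `- ansible_windows_domain_role == "Member Server"` like the 18.2.4 and 18.2.5 tasks in this hunk, and the casing of all three should be checked against the actual `ansible_windows_domain_role` fact value, which I believe is `Member server`. The 18.2.5 and 18.2.6 tasks also pass the variables as quoted templates (`data: "{{ laps_passwordlength }}"`) with `type: dword`; if win_regedit does not coerce a string to an integer for dword values, `"{{ laps_passwordlength | int }}"` would make the intent explicit and fail early on a non-numeric override.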
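Review bot: Setting `Start` to 4 on mrxsmb10 disables the SMB1 client driver only from the next boot — as far as I know a driver that is already loaded is not unloaded by the registry change — yet the task neither registers its result nor signals a pending reboot, so a run reports the control as applied while the SMBv1 client stays active until restart. Consider `register: rule_18_3_2_result` with a reboot handler (or a `win_reboot` gated on `changed`) consistent with how the rest of the role handles reboot-requiring controls, or at least a comment on the task noting the reboot requirement.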
Signed-off-by: George Nalen
---
 tasks/section18.yml | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/tasks/section18.yml b/tasks/section18.yml
index ab2f974..bbdf407 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -199,17 +199,12 @@
 - patch
 
 - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only"
- block:
- - name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only"
- command: "echo true"
- changed_when: false
- failed_when: false
- register: rule_18_3_5_audit
-
- - name: "SCORED | 18.3.5 | PATCH | L1 Ensure Extended Protection for LDAP Authentication Domain Controllers only is set to Enabled Enabled always recommended DC Only"
- command: "echo true"
+ win_regedit:
+ path: HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
+ name: LdapEnforceChannelBinding
+ data: 1
+ type: dword
 when:
- - is_implemented
 - rule_18_3_5
 - ansible_windows_domain_role == "Primary domain controller"
 tags:
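Review bot: `data: 1` for `LdapEnforceChannelBinding` selects "Enabled, when supported", but the setting the task's own name quotes, "Enabled, always (recommended)", is value 2; with 1 a client that does not advertise channel-binding support is still accepted, which leaves the LDAP relay exposure this control is meant to close. Change the line to `data: 2`. Also worth noting, although the line is unchanged context here: `ansible_windows_domain_role == "Primary domain controller"` matches only the DC holding the PDC emulator role, since additional domain controllers report `Backup domain controller`, so every other DC in the domain would keep the weaker setting; a condition such as `ansible_windows_domain_role in ["Primary domain controller", "Backup domain controller"]` (or the role's existing DC detection, if it has one) would cover them.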