diff --git a/ChangeLog.md b/ChangeLog.md
index 7a4731d..e27c1e9 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -2,6 +2,14 @@ ## Release 2.0.1
+March 2024 Update
+Thank you @MrSteve81 for the enhancements to this release!
+ - Improved 19.x section logic for Windows local user SIDs and HKU support.
+ - Reboot handler and logic Improvement with skip_reboot var feature.
+ - win_skip_for_test var update with additional description and supported controls of 2.2.20, 2.2.25, and 2.2.26.
+ - Mislabeled control fix for win22cis_rule_18_9_7_2
+ - Improved logic for win22cis_cloud_based_system 1.2.x controls.
+
 February 2024 Update
 - Issues Addressed:
 - [#27](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/27) - Thank you @SwaffelSmurf
diff --git a/defaults/main.yml b/defaults/main.yml
index b151064..435440b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -37,20 +37,11 @@ min_ansible_version: "2.10"
 # may fail in some cases.
 complexity_high: true
-# Show "changed" for complex items not remediated per complexity-high setting
-# to make them stand out. "changed" items on a second run of the role would
-# indicate items requiring manual review.
-audit_complex: true
-
 # We've defined disruption-high to indicate items that are likely to cause
 # disruption in a normal workflow. These items can be remediated automatically
 # but are disabled by default to avoid disruption.
 disruption_high: false
-# Show "changed" for disruptive items not remediated per disruption-high
-# setting to make them stand out.
-audit_disruptive: false
-
 # Tweak role to run in a non-privileged container
 system_is_container: false
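Review bot: Removing the `audit_complex` and `audit_disruptive` defaults is a breaking change for any task or inventory that still references them; no task using either name is touched in this diff, so if a `when: audit_complex`-style condition survives elsewhere in the role it would now fail with an undefined-variable error rather than being ignored. Grepping the task files for both names before merging would settle that. The ChangeLog entry in the same commit does not mention the removal; a line such as `- Removed the unused audit_complex and audit_disruptive variables` would warn users who set them in inventory.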
@@ -60,16 +51,23 @@ long_running: false
 # win_skip_for_test is used in the playbook to skip over WINRM-based controls that
 # may cause WINRM Basic Connection Type to be disabled.
 # Setting win_skip_for_test to 'false' will enable Secure Connection types only.
-# win22cis_rule_2_3_1_4
-# win22cis_rule_9_3_5
-# win22cis_rule_18_10_89_1_1
-# win22cis_rule_18_10_89_1_2
-# win22cis_rule_18_10_89_2_1
-# win22cis_rule_18_10_89_2_2
-# win22cis_rule_18_10_89_2_3
-# win22cis_rule_18_10_90_1
+# win22cis_rule_2_2_25 - Breaks Local Admin Connection
+# win22cis_rule_2_2_26 - Breaks Local Admin Connection
+# win22cis_rule_2_3_1_4 - Rename default administrator account
+# win22cis_rule_9_3_5 - Enables Firewall Public Rules *Breaks Reboot*
+# win22cis_rule_18_10_89_1_1 - Disables WinRM Allow Client Basic Auth
+# win22cis_rule_18_10_89_1_2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
+# win22cis_rule_18_10_89_2_1 - Disables WinRM Allow Service Basic Auth
+# win22cis_rule_18_10_89_2_2 - Disables Remote Server Management through WinRM
+# win22cis_rule_18_10_89_2_3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
+# win22cis_rule_18_10_90_1 - Disables Remote Shell Access
 win_skip_for_test: true
+# Changes will be made that will require a system reboot.
+# The following option will allow whether or not to skip the reboot.
+# Default: true
+skip_reboot: true
+
 # These variables correspond with the CIS Rule IDs defined in the CIS and allow you to enable/disable specific rules.
 # PLEASE NOTE: These work in coordination with the level1 and level2 group variables. You must enable an entire group
 # in order for the variables below to take effect.
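Review bot: The control list under the `win_skip_for_test` comment omits `win22cis_rule_2_2_20`, although the three hunks in tasks/section02.yml in this commit gate 2.2.20, 2.2.25 and 2.2.26 on `not win_skip_for_test` and the ChangeLog names 2.2.20 as a supported control. Add `# win22cis_rule_2_2_20 - <effect of the control>` in the same form as the other entries so the documented list matches the gated tasks. The `skip_reboot` comment is also hard to read; `# Some controls require a reboot. skip_reboot: false lets the role reboot the host at the end of the run; true (default) only warns.` states what tasks/post.yml implements.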
@@ -118,6 +116,8 @@ win22cis_rule_2_2_21: true
 win22cis_rule_2_2_22: true
 win22cis_rule_2_2_23: true
 win22cis_rule_2_2_24: true
+# Setting win22cis_rule_2_2_25 and win22cis_rule_2_2_26 Control To True Will Break Ansible Connection
+# Setting win_skip_for_test: true -- will skip the controls here even if they are set to true.
 win22cis_rule_2_2_25: true
 win22cis_rule_2_2_26: true
 win22cis_rule_2_2_27: true
@@ -355,7 +355,7 @@ win22cis_rule_18_9_5_4: true
 win22cis_rule_18_9_5_5: true
 win22cis_rule_18_9_5_6: true
 win22cis_rule_18_9_5_7: true
-win22cis_rule_18_8_7_2: true
+win22cis_rule_18_9_7_2: true
 win22cis_rule_18_9_13_1: true
 win22cis_rule_18_9_19_2: true
 win22cis_rule_18_9_19_3: true
diff --git a/handlers/main.yml b/handlers/main.yml
index 0cb78d6..80d01dc 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,7 @@
 ---
-- name: reboot_windows
- ansible.windows.win_reboot:
- reboot_timeout: 3600
+- name: change_requires_reboot
+ ansible.builtin.set_fact:
+ reboot_host: true
+ tags:
+ - always
diff --git a/meta/main.yml b/meta/main.yml
index ddc4dae..4dfa6b1 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,7 +1,7 @@
 ---
 galaxy_info:
- author: "George Nalen, Mark Bolwell, Stephen Williams, Frederick Witty Jr."
+ author: "Stephen Williams, Frederick Witty Jr."
 description: "Ansible role to apply Windows Server 2022 CIS Benchmark"
 company: "MindPoint Group"
 license: MIT
diff --git a/tasks/post.yml b/tasks/post.yml
new file mode 100644
index 0000000..4aa3351
--- /dev/null
+++ b/tasks/post.yml
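Review bot: Renaming the handler from `reboot_windows` to `change_requires_reboot` means every remaining `notify: reboot_windows` must be updated, or the play aborts with an unknown-handler error; this diff updates tasks/section05.yml and two places in tasks/section18.yml, but the other task files are not shown, so the rest of the role should be searched for the old name. The new handler only sets `reboot_host: true` and depends on tasks/post.yml (added in this commit) to flush handlers and act on the flag, which is not obvious from handlers/main.yml alone; a comment on the handler such as `# Only records that a reboot is needed; tasks/post.yml reboots or warns according to skip_reboot.` would make the contract explicit.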
@@ -0,0 +1,36 @@
+---
+
+- name: "POST | Flush Handlers"
+ ansible.builtin.meta: flush_handlers
+ tags:
+ - always
+
+- name: "POST | Reboot System Options"
+ block:
+ - name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
+ ansible.windows.win_reboot:
+ reboot_timeout: 3600
+ when:
+ - reboot_host
+ - not skip_reboot
+
+ - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
+ ansible.builtin.debug:
+ msg:
+ - "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
+ - "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
+ changed_when: true
+ when:
+ - reboot_host
+ - skip_reboot
+
+ - name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
+ ansible.builtin.import_tasks:
+ file: warning_facts.yml
+ when:
+ - reboot_host
+ - skip_reboot
+ vars:
+ warn_control_id: Reboot_Required
+ tags:
+ - always
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index c19f64e..4a28327 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
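Review bot: This file only has an effect if tasks/main.yml imports post.yml after the section tasks, and that change is not part of this diff, so please confirm it exists; the same goes for `warning_facts.yml`, which `import_tasks` references but the commit does not add. The `flush_handlers` at the top is what makes `reboot_host` visible to the block below, since the flag is only set by the `change_requires_reboot` handler; a comment such as `# Run pending handlers first so change_requires_reboot has set reboot_host before it is tested.` would keep someone from moving it. Likewise `changed_when: true` on the warning `debug` task is deliberate (it makes a required-but-skipped reboot show up in the play recap) and deserves the inline comment `# changed_when: true so the skipped reboot is visible in the recap`.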
@@ -49,3 +49,40 @@
 windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
 tags:
 - always
+
+
+- name: PRELIM | Retrieve Default NTUSER and All Local User Hive Data
+ block:
+ - name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
+ ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
+ changed_when: false
+ failed_when: false
+
+ - name: PRELIM | Pull All Username and SIDs
+ ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
+ changed_when: false
+ failed_when: false
+ register: all_users
+
+ - name: PRELIM | Create Results List Fact For Username And SIDs
+ ansible.builtin.set_fact:
+ username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
+
+ - name: PRELIM | Load All User Hives From Username And SIDs List
+ ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
+ changed_when: false
+ failed_when: false
+ loop: "{{ username_and_sid_results_list }}"
+
+ - name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
+ ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
+ changed_when: false
+ failed_when: false
+ register: current_users_loaded_hku
+
+ - name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
+ ansible.builtin.set_fact:
+ hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
+ when: win22cis_section19
+ tags:
+ - always
diff --git a/tasks/section01.yml b/tasks/section01.yml
index 91c4eef..1d9aa7b 100644
--- a/tasks/section01.yml
+++ b/tasks/section01.yml
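Review bot: The `Win32_UserAccount` query filters only on `SID LIKE 'S-1-5-%'`, which on a domain-joined host also enumerates domain accounts (and can take a very long time on a large domain) even though the ChangeLog describes this as local-user support; `-Filter "LocalAccount = True AND SID LIKE 'S-1-5-%'"` limits it to local accounts. The later `REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT` derives the profile folder from the account name, which is not guaranteed to match (renamed accounts, relocated profiles, a name containing a space is already split into two items by `split(' ')`), and the path is unquoted; the real folder is `ProfileImagePath` under the per-SID ProfileList key, and the path argument should at least be quoted. Every load also runs with `failed_when: false` and nothing ever issues a matching `REG UNLOAD`, so hives stay mounted after the play and a failed load is invisible; registering the results and adding an unload step to tasks/post.yml would make this robust and auditable.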
@@ -190,9 +190,7 @@
 ansible.builtin.import_tasks:
 file: section01_cloud_lockout_order.yml
 when:
- - win22cis_cloud_based_system or
- win2022cis_is_domain_controller or
- win2022cis_is_domain_member
+ - win22cis_cloud_based_system
 tags:
 - section01_cloud_lockout_order
@@ -228,9 +226,7 @@
 - win22cis_bad_login_lockout_count > 0
 when:
 - win22cis_rule_1_2_2
- - not win22cis_cloud_based_system or
- win2022cis_is_domain_controller or
- win2022cis_is_domain_member
+ - not win22cis_cloud_based_system
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -245,9 +241,8 @@
 value: "{{ win22cis_allow_admin_account_lockout }}"
 when:
 - win22cis_rule_1_2_3
- - not win22cis_cloud_based_system or
- win2022cis_is_domain_controller or
- win2022cis_is_domain_member
+ - win2022cis_is_domain_member
+ - not win22cis_cloud_based_system
 tags:
 - level1-memberserver
 - rule_1.2.3
@@ -284,9 +279,7 @@
 - win22cis_account_lockout_counter_reset <= win22cis_account_lockout_duration
 when:
 - win22cis_rule_1_2_4
- - not win22cis_cloud_based_system or
- win2022cis_is_domain_controller or
- win2022cis_is_domain_member
+ - not win22cis_cloud_based_system
 tags:
 - level1-domaincontroller
 - level1-memberserver
@@ -318,9 +311,7 @@
 when: win22cis_account_lockout_duration >= 15
 when:
 - win22cis_rule_1_2_1
- - not win22cis_cloud_based_system or
- win2022cis_is_domain_controller or
- win2022cis_is_domain_member
+ - not win22cis_cloud_based_system
 tags:
 - level1-domaincontroller
 - level1-memberserver
diff --git a/tasks/section01_cloud_lockout_order.yml b/tasks/section01_cloud_lockout_order.yml
index dbb61ca..cae28b8 100644
--- a/tasks/section01_cloud_lockout_order.yml
+++ b/tasks/section01_cloud_lockout_order.yml
@@ -80,6 +80,7 @@
 value: "{{ win22cis_allow_admin_account_lockout }}"
 when:
 - win22cis_rule_1_2_3
+ - win2022cis_is_domain_member
 tags:
 - level1-memberserver
 - rule_1.2.3
diff --git a/tasks/section02.yml b/tasks/section02.yml
index 320e581..23e4f63 100644
--- a/tasks/section02.yml
+++ b/tasks/section02.yml
@@ -300,6 +300,7 @@
 when:
 - win22cis_rule_2_2_20
 - win2022cis_is_domain_controller
+ - not win_skip_for_test
 tags:
 - level1-domaincontroller
 - rule_2.2.20
@@ -378,6 +379,7 @@
 when:
 - win22cis_rule_2_2_25
 - win2022cis_is_domain_controller
+ - not win_skip_for_test
 tags:
 - level1-domaincontroller
 - rule_2.2.25
@@ -394,6 +396,7 @@
 when:
 - win22cis_rule_2_2_26
 - win2022cis_is_domain_member
+ - not win_skip_for_test
 tags:
 - level1-memberserver
 - rule_2.2.26
diff --git a/tasks/section05.yml b/tasks/section05.yml
index 2321979..4c67efa 100644
--- a/tasks/section05.yml
+++ b/tasks/section05.yml
@@ -20,7 +20,7 @@
 start_mode: disabled
 state: stopped
 when: spooler_service_info.exists
- notify: reboot_windows
+ notify: change_requires_reboot
 when:
 - win22cis_rule_5_1 or
 win22cis_rule_5_2
diff --git a/tasks/section18.yml b/tasks/section18.yml
index d2b30ae..619f84b 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -207,7 +207,7 @@
 name: RpcAuthnLevelPrivacyEnabled
 data: 1
 type: dword
- notify: reboot_windows
+ notify: change_requires_reboot
 when:
 - win22cis_rule_18_4_2
 tags:
@@ -239,7 +239,7 @@
 data: 0
 type: dword
 state: present
- notify: reboot_windows
+ notify: change_requires_reboot
 when:
 - win22cis_rule_18_4_4
 tags:
@@ -1265,18 +1265,18 @@
 - patch
 - vbs
-- name: "18.8.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled"
+- name: "18.9.7.2 | PATCH | Ensure Prevent device metadata retrieval from the Internet is set to Enabled"
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata
 name: PreventDeviceMetadataFromNetwork
 data: 1
 type: dword
 when:
- - win22cis_rule_18_8_7_2
+ - win22cis_rule_18_9_7_2
 tags:
 - level1-domaincontroller
 - level1-memberserver
- - rule_18.8.7.2
+ - rule_18.9.7.2
 - patch
 - metadata
@@ -3578,7 +3578,7 @@
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
 name: AllowAutoConfig
- data: 1
+ data: 0
 type: dword
 when:
 - win22cis_rule_18_10_89_2_2
diff --git a/tasks/section19.yml b/tasks/section19.yml
index 1138a71..0c6a872 100644
--- a/tasks/section19.yml
+++ b/tasks/section19.yml
@@ -1,20 +1,13 @@
 ---
 - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled"
- block:
- - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop
- name: ScreenSaveActive
- data: 1
- type: string
-
- - name: "19.1.3.1 | PATCH | Ensure Enable screen saver is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
- name: ScreenSaveActive
- data: 1
- type: string
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop
+ name: ScreenSaveActive
+ data: 1
+ type: string
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_1_3_1
 tags:
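Review bot: Setting `AllowAutoConfig` to 0 is the value that "Allow remote server management through WinRM = Disabled" calls for, so this corrects a task that previously enabled the very setting the control disables; it also means the task now has a real effect on the WinRM service that can cut off the Ansible connection, which is what defaults/main.yml describes for `win22cis_rule_18_10_89_2_2` under `win_skip_for_test`. The task's `when:` list runs past the end of the hunk, so please confirm it carries `- not win_skip_for_test` like the other WinRM controls. Since hosts that ran the old task were left non-compliant, a ChangeLog line naming this correction would help users re-audit.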
@@ -25,20 +18,13 @@
 - screensaver
 - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled"
- block:
- - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop
- name: ScreenSaverIsSecure
- data: 1
- type: string
-
- - name: "19.1.3.2 | PATCH | Ensure Password protect the screen saver is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
- name: ScreenSaverIsSecure
- data: 1
- type: string
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop
+ name: ScreenSaverIsSecure
+ data: 1
+ type: string
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_1_3_2
 tags:
@@ -70,23 +56,12 @@
 - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
 ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop
- name: ScreenSaveTimeOut
- data: "{{ win22cis_screen_saver_timeout }}"
- type: string
- when:
- - win22cis_screen_saver_timeout > 0
- - win22cis_screen_saver_timeout <= 900
-
- - name: "19.1.3.3 | PATCH | Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Control Panel\Desktop
 name: ScreenSaveTimeOut
 data: "{{ win22cis_screen_saver_timeout }}"
 type: string
- when:
- - win22cis_screen_saver_timeout > 0
- - win22cis_screen_saver_timeout <= 900
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_1_3_3
 tags:
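Review bot: The rewrite of 19.1.3.3 drops the `win22cis_screen_saver_timeout > 0` and `<= 900` guards that both removed tasks carried, so a value of 0 or above 900 is now written to every loaded hive and the play reports success while the host is out of compliance with the control's own title ("900 seconds or fewer but not 0"). The remaining `when:` visible here holds only `- win22cis_rule_19_1_3_3`; re-add `- win22cis_screen_saver_timeout > 0` and `- win22cis_screen_saver_timeout <= 900` to that list, or validate the range once in prelim with an `ansible.builtin.assert` so the task fails loudly instead of writing a bad value.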
@@ -97,20 +72,13 @@
 - screensaver
 - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled"
- block:
- - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications
- name: NoToastApplicationNotificationOnLockScreen
- data: 1
- type: dword
-
- - name: "19.5.1.1 | PATCH | Ensure Turn off toast notifications on the lock screen is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications
- name: NoToastApplicationNotificationOnLockScreen
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications
+ name: NoToastApplicationNotificationOnLockScreen
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_5_1_1
 tags:
@@ -121,20 +89,13 @@
 - toast
 - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled"
- block:
- - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0
- name: NoImplicitFeedback
- data: 1
- type: dword
-
- - name: "19.6.6.1.1 | PATCH | Ensure Turn off Help Experience Improvement Program is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0
- name: NoImplicitFeedback
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Assistance\Client\1.0
+ name: NoImplicitFeedback
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_6_6_1_1
 tags:
@@ -145,20 +106,13 @@
 - help
 - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled"
- block:
- - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
- name: SaveZoneInformation
- data: 2
- type: dword
-
- - name: "19.7.4.1 | PATCH | Ensure Do not preserve zone information in file attachments is set to Disabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
- name: SaveZoneInformation
- data: 2
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
+ name: SaveZoneInformation
+ data: 2
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_4_1
 tags:
@@ -169,20 +123,13 @@
 - attachments
 - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled"
- block:
- - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments
- name: ScanWithAntiVirus
- data: 3
- type: dword
-
- - name: "19.7.4.2 | PATCH | Ensure Notify antivirus programs when opening attachments is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments
- name: ScanWithAntiVirus
- data: 3
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Attachments
+ name: ScanWithAntiVirus
+ data: 3
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_4_2
 tags:
@@ -193,20 +140,13 @@
 - antivirus
 - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled"
- block:
- - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent
- name: ConfigureWindowsSpotlight
- data: 2
- type: dword
-
- - name: "19.7.7.1 | PATCH | Ensure Configure Windows spotlight on lock screen is set to Disabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent
- name: ConfigureWindowsSpotlight
- data: 2
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent
+ name: ConfigureWindowsSpotlight
+ data: 2
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_7_1
 tags:
@@ -217,20 +157,13 @@
 - cloudcontent
 - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled"
- block:
- - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableThirdPartySuggestions
- data: 1
- type: dword
-
- - name: "19.7.7.2 | PATCH | Ensure Do not suggest third-party content in Windows spotlight is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableThirdPartySuggestions
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent
+ name: DisableThirdPartySuggestions
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_7_2
 tags:
@@ -241,20 +174,13 @@
 - cloudcontent
 - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled"
- block:
- - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableTailoredExperiencesWithDiagnosticData
- data: 1
- type: dword
-
- - name: "19.7.7.3 | PATCH | Ensure Do not use diagnostic data for tailored experiences is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableTailoredExperiencesWithDiagnosticData
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent
+ name: DisableTailoredExperiencesWithDiagnosticData
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_7_3
 tags:
@@ -265,20 +191,13 @@
 - cloudcontent
 - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled"
- block:
- - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableWindowsSpotlightFeatures
- data: 1
- type: dword
-
- - name: "19.7.7.4 | PATCH | Ensure Turn off all Windows spotlight features is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableWindowsSpotlightFeatures
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\CloudContent
+ name: DisableWindowsSpotlightFeatures
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_7_4
 tags:
@@ -289,20 +208,13 @@
 - cloudcontent
 - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled"
- block:
- - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableSpotlightCollectionOnDesktop
- data: 1
- type: dword
-
- - name: "19.7.7.5 | PATCH | Ensure Turn off Spotlight collection on Desktop is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent
- name: DisableSpotlightCollectionOnDesktop
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\SOFTWARE\Policies\Microsoft\Windows\CloudContent
+ name: DisableSpotlightCollectionOnDesktop
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_7_5
 tags:
@@ -313,20 +225,13 @@
 - cloudcontent
 - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled"
- block:
- - name: "19.7.25.1| PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoInplaceSharing
- data: 1
- type: dword
-
- - name: "19.7.25.1 | PATCH | Ensure Prevent users from sharing files within their profile. is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
- name: NoInplaceSharing
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoInplaceSharing
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_25_1
 tags:
@@ -338,20 +243,13 @@
 - sharing
 - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
- block:
- - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer
- name: AlwaysInstallElevated
- data: 0
- type: dword
-
- - name: "19.7.40.1 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windows\Installer
- name: AlwaysInstallElevated
- data: 0
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windows\Installer
+ name: AlwaysInstallElevated
+ data: 0
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_40_1
 tags:
@@ -362,20 +260,13 @@
 - permissions
 - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled"
- block:
- - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled"
- ansible.windows.win_regedit:
- path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer
- name: PreventCodecDownload
- data: 1
- type: dword
-
- - name: "19.7.42.2.1 | PATCH | Ensure Prevent Codec Download is set to Enabled"
- ansible.windows.win_regedit:
- path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer
- name: PreventCodecDownload
- data: 1
- type: dword
+ ansible.windows.win_regedit:
+ path: HKU:\{{ item }}\Software\Policies\Microsoft\Windowsmediaplayer
+ name: PreventCodecDownload
+ data: 1
+ type: dword
+ loop: "{{ hku_loaded_list }}"
+ notify: change_requires_reboot
 when:
 - win22cis_rule_19_7_42_2_1
 tags:
diff --git a/vars/main.yml b/vars/main.yml
index 51f62e8..40755de 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -17,3 +17,7 @@ win22cis_cloud_based_system: false
 win2022cis_is_standalone: false
 win2022cis_is_domain_controller: false
 win2022cis_is_domain_member: false
+
+# Default setting, this should not be changed
+# and is overridden if a task that changed sets the value if required.
+reboot_host: false
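Review bot: The comment on `reboot_host` is hard to parse ("overridden if a task that changed sets the value if required") and does not say who sets it or who reads it. Suggested wording: `# Internal flag, leave false. The change_requires_reboot handler sets it to true when a task that needs a reboot reports changed; tasks/post.yml then reboots or warns according to skip_reboot.` Placing it in vars/ rather than defaults/ also means an inventory value cannot override it while the handler's `set_fact` still can, which looks intended and is worth one more clause in the comment.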