Merge pull request #43 from mfortin/issue-38-redo

Issue 38
ansible-lockdown · Apr 23, 2024 · eb332ce · eb332ce
2 parents a5bf30f + dc8826f
commit eb332ce
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 26 deletions.
diff --git a/tasks/section01.yml b/tasks/section01.yml
@@ -155,11 +155,10 @@
       - password
 
 - name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
-  ansible.windows.win_regedit:
-      path: HKLM:\System\CurrentControlSet\Control\SAM
-      name: RelaxMinimumPasswordLengthLimits
-      data: 1
-      type: dword
+  community.windows.win_security_policy:
+      section: System Access
+      key: RelaxMinimumPasswordLengthLimits
+      value: 1
   when:
       - win22cis_rule_1_1_6
   tags:

diff --git a/tasks/section18.yml b/tasks/section18.yml
@@ -299,11 +299,11 @@
 
 - name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
   ansible.windows.win_regedit:
-      path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+      path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
       state: present
-      value: AutoAdminLogon
+      name: AutoAdminLogon
       data: 0
-      datatype: string
+      type: string
   when:
       - win22cis_rule_18_5_1
   tags:
@@ -598,15 +598,14 @@
       - patch
       - netbios
 
-- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"
+- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled"
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
       name: EnableMulticast
       data: 0
       type: dword
   when:
       - win22cis_rule_18_6_4_3
-      - win2022cis_is_domain_member
   tags:
       - level1-domaincontroller
       - level1-memberserver
@@ -3385,20 +3384,6 @@
       - patch
       - wik
 
-- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
-  ansible.windows.win_regedit:
-      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
-      name: EnableUserControl
-      data: 0
-      type: dword
-  when:
-      - win22cis_rule_18_10_81_1
-  tags:
-      - level1-domaincontroller
-      - level1-memberserver
-      - rule_18.10.81.1
-      - patch
-
 - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
   block:
       - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
@@ -3435,6 +3420,34 @@
       - automated
       - patch
 
+- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
+  ansible.windows.win_regedit:
+      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+      name: EnableUserControl
+      data: 0
+      type: dword
+  when:
+      - win22cis_rule_18_10_81_1
+  tags:
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_18.10.81.1
+      - patch
+
+- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+  ansible.windows.win_regedit:
+      path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+      name: AlwaysInstallElevated
+      data: 0
+      type: dword
+  when:
+      - win22cis_rule_18_10_81_2
+  tags:
+      - level1-domaincontroller
+      - level1-memberserver
+      - rule_18.10.81.2
+      - patch
+
 - name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows\Installer
@@ -3698,7 +3711,7 @@
       - patch
       - winupdate
 
-- name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds"
+- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled'"
   block:
       - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
         ansible.windows.win_regedit:
@@ -3711,7 +3724,7 @@
         ansible.windows.win_regedit:
             path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
             name: ManagePreviewBuildsPolicyValue
-            data: 0
+            data: 1
             type: dword
   when:
       - win22cis_rule_18_10_93_4_1