Merge pull request #29 from ansible-lockdown/2024_FEB_UPDATE

2024 Feb Update: Bug and Typo Fixes
ansible-lockdown · Mar 13, 2024 · fe510a3 · fe510a3
2 parents 63f913a + f9d2e19
commit fe510a3
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 16 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -1,6 +1,15 @@
 # ChangeLog
 
-## Release 1.0.0
+## Release 2.0.1
+
+February 2024 Update
+- Issues Addressed:
+    - [#27](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/27) - Thank you @SwaffelSmurf
+    - [#28](https://github.com/ansible-lockdown/Windows-2022-CIS/issues/28) - Thank you @natilik-mikeguy
+    - [PR26](https://github.com/ansible-lockdown/Windows-2022-CIS/pull/26) - Thank you @ai13f
+    - Typo and bug fixes
+
+## Release 2.0.0
 
 September 2023
 - This Release is based on CIS Benchmark v2.0.0

diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 MindPoint Group / Lockdown Enterprise
+Copyright (c) 2024 MindPoint Group / Lockdown Enterprise
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -709,6 +709,18 @@ win22cis_public_firewall_log_size: 16384
 
 # Section 18 Variables
 
+# 18.3.5
+# win22cis_laps_password_length is the LAPS tool password length.
+# The recommended state for this setting is: Enabled: 15 or more.
+# Default: 15
+win22cis_laps_password_length: 15
+
+# 18.3.6
+# win22cis_laps_password_age_days is the LAPS tool password age in days.
+# The recommended state for this setting is: Enabled: 30 or fewer.
+# Default: 30
+win22cis_laps_password_age_days: 30
+
 # 18.4.6
 # win22cis_netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType
 # Options are a B-node value of 1, P-node value of 2, M-node value of 4, and H-node value of 8. P-node is the recommended setting from CIS

diff --git a/tasks/section05.yml b/tasks/section05.yml
@@ -26,7 +26,7 @@
         win22cis_rule_5_2
   tags:
       - level1-domaincontroller
-      - level2-domainmember
+      - level2-memberserver
       - rule_5.1
       - rule_5.2
       - patch

diff --git a/tasks/section18.yml b/tasks/section18.yml
@@ -159,7 +159,7 @@
       - name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warning Check For Variable Standards | Member Server"
         ansible.builtin.debug:
             msg:
-                - "Warning!! You have an invalid password length set for win22cis_laps_password_length please read"
+                - "Warning!! You have an invalid Password Age Days set for win22cis_laps_password_age_days please read"
                 - "the notes for the variable and make the necessary change to the variable to be in compliance."
         when: win22cis_laps_password_age_days > 30
 
@@ -602,7 +602,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
       name: EnableMulticast
-      data: 1
+      data: 0
       type: dword
   when:
       - win22cis_rule_18_6_4_3
@@ -931,13 +931,13 @@
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers
       name: RedirectionguardPolicy
-      data: 2
+      data: 1
       type: dword
   when:
       - win22cis_rule_18_7_2
   tags:
       - level1-domaincontroller
-      - level2-memberserver
+      - level1-memberserver
       - rule_18.7.2
       - patch
       - printers
@@ -952,7 +952,7 @@
       - win22cis_rule_18_7_3
   tags:
       - level1-domaincontroller
-      - level2-memberserver
+      - level1-memberserver
       - rule_18.7.3
       - patch
       - printers
@@ -967,7 +967,7 @@
       - win22cis_rule_18_7_4
   tags:
       - level1-domaincontroller
-      - level2-memberserver
+      - level1-memberserver
       - rule_18.7.4
       - patch
       - printers
@@ -982,7 +982,7 @@
       - win22cis_rule_18_7_5
   tags:
       - level1-domaincontroller
-      - level2-memberserver
+      - level1-memberserver
       - rule_18.7.5
       - patch
       - printers
@@ -1019,7 +1019,7 @@
       - win22cis_rule_18_7_6
   tags:
       - level1-domaincontroller
-      - level2-memberserver
+      - level1-memberserver
       - rule_18.7.6
       - patch
       - printers
@@ -1034,7 +1034,7 @@
       - win22cis_rule_18_7_7
   tags:
       - level1-domaincontroller
-      - level2-memberserver
+      - level1-memberserver
       - rule_18.7.7
       - patch
       - printers
@@ -1075,7 +1075,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
       name: NoWarningNoElevationOnInstall
-      data: 1
+      data: 0
       type: dword
   when:
       - win22cis_rule_18_7_10
@@ -1090,7 +1090,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
       name: UpdatePromptSettings
-      data: 1
+      data: 0
       type: dword
   when:
       - win22cis_rule_18_7_11
@@ -1978,7 +1978,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
       name: Enabled
-      data: 1
+      data: 0
       type: dword
   when:
       - win22cis_rule_18_9_50_1_2
@@ -2740,6 +2740,7 @@
   loop:
       - 26190899-1602-49e8-8b27-eb1d0a1ce869
       - 3b576869-a4ec-4529-8536-b80a7769e899
+      - 56a863a9-875e-4185-98a7-b882c64b5ce5
       - 5beb7efe-fd9a-4556-801d-275e5ffc04cc
       - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
       - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
@@ -2809,7 +2810,7 @@
   ansible.windows.win_regedit:
       path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
       name: DisableRealtimeMonitoring
-      data: 1
+      data: 0
       datatype: dword
   when:
       - win22cis_rule_18_10_43_10_2