Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2.3.10.9 - Configure Network access Remotely accessible registry paths and sub-paths always includes CertSvc and WINS #45

Open
Crombell95 opened this issue Jun 27, 2024 · 2 comments
Assignees
Labels
bug Something isn't working

Comments

@Crombell95
Copy link

Describe the Issue
2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.

The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

The recommended state for servers that hold the Active Directory Certificate ServicesRole with Certification AuthorityRole Service includes the above list and:
System\CurrentControlSet\Services\CertSvc

The recommended state for servers that have the WINS ServerFeature installed includes the above list and:
System\CurrentControlSet\Services\WINS

Expected Behavior
The CertSvc and WINS path are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed

Actual Behavior
The CertSvc and WINS path are always included

Control(s) Affected
2.3.10.9

Possible Solution

- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
  block:
      - name: 2.3.10.9 | Set value for Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.builtin.set_fact:
            remote_registry_paths: [
                'System\CurrentControlSet\Control\Print\Printers',
                'System\CurrentControlSet\Services\Eventlog',
                'Software\Microsoft\OLAP Server',
                'Software\Microsoft\Windows NT\CurrentVersion\Print',
                'Software\Microsoft\Windows NT\CurrentVersion\Windows',
                'System\CurrentControlSet\Control\ContentIndex',
                'System\CurrentControlSet\Control\Terminal Server',
                'System\CurrentControlSet\Control\Terminal Server\UserConfig',
                'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
                'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
                'System\CurrentControlSet\Services\SysmonLog'
            ]

      - name: 2.3.10.9 | Check if AD Certificate Services feature is installed
        community.windows.win_feature_info:
            name: AD-Certificate
        register: adcs_feature

      - name: 2.3.10.9 | Add CertSvc to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
        when: adcs_feature.features[0].installed

      - name: 2.3.10.9 | Check if WINS feature is installed
        community.windows.win_feature_info:
            name: WINS
        register: wins_feature

      - name: 2.3.10.9 | Add WINS to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
        when: wins_feature.features[0].installed

      - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.windows.win_regedit:
            path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
            name: "Machine"
            data: '{{ remote_registry_paths }}'
            type: multistring
  when:
      - win22cis_rule_2_3_10_9
  tags:
      - level1-domaincontroller
      - level1-memberserver
      - rule_2.3.10.9
      - patch
@Crombell95 Crombell95 added the bug Something isn't working label Jun 27, 2024
@MrSteve81 MrSteve81 self-assigned this Dec 3, 2024
@MrSteve81
Copy link
Contributor

This will be pushed to devel today. Sorry about the delays!

@MrSteve81
Copy link
Contributor

Pushed to Devel.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants