From 0470723f3d6f747640be699b860bcf26efacfad7 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Tue, 26 Mar 2024 14:20:08 -0400
Subject: [PATCH 1/5] Fixing controls stated in issue 38

Signed-off-by: Mathieu Fortin
---
 tasks/section18.yml | 59 +++++++++++++++++++++++++++------------------
 1 file changed, 36 insertions(+), 23 deletions(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index 9573b6d..1b3f9c5 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -301,9 +301,9 @@
 ansible.windows.win_regedit:
 path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 state: present
- value: AutoAdminLogon
+ name: AutoAdminLogon
 data: 0
- datatype: string
+ type: string
 when:
 - win22cis_rule_18_5_1
 tags:
@@ -598,19 +598,18 @@
 - patch
 - netbios
 
-- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled MS Only | Member Server"
+- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled"
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
 name: EnableMulticast
- data: 0
+ data: 1
 type: dword
 when:
 - win22cis_rule_18_6_4_3
- - win2022cis_is_domain_member
 tags:
- - level1-domaincontroller
- - level1-memberserver
+ - level1-corporate-enterprise-environment
 - rule_18.6.4.3
+ - automated
 - patch
 - dns
 
@@ -3385,20 +3384,6 @@
 - patch
 - wik
 
-- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
- ansible.windows.win_regedit:
- path: HKLM:\Software\Policies\Microsoft\Windows\Installer
- name: EnableUserControl
- data: 0
- type: dword
- when:
- - win22cis_rule_18_10_81_1
- tags:
- - level1-domaincontroller
- - level1-memberserver
- - rule_18.10.81.1
- - patch
-
 - name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
 block:
 - name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
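Review bot: In the 18.5.1 hunk (@@ -301) `data: 0` stays a plain YAML integer while the same task now declares `type: string`, so the value written as an MSS string depends on the module coercing the int; `data: "0"` makes the intended string explicit and survives any YAML reformatting. The renames `value`→`name` and `datatype`→`type` are the documented ansible.windows.win_regedit option names, so this hunk is otherwise correct. The task's `- name:` header is outside the hunk.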
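Review bot: In the 18.6.4.3 hunk (@@ -598) `data: 1` inverts the control: with 'Turn off multicast name resolution' Enabled, `EnableMulticast` under `HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient` is 0, so this revision leaves LLMNR active while the task name claims it is turned off. Patch 3/5 in this series sets it back to `data: 0` and patch 5/5 restores the tags, so the series nets out, but the two intermediate commits should be squashed so that no revision of the role carries the permissive value. Dropping the `win2022cis_is_domain_member` condition widens the task to domain controllers, which matches the new title; a line in the commit body stating that this is intentional would help the next reader.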
@@ -3435,6 +3420,34 @@
 - automated
 - patch
 
+- name: "18.10.81.1 | PATCH | Ensure Allow user control over installs is set to Disabled"
+ ansible.windows.win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: EnableUserControl
+ data: 0
+ type: dword
+ when:
+ - win22cis_rule_18_10_81_1
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.10.81.1
+ - patch
+
+- name: "18.10.81.2 | PATCH | Ensure 'Always install with elevated privileges' is set to 'Disabled'"
+ ansible.windows.win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: AlwaysInstallElevated
+ data: 0
+ type: dword
+ when:
+ - win22cis_rule_18_10_81_2
+ tags:
+ - level1-domaincontroller
+ - level1-memberserver
+ - rule_18.10.81.2
+ - patch
+
 - name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\Installer
@@ -3698,7 +3711,7 @@
 - patch
 - winupdate
 
-- name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds"
+- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled'"
 block:
 - name: "18.10.93.4.1 | PATCH | Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
 ansible.windows.win_regedit:
@@ -3711,7 +3724,7 @@
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
 name: ManagePreviewBuildsPolicyValue
- data: 0
+ data: 1
 type: dword
 when:
 - win22cis_rule_18_10_93_4_1

From 04e0b9fba65d2fa6f9a1be152c8078ba70faee16 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Tue, 26 Mar 2024 14:21:02 -0400
Subject: [PATCH 2/5] revert

Signed-off-by: Mathieu Fortin
---
 tasks/section01.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/tasks/section01.yml b/tasks/section01.yml
index 97be351..1d9aa7b 100644
--- a/tasks/section01.yml
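Review bot: The new 18.10.81.2 task (@@ -3435) sets `AlwaysInstallElevated` to 0 only in the machine hive, and nothing on the task records why that is enough: Windows applies the elevated-install behaviour only when the policy is enabled in both Computer Configuration (HKLM) and User Configuration (HKCU), so a 0 here disables it regardless of a stale 1 in a user hive. Suggested comment above the task: `# AlwaysInstallElevated takes effect only when set to 1 in both HKLM and HKCU; 0 here disables it machine-wide.` The 18.10.81.1 task is moved unchanged from @@ -3385 so the tasks sit in benchmark order, which is fine; the user-hive counterpart, if the role carries one in its section 19 tasks, is not touched by this patch.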
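Review bot: The outer block at @@ -3698 is renamed to "'Manage preview builds' is set to 'Disabled'" but the inner task name on the next context line still reads "Enabled Disable preview builds | ManagePreviewBuilds", and the `ManagePreviewBuildsPolicyValue` sub-task at @@ -3711 flips `data` from 0 to 1 with nothing explaining the new meaning. If the intent is the policy state Disabled, the value that carries that state appears to be `ManagePreviewBuilds` in the sibling sub-task, whose `data` is outside both hunks; confirm against the benchmark revision being targeted what `ManagePreviewBuildsPolicyValue` should hold, since 1 selects a different preview-build mode rather than acting as a disable. Rename the inner task names to match the outer block and name the benchmark version in the commit body so the value change is traceable.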
+++ b/tasks/section01.yml
@@ -155,11 +155,10 @@
 - password
 
 - name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
- ansible.windows.win_regedit:
- path: HKLM:\System\CurrentControlSet\Control\SAM
- name: RelaxMinimumPasswordLengthLimits
- data: 1
- type: dword
+ community.windows.win_security_policy:
+ section: System Access
+ key: RelaxMinimumPasswordLengthLimits
+ value: 1
 when:
 - win22cis_rule_1_1_6
 tags:

From de98e60368b10c90a1df229abe8e85e4c11f74e8 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Tue, 26 Mar 2024 16:47:03 -0400
Subject: [PATCH 3/5] test

Signed-off-by: Mathieu Fortin
---
 tasks/section18.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index 1b3f9c5..2837ad6 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -602,7 +602,7 @@
 ansible.windows.win_regedit:
 path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
 name: EnableMulticast
- data: 1
+ data: 0
 type: dword
 when:
 - win22cis_rule_18_6_4_3

From f67af575ad31fe48714bd5058a30ef44d2e30e26 Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Tue, 26 Mar 2024 16:57:54 -0400
Subject: [PATCH 4/5] test

Signed-off-by: Mathieu Fortin
---
 tasks/section18.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index 2837ad6..82cc641 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -299,7 +299,7 @@
 
 - name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
 ansible.windows.win_regedit:
- path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
+ path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
 state: present
 name: AutoAdminLogon
 data: 0

From dc8826feeef4d73534a76e3395fd0b12a10e4b6f Mon Sep 17 00:00:00 2001
From: Mathieu Fortin
Date: Tue, 23 Apr 2024 11:00:29 -0400
Subject: [PATCH 5/5] Revert tag update
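Review bot: The 1.1.6 hunk (@@ -155) moves the setting to `community.windows.win_security_policy` with `section: System Access`, which relies on secedit recognising `RelaxMinimumPasswordLengthLimits` in its [System Access] section on the target build; if a build does not, the module can write the ini key and report success while the value never lands in `HKLM:\System\CurrentControlSet\Control\SAM`, which the removed win_regedit task wrote directly. Verify on a representative Server 2022 build that the audit for 1.1.6 passes after this task, and state in the commit body why the registry approach was reverted, since the subject "revert" gives no rationale. The task's tags continue outside the hunk.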
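Review bot: The 18.5.1 hunk in patch 4/5 (@@ -299) rewrites the path as `HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon`, which is a casing-only change: registry key names are case-insensitive, so it is a behavioural no-op, but `Windows Nt` and `Currentversion` are non-canonical and differ from the `Windows NT` spelling used for the DNSClient path in the same file. Keep the canonical `path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, and if the change was probing an idempotency or check_mode mismatch, record that finding in the commit body rather than the subject "test".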
Signed-off-by: Mathieu Fortin
---
 tasks/section18.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tasks/section18.yml b/tasks/section18.yml
index 82cc641..2e53b69 100644
--- a/tasks/section18.yml
+++ b/tasks/section18.yml
@@ -607,9 +607,9 @@
 when:
 - win22cis_rule_18_6_4_3
 tags:
- - level1-corporate-enterprise-environment
+ - level1-domaincontroller
+ - level1-memberserver
 - rule_18.6.4.3
- - automated
 - patch
 - dns
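Review bot: Restoring `level1-domaincontroller`/`level1-memberserver` at @@ -607 also drops the `automated` tag, so 18.6.4.3 ends the series without it even though at least one sibling task in this file carries `- automated` (visible in the @@ -3435 context of patch 1) and this task is fully automated. Either keep `- automated` alongside the restored tags or add a comment above `tags:` explaining why this task is excluded from that selector. The task's `- name:` header is outside the hunk.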