diff --git a/.ansible-lint b/.ansible-lint new file mode 100755 index 0000000..f2a7e7c --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,11 @@ +parseable: true +quiet: true +skip_list: + - '204' + - '305' + - '303' + - '403' + - '306' + - '602' +use_default_rules: true +verbosity: 0 diff --git a/.gitignore b/.gitignore index c46be6d..3f01909 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,7 @@ .env *.log *.retry +.cache .vagrant tests/*redhat-subscription tests/Dockerfile diff --git a/.yamllint b/.yamllint new file mode 100755 index 0000000..93378b9 --- /dev/null +++ b/.yamllint @@ -0,0 +1,20 @@ +--- +ignore: | + tests/ + molecule/ + .gitlab-ci.yml + *molecule.yml + +extends: default + +rules: + indentation: + spaces: 4 + truthy: disable + braces: + max-spaces-inside: 1 + level: error + brackets: + max-spaces-inside: 1 + level: error + line-length: disable diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst index 14a8ffe..5842aec 100644 --- a/CONTRIBUTING.rst +++ b/CONTRIBUTING.rst 
@@ -1,6 +1,21 @@ Contributing to MindPoint Group Projects ======================================== +Rules +----- +1) All commits must be GPG signed (details in Signing section) +2) All commits must have Signed-off-by (Signed-off-by: Joan Doe ) in the commit message (details in Signing section) +3) All work is done in your own branch or own fork +4) Pull requests + a) From within the repo: All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing + b) From a forked repo: All pull requests will go into a staging branch within the repo. There are automated checks for signed commits, signoff in commit message, and functional testing when going from staging to devel +5) Be open and nice to each other + +Workflow +-------- +- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge +- All community Pull Requests are into the devel branch (from forked repos they go to staging before devel). There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing. +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release Signing your contribution ------------------------- diff --git a/README.md b/README.md index 2641969..e8de020 100644 --- a/README.md +++ b/README.md 
@@ -1,11 +1,65 @@ Windows Server 2016 CIS ========= +![Release](https://img.shields.io/github/v/release/ansible-lockdown/Windows-2016-CIS?style=plastic) + +Configure a Windows Server 2016 system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) v1.2.0 compliant. There are some intrusive tasks that have a toggle in defaults main.yml to disable to automated fix + +Caution(s) +------- +This role **will make changes to the system** that could break things. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted. + +This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed. + +To use release version please point to main branch +Based on [CIS Windows Server 2016 Benchmark ](https://community.cisecurity.org/collab/public/index.php). + +Documentation +------------- +[Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown)
+[Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise)
+[Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration)
+[Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise)
+[Wiki](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki)
+[Repo GitHub Page](https://ansible-lockdown.github.io/Windows-2016-CIS/)
-Configure a Windows Server 2016 system to be CIS compliant. -This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.2.0 Rel 1607 released on May 27, 2020] (https://learn.cisecurity.org/l/799323/2020-07-10/zx1v). Requirements ------------ -Windows Server 2016 - Other versions are not supported. \ No newline at end of file +**General:** +- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible + - [Main Ansible documentation page](https://docs.ansible.com) + - [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html) + - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html) + - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html) +- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup. +- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file or the [Main Variables Wiki Page](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki/Main-Variables). + +**Technical Dependencies:** +- Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer) +- Python3 Ansible run environment + +Role Variables +-------------- + +This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc. These variables can be found [here](https://github.com/ansible-lockdown/Windows-2016-CIS/wiki/Main-Variables) in the Main Variables Wiki page. 
All variables are listed there along with descriptions. + +Branches +-------- + +- **devel** - This is the default branch and the working development branch. Community pull requests will pull into this branch +- **main** - This is the release branch +- **reports** - This is a protected branch for our scoring reports, no code should ever go here +- **gh-pages** - This is the github pages branch +- **all other branches** - Individual community member branches + +Community Contribution +---------------------- + +We encourage you (the community) to contribute to this role. Please read the rules below. + +- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge. +- All community Pull Requests are pulled into the devel branch +- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved +- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release \ No newline at end of file diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index 4c19e55..0000000 --- a/Vagrantfile +++ /dev/null 
@@ -1,25 +0,0 @@ -Vagrant.configure("2") do |config| - - config.vm.box = "mindpointgroup/windowsserver2016-winrm" - # config.vm.box = "mindpointgroup/windowsserver2016-DC" - config.vm.guest = :windows - config.winrm.retry_limit = 30 - config.winrm.retry_delay = 120 - config.vm.provider "virtualbox" do |vb| - vb.cpus = 2 - vb.memory = 8192 - end - - config.vm.communicator = "winrm" - config.vm.provision "ansible" do |ansible| - ansible.playbook = "site.yml" - # ansible.verbose = "vvvvv" - ansible.host_vars = { - "default" => { "ansible_winrm_scheme" => "http" } - } - ansible.raw_arguments = [ - "-e 'ansible_connection=winrm ansible_port=5985 ansible_winrm_server_cert_validation=ignore ansible_user=vagrant ansible_password=vagrant'" - ] - end - config.vm.boot_timeout = 500 -end diff --git a/defaults/main.yml b/defaults/main.yml index a68beca..ed17119 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,10 +1,10 @@ --- -section01_patch: yes -section02_patch: yes -section09_patch: yes -section17_patch: yes -section18_patch: yes -section19_patch: yes +section01_patch: true +section02_patch: true +section09_patch: true +section17_patch: true +section18_patch: true +section19_patch: true min_ansible_version: "2.6" @@ -35,10 +35,10 @@ workaround_for_ssg_benchmark: true # tweak role to run in a non-privileged container system_is_container: no -#set to false to skip tasks that either have not been developed or cannot be automated +# set to false to skip tasks that either have not been developed or cannot be automated is_implemented: false -#set to false to skip long running tasks +# set to false to skip long running tasks long_running: false win_skip_for_test: false @@ -89,8 +89,8 @@ rule_2_2_27: true rule_2_2_28: true rule_2_2_29: true rule_2_2_30: true -rule_2_2_31: true -rule_2_2_32: true +rule_2_2_31: true +rule_2_2_32: true rule_2_2_33: true rule_2_2_34: true rule_2_2_35: true 
@@ -439,6 +439,14 @@ rule_19_7_26_1: true rule_19_7_41_1: true rule_19_7_45_2_1: true +# Section 2 Variables +# Control 2.3.1.5 +# win16cis_admin_username is the name the administrator account will be renamed to +win16cis_admin_username: ChangeThis + +# Control 2.3.1.6 +# win16cis_guest_username is the name the guest account will be renamed to +win16cis_guest_username: GuestChangeThis # This SID is the same for standalone, member, domain controller for 'Administrators' group sedebugprivilege: "*S-1-5-32-544" @@ -506,4 +514,4 @@ public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log' # 9.3.8 # public_firewall_log_size is the size of the log file # To conform to CIS stadnards the value should be 16,384 or greater. Value is in KB -public_firewall_log_size: 16,384 \ No newline at end of file +public_firewall_log_size: 16,384 diff --git a/meta/main.yml b/meta/main.yml index 9fbec02..c8a1380 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -4,10 +4,11 @@ galaxy_info: description: "Ansible role to apply Windows Server 2016 CIS Benchmark" company: "MindPoint Group" license: MIT + role_name: windows_2016_cis min_ansible_version: 2.6 platforms: - - name: Windows Server + - name: Windows versions: - 2016 diff --git a/site.yml b/site.yml index 644ad68..734dedc 100644 --- a/site.yml +++ b/site.yml @@ -5,4 +5,3 @@ roles: - role: "{{ playbook_dir }}" - system_is_container: "{{ is_container | default(false) }}" diff --git a/tasks/section01.yml b/tasks/section01.yml index 0aa261f..1f20bae 100644 --- a/tasks/section01.yml +++ b/tasks/section01.yml @@ -16,10 +16,10 @@ value: "{{ passwordhistorysize }}" when: rule_1_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.1 + - patch - name: "SCORED | 1.1.2 | PATCH | (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0'" block: 
@@ -38,10 +38,10 @@ value: "{{ maximumpasswordage }}" when: rule_1_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.2 + - patch - name: "SCORED | 1.1.3 | AUDIT | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)'" block: @@ -60,10 +60,10 @@ value: "{{ minimumpasswordage }}" when: rule_1_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.3 + - patch - name: "SCORED | 1.1.4 | AUDIT | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)'" block: @@ -82,10 +82,10 @@ value: "{{ minimumpasswordlength }}" when: rule_1_1_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.4 + - patch - name: "SCORED | 1.1.5 | PATCH | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled'" win_security_policy: 
@@ -94,24 +94,24 @@ value: 1 when: rule_1_1_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.5 + - patch - name: "SCORED | 1.1.6 | PATCH | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'" win_security_policy: - section: System Access - key: ClearTextPassword - value: "0" + section: System Access + key: ClearTextPassword + value: "0" when: rule_1_1_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.1.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.1.6 + - patch -#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable +# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable - name: "SCORED | 1.2.2 | PATCH | (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'" win_security_policy: section: System Access @@ -119,10 +119,10 @@ value: "{{ lockoutbadcount }}" when: rule_1_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.2 + - patch - name: "SCORED | 1.2.1 | AUDIT | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" block: 
@@ -136,17 +136,18 @@ - name: "SCORED | 1.2.1 | PATCH | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)'" win_security_policy: - section: System Access - key: LockoutDuration - value: "{{ lockoutduration }}" + section: System Access + key: LockoutDuration + value: "{{ lockoutduration }}" when: - - rule_1_2_1 - - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp + - rule_1_2_1 + # Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp + - is_implemented tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.1 + - patch - name: "SCORED | 1.2.3 | AUDIT | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'" block: @@ -165,7 +166,7 @@ value: "{{ resetlockoutcount }}" when: rule_1_2_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_1.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_1.2.3 + - patch diff --git a/tasks/section02.yml b/tasks/section02.yml index e949a67..2b2eb8b 100644 --- a/tasks/section02.yml +++ b/tasks/section02.yml 
@@ -1,58 +1,58 @@ --- - name: "SCORED | 2.2.1 | PATCH | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'" win_user_right: - name: SeTrustedCredManAccessPrivilege - users: - action: set + name: SeTrustedCredManAccessPrivilege + users: [] + action: set when: rule_2_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.1 + - patch - name: "SCORED | 2.2.2 | PATCH | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS' (DC only)" win_user_right: - name: SeNetworkLogonRight - users: - - Administrators - - Authenticated Users - - ENTERPRISE DOMAIN CONTROLLERS - action: set + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + - ENTERPRISE DOMAIN CONTROLLERS + action: set when: - - rule_2_2_2 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller1 - - rule_2.2.2 - - patch + - level1-domaincontroller1 + - rule_2.2.2 + - patch - name: "SCORED | 2.2.3 | PATCH | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Authenticated Users' (MS only)" win_user_right: - name: SeNetworkLogonRight - users: - - Administrators - - Authenticated Users - action: set + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set when: - - rule_2_2_3 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_3 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_2.2.3 - - patch + - level1-memberserver + - rule_2.2.3 + - patch - name: "SCORED | 2.2.4 | PATCH | (L1) Ensure 'Act as part of the operating system' is set to 'No One'" win_user_right: - name: SeTcbPrivilege - users: - action: set + name: SeTcbPrivilege + 
users: [] + action: set when: rule_2_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.4 + - patch - name: "SCORED | 2.2.5 | PATCH | (L1) Ensure 'Add workstations to domain' is set to 'Administrators' (DC only)" win_user_right: 
@@ -60,1516 +60,1514 @@ users: Administrators action: set when: - - rule_2_2_5 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_5 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.5 - - patch + - level1-domaincontroller + - rule_2.2.5 + - patch - name: "SCORED | 2.2.6 | PATCH | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'" win_user_right: - name: SeIncreaseQuotaPrivilege - users: - - Administrators - - Local Service - - Network Service - action: set + name: SeIncreaseQuotaPrivilege + users: + - Administrators + - Local Service + - Network Service + action: set when: rule_2_2_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.6 + - patch - name: "SCORED | 2.2.7 | PATCH | (L1) Ensure 'Allow log on locally' is set to 'Administrators'" win_user_right: - name: SeInteractiveLogonRight - users: - - Administrators - action: set + name: SeInteractiveLogonRight + users: + - Administrators + action: set when: rule_2_2_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.7 + - patch - name: "SCORED | 2.2.8 | PATCH | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators' (DC only)" win_user_right: - name: SeRemoteInteractiveLogonRight - users: - - Administrators - action: set + name: SeRemoteInteractiveLogonRight + users: + - Administrators + action: set when: - - rule_2_2_8 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_8 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.8 - - patch + - level1-domaincontroller + - rule_2.2.8 + - patch - name: "SCORED | 2.2.9 | PATCH | (L1) Ensure 'Allow log on through Remote Desktop 
Services' is set to 'Administrators, Remote Desktop Users' (MS only)" win_user_right: - name: SeRemoteInteractiveLogonRight - users: - - Administrators - - Remote Desktop Users - action: set + name: SeRemoteInteractiveLogonRight + users: + - Administrators + - Remote Desktop Users + action: set when: - - rule_2_2_9 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_9 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_2.2.9 - - patch + - level1-memberserver + - rule_2.2.9 + - patch - name: "SCORED | 2.2.10 | PATCH | (L1) Ensure 'Back up files and directories' is set to 'Administrators'" win_user_right: - name: SeBackupPrivilege - users: - - Administrators - action: set + name: SeBackupPrivilege + users: + - Administrators + action: set when: rule_2_2_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.10 + - patch - name: "SCORED | 2.2.11 | PATCH | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'" win_user_right: - name: SeSystemTimePrivilege - users: - - Administrators - - Local Service - action: set + name: SeSystemTimePrivilege + users: + - Administrators + - Local Service + action: set when: rule_2_2_11 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.11 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.11 + - patch - name: "SCORED | 2.2.12 | PATCH | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'" win_user_right: - name: SeTimeZonePrivilege - users: - - Administrators - - Local Service - action: set + name: SeTimeZonePrivilege + users: + - Administrators + - Local Service + action: set when: rule_2_2_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.12 + - patch - name: 
"SCORED | 2.2.13 | PATCH | (L1) Ensure 'Create a pagefile' is set to 'Administrators'" win_user_right: - name: SeCreatePagefilePrivilege - users: - - Administrators - action: set + name: SeCreatePagefilePrivilege + users: + - Administrators + action: set when: rule_2_2_13 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.13 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.13 + - patch - name: "SCORED | 2.2.14 | PATCH | (L1) Ensure 'Create a token object' is set to 'No One'" win_user_right: - name: SeCreateTokenPrivilege - users: - action: set + name: SeCreateTokenPrivilege + users: [] + action: set when: rule_2_2_14 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.14 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.14 + - patch - name: "SCORED | 2.2.15 | PATCH | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'" win_user_right: - name: SeCreateGlobalPrivilege - users: - - Administrators - - Local Service - - Network Service - - Service - action: set + name: SeCreateGlobalPrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set when: rule_2_2_15 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.15 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.15 + - patch - name: "SCORED | 2.2.16 | PATCH | (L1) Ensure 'Create permanent shared objects' is set to 'No One'" win_user_right: - name: SeCreatePermanentPrivilege - users: - action: set + name: SeCreatePermanentPrivilege + users: [] + action: set when: rule_2_2_16 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.16 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.16 + - patch - name: "SCORED | 2.2.17 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators' (DC only)" win_user_right: - name: SeCreateSymbolicLinkPrivilege - 
users: - - Administrators - action: set + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set when: - - rule_2_2_17 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_17 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.17 - - patch + - level1-domaincontroller + - rule_2.2.17 + - patch - name: "SCORED | 2.2.18 | PATCH | (L1) Ensure 'Create symbolic links' is set to 'Administrators, NT VIRTUAL MACHINE/Virtual Machines' (MS only)" win_user_right: - name: SeCreateSymbolicLinkPrivilege - users: - - Administrators - - NT VIRTUAL MACHINE\Virtual Machines - action: set + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + - NT VIRTUAL MACHINE\Virtual Machines + action: set when: - - rule_2_2_18 - - ansible_windows_domain_role == "Member server" + - rule_2_2_18 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.2.18 - - patch + - level1-memberserver + - rule_2.2.18 + - patch - name: "SCORED | 2.2.19 | PATCH | (L1) Ensure 'Debug programs' is set to 'Administrators'" win_user_right: - name: SeDebugPrivilege - users: - - Administrators - action: set + name: SeDebugPrivilege + users: + - Administrators + action: set when: rule_2_2_19 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.19 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.19 + - patch - #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes +# Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes - name: "SCORED | 2.2.20 | PATCH | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests' (DC only)" win_user_right: - name: SeDenyNetworkLogonRight - users: - - Guests - action: set - when: - - rule_2_2_20 - - ansible_windows_domain_role == 
"Primary domain controller" - tags: - - level1-domaincontroller - - rule_2.2.20 - - patch + name: SeDenyNetworkLogonRight + users: + - Guests + action: set + when: + - rule_2_2_20 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - rule_2.2.20 + - patch - name: "SCORED | 2.2.21 | PATCH | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group' (MS only)" win_user_right: - name: SeDenyNetworkLogonRight - users: - - Guests - #- Local Account - #- Administrators - action: set - when: - - rule_2_2_21 - - ansible_windows_domain_member - tags: - - level1-memberserver - - rule_2.2.21 - - patch + name: SeDenyNetworkLogonRight + users: + - Guests + # - Local Account + # - Administrators + action: set + when: + - rule_2_2_21 + - ansible_windows_domain_member + tags: + - level1-memberserver + - rule_2.2.21 + - patch - name: "SCORED | 2.2.22 | PATCH | (L1) Ensure 'Deny log on as a batch job' to include 'Guests'" win_user_right: - name: SeDenyBatchLogonRight - users: - - Guests - action: set + name: SeDenyBatchLogonRight + users: + - Guests + action: set when: rule_2_2_22 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.22 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.22 + - patch - name: "SCORED | 2.2.23 | PATCH | (L1) Ensure 'Deny log on as a service' to include 'Guests'" win_user_right: - name: SeDenyServiceLogonRight - users: - - Guests - action: set + name: SeDenyServiceLogonRight + users: + - Guests + action: set when: rule_2_2_23 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.23 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.23 + - patch - name: "SCORED | 2.2.24 | PATCH | (L1) Ensure 'Deny log on locally' to include 'Guests'" win_user_right: name: SeDenyInteractiveLogonRight users: - - Guests + - Guests action: set when: rule_2_2_24 tags: - - 
level1-domaincontroller - - level1-memberserver - - rule_2.2.24 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.24 + - patch - name: "SCORED | 2.2.25 | PATCH | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests' (DC only)" win_user_right: - name: SeDenyRemoteInteractiveLogonRight - users: - - Guests - #- Local Account - action: set + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + # - Local Account + action: set when: - - rule_2_2_25 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_25 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.25 - - patch + - level1-domaincontroller + - rule_2.2.25 + - patch - name: "SCORED | 2.2.26 | PATCH | (L1) Ensure 'Deny log on through Remote Desktop Services' is set to 'Guests, Local account' (MS only)" win_user_right: - name: SeDenyRemoteInteractiveLogonRight - users: - - Guests - #- Local Account - action: set + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + # - Local Account + action: set when: - - rule_2_2_26 - - ansible_windows_domain_member + - rule_2_2_26 + - ansible_windows_domain_member tags: - - level1-memberserver - - rule_2.2.26 - - patch + - level1-memberserver + - rule_2.2.26 + - patch - name: "SCORED | 2.2.27 | PATCH | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'Administrators' (DC only)" win_user_right: - name: SeEnableDelegationPrivilege - users: Administrators - action: set + name: SeEnableDelegationPrivilege + users: Administrators + action: set when: - - rule_2_2_27 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_27 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.27 - - patch + - level1-domaincontroller + - rule_2.2.27 + - patch - name: "SCORED | 2.2.28 | PATCH | (L1) Ensure 'Enable computer and user accounts to be 
trusted for delegation' is set to 'No One' (MS only)" win_user_right: - name: SeEnableDelegationPrivilege - users: - action: set + name: SeEnableDelegationPrivilege + users: [] + action: set when: - - rule_2_2_28 - - ansible_windows_domain_member + - rule_2_2_28 + - ansible_windows_domain_member tags: - - level1-memberserver - - rule_2.2.28 - - patch + - level1-memberserver + - rule_2.2.28 + - patch - name: "SCORED | 2.2.29 | PATCH | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators'" win_user_right: name: SeRemoteShutdownPrivilege users: - - Administrators + - Administrators action: set when: rule_2_2_29 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.29 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.29 + - patch - name: "SCORED | 2.2.30 | PATCH | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'" win_user_right: - name: SeAuditPrivilege - users: - - Local Service - - Network Service - action: set + name: SeAuditPrivilege + users: + - Local Service + - Network Service + action: set when: rule_2_2_30 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.30 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.30 + - patch - name: "SCORED | 2.2.31 | PATCH | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (DC only)" win_user_right: - name: SeImpersonatePrivilege - users: - - Administrators - - Local Service - - Network Service - - Service - action: set + name: SeImpersonatePrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set when: - - rule_2_2_31 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_31 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.31 - - patch + - level1-domaincontroller + - rule_2.2.31 + - patch - 
name: "SCORED | 2.2.32 | PATCH | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the Web Server (IIS) Role with Web Services Role Service is installed) 'IIS_IUSRS' (MS only)" win_user_right: - name: SeImpersonatePrivilege - users: - - Administrators - - IIS_IUSRS - - Local Service - - Network Service - - Service - action: set + name: SeImpersonatePrivilege + users: + - Administrators + - IIS_IUSRS + - Local Service + - Network Service + - Service + action: set when: - - rule_2_2_32 - - ansible_windows_domain_member + - rule_2_2_32 + - ansible_windows_domain_member tags: - - level1-memberserver - - rule_2.2.32 - - patch + - level1-memberserver + - rule_2.2.32 + - patch - name: "SCORED | 2.2.33 | PATCH | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators'" win_user_right: - name: SeIncreaseBasePriorityPrivilege - users: - - Administrators - action: set + name: SeIncreaseBasePriorityPrivilege + users: + - Administrators + action: set when: rule_2_2_33 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.33 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.33 + - patch - name: "SCORED | 2.2.34 | PATCH | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators'" win_user_right: - name: SeLoadDriverPrivilege - users: - - Administrators - action: set + name: SeLoadDriverPrivilege + users: + - Administrators + action: set when: rule_2_2_34 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.34 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.34 + - patch - name: "SCORED | 2.2.35 | PATCH | (L1) Ensure 'Lock pages in memory' is set to 'No One'" win_user_right: - name: SeLockMemoryPrivilege - users: - action: set + name: SeLockMemoryPrivilege + users: [] + action: set when: rule_2_2_35 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.35 - - patch + - 
level1-domaincontroller + - level1-memberserver + - rule_2.2.35 + - patch - name: "SCORED | 2.2.36 | PATCH | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (DC Only)" win_user_right: - name: SeBatchLogonRight - users: Administrators - action: set + name: SeBatchLogonRight + users: Administrators + action: set when: - - rule_2_2_36 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_36 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level2-domaincontroller - - rule_2.2.36 - - patch + - level2-domaincontroller + - rule_2.2.36 + - patch - name: "SCORED | 2.2.37 (DC) & 2.2.38 (MS) | PATCH | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers'" win_user_right: - name: SeSecurityPrivilege - users: - - Administrators - action: set + name: SeSecurityPrivilege + users: + - Administrators + action: set when: - - rule_2_2_37 or rule_2_2_38 + - rule_2_2_37 or + rule_2_2_38 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.37 - - rule_2.2.38 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.37 + - rule_2.2.38 + - patch - name: "SCORED | 2.2.39 | PATCH | (L1) Ensure 'Modify an object label' is set to 'No One'" win_user_right: - name: SeReLabelPrivilege - users: - action: set + name: SeReLabelPrivilege + users: [] + action: set when: rule_2_2_39 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.39 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.39 + - patch - name: "SCORED | 2.2.40 | PATCH | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators'" win_user_right: - name: SeSystemEnvironmentPrivilege - users: - - Administrators - action: set + name: SeSystemEnvironmentPrivilege + users: + - Administrators + action: set when: rule_2_2_40 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.40 - - 
patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.40 + - patch - name: "SCORED | 2.2.41 | PATCH | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'" win_user_right: - name: SeManageVolumePrivilege - users: - - Administrators - action: set + name: SeManageVolumePrivilege + users: + - Administrators + action: set when: rule_2_2_41 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.41 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.41 + - patch - name: "SCORED | 2.2.42 | PATCH | (L1) Ensure 'Profile single process' is set to 'Administrators'" win_user_right: - name: SeProfileSingleProcessPrivilege - users: - - Administrators - action: set + name: SeProfileSingleProcessPrivilege + users: + - Administrators + action: set when: rule_2_2_42 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.42 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.42 + - patch - name: "SCORED | 2.2.43 | PATCH | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE/WdiServiceHost'" win_user_right: - name: SeSystemProfilePrivilege - users: - - Administrators - - NT SERVICE\WdiServiceHost - action: set + name: SeSystemProfilePrivilege + users: + - Administrators + - NT SERVICE\WdiServiceHost + action: set when: rule_2_2_43 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.43 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.43 + - patch - name: "SCORED | 2.2.44 | PATCH | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'" win_user_right: - name: SeAssignPrimaryTokenPrivilege - users: - - LOCAL SERVICE - - NETWORK SERVICE - action: set + name: SeAssignPrimaryTokenPrivilege + users: + - LOCAL SERVICE + - NETWORK SERVICE + action: set when: rule_2_2_44 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.44 - - patch + - 
level1-domaincontroller + - level1-memberserver + - rule_2.2.44 + - patch - name: "SCORED | 2.2.45 | PATCH | (L1) Ensure 'Restore files and directories' is set to 'Administrators'" win_user_right: - name: SeRestorePrivilege - users: - - Administrators - action: set + name: SeRestorePrivilege + users: + - Administrators + action: set when: rule_2_2_45 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.45 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.45 + - patch - name: "SCORED | 2.2.46 | PATCH | (L1) Ensure 'Shut down the system' is set to 'Administrators'" win_user_right: - name: SeShutdownPrivilege - users: - - Administrators - action: set + name: SeShutdownPrivilege + users: + - Administrators + action: set when: rule_2_2_46 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.46 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.46 + - patch - name: "SCORED | 2.2.47 | PATCH | (L1) Ensure 'Synchronize directory service data' is set to 'No One' (DC only)" win_user_right: - name: SeSyncAgentPrivilege - users: - action: set + name: SeSyncAgentPrivilege + users: [] + action: set when: - - rule_2_2_47 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_2_47 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.2.47 - - patch + - level1-domaincontroller + - rule_2.2.47 + - patch - name: "SCORED | 2.2.48 | PATCH | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators'" win_user_right: - name: SeTakeOwnershipPrivilege - users: - - Administrators - action: set + name: SeTakeOwnershipPrivilege + users: + - Administrators + action: set when: rule_2_2_48 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.2.48 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.2.48 + - patch - name: "SCORED | 2.3.1.1 | PATCH | (L1) Ensure 'Accounts: 
Administrator account status' is set to 'Disabled' (MS only)" win_security_policy: - section: System Access - key: EnableAdminAccount - value: 0 + section: System Access + key: EnableAdminAccount + value: 0 when: - - rule_2_3_1_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_1_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_2.3.1.1 - - patch + - level1-memberserver + - rule_2.3.1.1 + - patch - name: "SCORED | 2.3.1.2 | PATCH | (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: NoConnectedUser - data: 3 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: NoConnectedUser + data: 3 + type: dword when: rule_2_3_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.2 + - patch - name: "SCORED | 2.3.1.3 | PATCH | (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (MS only)" win_security_policy: - section: System Access - key: EnableGuestAccount - value: 0 + section: System Access + key: EnableGuestAccount + value: 0 when: - rule_2_3_1_3 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_2.3.1.3 - - patch + - level1-memberserver + - rule_2.3.1.3 + - patch - name: "SCORED | 2.3.1.4 | PATCH | (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: LimitBlankPasswordUse - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LimitBlankPasswordUse + data: 1 + type: dword when: rule_2_3_1_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.4 - - patch + 
- level1-domaincontroller + - level1-memberserver + - rule_2.3.1.4 + - patch - name: "SCORED | 2.3.1.5 | PATCH | (L1) Configure 'Accounts: Rename administrator account'" win_security_policy: - section: System Access - key: newadministratorname - value: GeorgeSharp - when: - - rule_2_3_1_5 - - not win_skip_for_test - tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.5 - - patch + section: System Access + key: newadministratorname + value: "{{ win16cis_admin_username }}" + when: + - rule_2_3_1_5 + - not win_skip_for_test + tags: + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.5 + - patch - name: "SCORED | 2.3.1.6 | PATCH | (L1) Configure 'Accounts: Rename guest account'" win_security_policy: - section: System Access - key: NewGuestName - value: BobCooper + section: System Access + key: NewGuestName + value: "{{ win16cis_guest_username }}" when: - - rule_2_3_1_6 + - rule_2_3_1_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.1.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.1.6 + - patch - name: "SCORED | 2.3.2.1 | PATCH | (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: SCENoApplyLegacyAuditPolicy - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: SCENoApplyLegacyAuditPolicy + data: 1 + type: dword when: rule_2_3_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.2.1 + - patch - name: "SCORED | 2.3.2.2 | PATCH | (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: CrashOnAuditFail - data: 0 - type: dword + path: 
HKLM:\System\Currentcontrolset\Control\Lsa + name: CrashOnAuditFail + data: 0 + type: dword when: rule_2_3_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.2.2 + - patch - name: "SCORED | 2.3.4.1 | PATCH | (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators'" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: AllocateDASD - data: 0 - type: string + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: AllocateDASD + data: 0 + type: string when: rule_2_3_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.4.1 + - patch - name: "SCORED | 2.3.4.2 | PATCH | (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers - name: AddPrinterDrivers - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers + name: AddPrinterDrivers + data: 1 + type: dword when: rule_2_3_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.4.2 + - patch - name: "SCORED | 2.3.5.1 | PATCH | (L1) Ensure 'Domain controller: Allow server operators to schedule tasks' is set to 'Disabled' (DC only)" win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa - name: SubmitControl - data: 0 - type: dword + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: SubmitControl + data: 0 + type: dword when: - - rule_2_3_5_1 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_5_1 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - 
rule_2.3.5.1 - - patch + - level1-domaincontroller + - rule_2.3.5.1 + - patch - name: "SCORED | 2.3.5.2 | PATCH | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)" win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters - name: LDAPServerIntegrity - data: 2 - type: dword + path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + name: LDAPServerIntegrity + data: 2 + type: dword when: - - rule_2_3_5_2 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_5_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.3.5.2 - - patch + - level1-domaincontroller + - rule_2.3.5.2 + - patch - name: "SCORED | 2.3.5.3 | PATCH | (L1) Ensure 'Domain controller: Refuse machine account password changes' is set to 'Disabled'" win_regedit: - path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters - name: RefusePasswordChange - data: 0 - type: dword + path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + name: RefusePasswordChange + data: 0 + type: dword when: - - rule_2_3_5_3 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_5_3 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.3.5.3 - - patch + - level1-domaincontroller + - rule_2.3.5.3 + - patch - name: "SCORED | 2.3.6.1 | PATCH | (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: RequireSignOrSeal - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireSignOrSeal + data: 1 + type: dword when: - - rule_2_3_6_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - 
level1-domaincontroller - - level1-memberserver - - rule_2.3.6.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.1 + - patch - name: "SCORED | 2.3.6.2 | PATCH | (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: sealsecurechannel - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: sealsecurechannel + data: 1 + type: dword when: - - rule_2_3_6_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_6_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.2 + - patch - name: "SCORED | 2.3.6.3 | PATCH | (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: signsecurechannel - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: signsecurechannel + data: 1 + type: dword when: - - rule_2_3_6_3 + - rule_2_3_6_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.3 + - patch - name: "SCORED | 2.3.6.4 | PATCH | (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: disablepasswordchange - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: disablepasswordchange + data: 0 + type: dword when: - - rule_2_3_6_4 + - rule_2_3_6_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.4 - - patch + - 
level1-domaincontroller + - level1-memberserver + - rule_2.3.6.4 + - patch - name: "SCORED | 2.3.6.5 | PATCH | (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: MaximumPasswordAge - data: 30 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: MaximumPasswordAge + data: 30 + type: dword when: - - rule_2_3_6_5 + - rule_2_3_6_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.5 + - patch - name: "SCORED | 2.3.6.6 | PATCH | (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters - name: RequireStrongKey - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireStrongKey + data: 1 + type: dword when: - - rule_2_3_6_6 + - rule_2_3_6_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.6.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.6.6 + - patch - name: "SCORED | 2.3.7.1 | PATCH | (L1) Ensure 'Interactive logon: Do not display last user name' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DontDisplayLastUserName - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DontDisplayLastUserName + data: 1 + type: dword when: rule_2_3_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.1 + - patch - name: "SCORED | 2.3.7.2 | PATCH | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'" win_regedit: - path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DisableCAD - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableCAD + data: 0 + type: dword when: rule_2_3_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.2 + - patch - name: "SCORED | 2.3.7.3 | PATCH | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: InactivityTimeoutSecs - data: 900 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: InactivityTimeoutSecs + data: 900 + type: dword when: rule_2_3_7_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.3 + - patch - name: "SCORED | 2.3.7.4 | PATCH | (L1) Configure 'Interactive logon: Message text for users attempting to log on'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: LegalNoticeText - data: "{{ legalnoticetext }}" - type: string + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeText + data: "{{ legalnoticetext }}" + type: string when: rule_2_3_7_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.4 + - patch - name: "SCORED | 2.3.7.5 | PATCH | (L1) Configure 'Interactive logon: Message title for users attempting to log on'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: LegalNoticeCaption - data: "{{ legalnoticecaption }}" - type: string + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeCaption + data: "{{ 
legalnoticecaption }}" + type: string when: rule_2_3_7_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.5 + - patch - name: "SCORED | 2.3.7.6 | PATCH | (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: cachedlogonscount - data: 1 - type: string + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: cachedlogonscount + data: 1 + type: string when: - rule_2_3_7_6 - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2-memberserver - - rule_2.3.7.6 - - patch + - level2-memberserver + - rule_2.3.7.6 + - patch - name: "SCORED | 2.3.7.7 | PATCH | (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: PasswordExpiryWarning - data: 14 - type: dword + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: PasswordExpiryWarning + data: 14 + type: dword when: rule_2_3_7_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.7 + - patch - name: "SCORED | 2.3.7.8 | PATCH | (L1) Ensure 'Interactive logon: Require Domain Controller Authentication to unlock workstation' is set to 'Enabled' (MS only)" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ForceUnlockLogon - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ForceUnlockLogon + data: 1 + type: dword when: - - rule_2_3_7_8 - - ansible_windows_domain_role == "Member server" + - rule_2_3_7_8 + - ansible_windows_domain_role == "Member 
server" tags: - - level1-memberserver - - rule_2.3.7.8 - - patch + - level1-memberserver + - rule_2.3.7.8 + - patch - name: "SCORED | 2.3.7.9 | PATCH | (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: scremoveoption - data: 1 - type: string + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: scremoveoption + data: 1 + type: string when: rule_2_3_7_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.7.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.7.9 + - patch - name: "SCORED | 2.3.8.1 | PATCH | (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: RequireSecuritySignature - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: RequireSecuritySignature + data: 1 + type: dword when: rule_2_3_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.1 + - patch - name: "SCORED | 2.3.8.2 | PATCH | (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: EnableSecuritySignature - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnableSecuritySignature + data: 1 + type: dword when: rule_2_3_8_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.8.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.2 + - patch - name: "SCORED | 2.3.8.3 | PATCH | (L1) Ensure 'Microsoft network client: Send unencrypted password to 
third-party SMB servers' is set to 'Disabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters - name: EnablePlainTextPassword - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnablePlainTextPassword + data: 0 + type: dword when: rule_2_3_8_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.8.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.8.3 + - patch - name: "SCORED | 2.3.9.1 | PATCH | (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: autodisconnect - data: 15 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: autodisconnect + data: 15 + type: dword when: rule_2_3_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.1 + - patch - name: "SCORED | 2.3.9.2 | PATCH | (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: requiresecuritysignature - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: requiresecuritysignature + data: 1 + type: dword when: rule_2_3_9_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.2 + - patch - name: "SCORED | 2.3.9.3 | PATCH | (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enablesecuritysignature - data: 1 - type: dword + path: 
HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enablesecuritysignature + data: 1 + type: dword when: rule_2_3_9_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.3 + - patch - name: "SCORED | 2.3.9.4 | PATCH | (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: enableforcedlogoff - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enableforcedlogoff + data: 1 + type: dword when: rule_2_3_9_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.9.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.9.4 + - patch - name: "SCORED | 2.3.9.5 | PATCH | (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: SMBServerNameHardeningLevel - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: SMBServerNameHardeningLevel + data: 1 + type: dword when: - - rule_2_3_9_5 - - ansible_windows_domain_role == "Member server" + - rule_2_3_9_5 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.9.5 - - patch + - level1-memberserver + - rule_2.3.9.5 + - patch - name: "SCORED | 2.3.10.1 | PATCH | (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'" win_security_policy: - section: System Access - key: LSAAnonymousNameLookup - value: 0 + section: System Access + key: LSAAnonymousNameLookup + value: 0 when: rule_2_3_10_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.1 - - patch + - 
level1-domaincontroller + - level1-memberserver + - rule_2.3.10.1 + - patch - name: "SCORED | 2.3.10.2 | PATCH | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: RestrictAnonymousSAM - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymousSAM + data: 1 + type: dword when: - - rule_2_3_10_2 - - ansible_windows_domain_role == "Member server" + - rule_2_3_10_2 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.10.2 - - patch + - level1-memberserver + - rule_2.3.10.2 + - patch - name: "SCORED | 2.3.10.3 | PATCH | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: RestrictAnonymous - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymous + data: 1 + type: dword when: - - rule_2_3_10_3 - - ansible_windows_domain_role == "Member server" + - rule_2_3_10_3 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.10.3 - - patch + - level1-memberserver + - rule_2.3.10.3 + - patch - name: "SCORED | 2.3.10.4 | PATCH | (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: DisableDomainCreds - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: DisableDomainCreds + data: 1 + type: dword when: rule_2_3_10_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_2.3.10.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_2.3.10.4 + - patch - name: "SCORED | 2.3.10.5 | PATCH | (L1) Ensure 'Network access: Let Everyone permissions apply to 
anonymous users' is set to 'Disabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: EveryoneIncludesAnonymous - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: EveryoneIncludesAnonymous + data: 0 + type: dword when: rule_2_3_10_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.5 + - patch - name: "SCORED | 2.3.10.6 | PATCH | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (DC only)" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionPipes - data: "" - type: multistring + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring when: - - rule_2_3_10_6 - - ansible_windows_domain_role == "Primary domain controller" + - rule_2_3_10_6 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_2.3.10.6 - - patch + - level1-domaincontroller + - rule_2.3.10.6 + - patch - name: "SCORED | 2.3.10.7 | PATCH | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' (MS only)" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: NullSessionPipes - data: "" - type: multistring + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring when: - - rule_2_3_10_7 - - ansible_windows_domain_role == "Member server" + - rule_2_3_10_7 + - ansible_windows_domain_role == "Member server" tags: - - level1-memberserver - - rule_2.3.10.7 - - patch + - level1-memberserver + - rule_2.3.10.7 + - patch - name: "SCORED | 2.3.10.8 | PATCH | (L1) Configure 'Network access: Remotely accessible registry paths'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths - 
name: "Machine" - data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] - type: multistring + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion'] + type: multistring when: rule_2_3_10_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.8 + - patch - name: "SCORED | 2.3.10.9 | PATCH | (L1) Configure 'Network access: Remotely accessible registry paths and sub-paths'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths - name: "Machine" - data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] - type: multistring + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 
'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc'] + type: multistring when: rule_2_3_10_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.9 + - patch - name: "SCORED | 2.3.10.10 | PATCH | (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - name: RestrictNullSessAccess - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: RestrictNullSessAccess + data: 1 + type: dword when: rule_2_3_10_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.10 + - patch - name: "SCORED | 2.3.10.11 | PATCH | (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)" win_regedit: - path: HKLM:\System\CurrentControlSet\Control\Lsa - name: RestrictRemoteSAM - data: "O:BAG:BAD:(A;;RC;;;BA)" - type: string + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: RestrictRemoteSAM + data: "O:BAG:BAD:(A;;RC;;;BA)" + type: string when: - not ansible_windows_domain_role == "Primary domain controller" - rule_2_3_10_11 tags: - - level1-memberserver - - rule_2.3.10.11 - - patch + - level1-memberserver + - rule_2.3.10.11 + - patch - name: "SCORED | 2.3.10.12 | PATCH | (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters - 
name: NullSessionShares - data: "" - type: multistring + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionShares + data: "" + type: multistring when: rule_2_3_10_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.12 + - patch - name: "SCORED | 2.3.10.13 | PATCH | (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: ForceGuest - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: ForceGuest + data: 0 + type: dword when: rule_2_3_10_13 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.10.13 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.10.13 + - patch - name: "SCORED | 2.3.11.1 | PATCH | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: UseMachineId - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: UseMachineId + data: 1 + type: dword when: rule_2_3_11_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.1 + - patch - name: "SCORED | 2.3.11.2 | PATCH | (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: allownullsessionfallback - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: allownullsessionfallback + data: 0 + type: dword when: rule_2_3_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.2 - - patch + - level1-domaincontroller + - 
level1-memberserver + - rule_2.3.11.2 + - patch - name: "SCORED | 2.3.11.3 | PATCH | (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U - name: AllowOnlineID - data: 0 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U + name: AllowOnlineID + data: 0 + type: dword when: rule_2_3_11_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.3 + - patch - name: "SCORED | 2.3.11.4 | PATCH | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters - name: SupportedEncryptionTypes - data: 2147483644 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters + name: SupportedEncryptionTypes + data: 2147483640 + type: dword when: rule_2_3_11_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.4 + - patch - name: "SCORED | 2.3.11.5 | PATCH | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: NoLMHash - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: NoLMHash + data: 1 + type: dword when: rule_2_3_11_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.5 + - patch - name: "NOTSCORED | 2.3.11.6 | PATCH | (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'" 
win_regedit: - path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters - name: EnableForcedLogOff - data: 1 - type: dword + path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters + name: EnableForcedLogOff + data: 1 + type: dword when: rule_2_3_11_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.6 + - patch - name: "SCORED | 2.3.11.7 | PATCH | (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa - name: LMCompatibilityLevel - data: 5 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LMCompatibilityLevel + data: 5 + type: dword when: rule_2_3_11_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.7 + - patch - name: "SCORED | 2.3.11.8 | PATCH | (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Ldap - name: LDAPClientIntegrity - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Services\Ldap + name: LDAPClientIntegrity + data: 1 + type: dword when: rule_2_3_11_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.8 + - patch - name: "SCORED | 2.3.11.9 | PATCH | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinClientSec - data: 537395200 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinClientSec + data: 
537395200 + type: dword when: rule_2_3_11_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.9 + - patch - name: "SCORED | 2.3.11.10 | PATCH | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 - name: NTLMMinServerSec - data: 537395200 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0 + name: NTLMMinServerSec + data: 537395200 + type: dword when: rule_2_3_11_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.11.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.11.10 + - patch - name: "SCORED | 2.3.13.1 | PATCH | (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ShutdownWithoutLogon - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ShutdownWithoutLogon + data: 0 + type: dword when: rule_2_3_13_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.13.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.13.1 + - patch - name: "SCORED | 2.3.15.1 | PATCH | (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel - name: ObCaseInsensitive - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel + name: ObCaseInsensitive + data: 1 + type: dword when: rule_2_3_15_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.15.1 - - patch + - level1-domaincontroller + - level1-memberserver 
+ - rule_2.3.15.1 + - patch - name: "SCORED | 2.3.15.2 | PATCH | (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: ProtectionMode - data: 1 - type: dword + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: ProtectionMode + data: 1 + type: dword when: rule_2_3_15_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.15.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.15.2 + - patch - name: "SCORED | 2.3.17.1 | PATCH | (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: FilterAdministratorToken - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: FilterAdministratorToken + data: 1 + type: dword when: rule_2_3_17_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.1 + - patch - name: "SCORED | 2.3.17.2 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableUIADesktopToggle - data: 0 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableUIADesktopToggle + data: 0 + type: dword when: rule_2_3_17_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.2 + - patch - name: "SCORED | 2.3.17.3 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard 
users' is set to 'Automatically deny elevation requests'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: ConsentPromptBehaviorUser - data: 2 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: ConsentPromptBehaviorUser + data: 0 + type: dword when: rule_2_3_17_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.3 + - patch - name: "SCORED | 2.3.17.4 | PATCH | (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableInstallerDetection - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableInstallerDetection + data: 1 + type: dword when: rule_2_3_17_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.4 + - patch - name: "SCORED | 2.3.17.5 | PATCH | (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableSecureUIAPaths - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableSecureUIAPaths + data: 1 + type: dword when: rule_2_3_17_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.5 + - patch - name: "SCORED | 2.3.17.6 | PATCH | (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableLUA - data: 1 - 
type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableLUA + data: 1 + type: dword when: rule_2_3_17_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.6 + - patch - name: "SCORED | 2.3.17.7 | PATCH | (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: PromptOnSecureDesktop - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: PromptOnSecureDesktop + data: 1 + type: dword when: rule_2_3_17_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_2.3.17.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_2.3.17.7 + - patch - name: "SCORED | 2.3.17.8 | PATCH | (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: EnableVirtualization - data: 1 - type: dword + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: EnableVirtualization + data: 1 + type: dword when: rule_2_3_17_8 tags: - - level1 - - level2 - - rule_2.3.17.8 - - patch + - level1s diff --git a/tasks/section09.yml b/tasks/section09.yml index 8bef659..16e40ae 100644 --- a/tasks/section09.yml +++ b/tasks/section09.yml 
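Review bot: the tags for 2.3.17.8 are broken at the end of this hunk: the four original tags (`level1`, `level2`, `rule_2.3.17.8`, `patch`) are replaced by the single entry `- level1s`, which reads like a truncated edit, so `--tags rule_2.3.17.8` or `--tags patch` will no longer select the task; restore the list and bring it in line with the convention every other task in the file uses (`level1-domaincontroller`, `level1-memberserver`, `rule_2.3.17.8`, `patch`). Two real value changes are also buried in what is otherwise a re-indentation and should be called out in the commit message: 2.3.11.4 `SupportedEncryptionTypes` goes from 2147483644 to 2147483640 (the new value is the AES-only set the task title asks for; the old value additionally allowed RC4, so environments that still depend on RC4 Kerberos will notice), and 2.3.17.3 `ConsentPromptBehaviorUser` goes from 2 to 0 (0 is "Automatically deny elevation requests", matching the title). Separately, 2.3.17.2 still writes `EnableUIADesktopToggle` = 0 on both sides of the diff; the setting named in its title ("Behavior of the elevation prompt for administrators in Admin Approval Mode") is `ConsentPromptBehaviorAdmin` = 2, so that control is not enforced by this task, and the value it does write belongs to a different UAC control. Finally, the DC/MS gating compares `ansible_windows_domain_role` only against "Primary domain controller"; additional domain controllers report "Backup domain controller", so 2.3.10.6 skips them while 2.3.10.11 (`not ansible_windows_domain_role == "Primary domain controller"`) applies the MS-only `RestrictRemoteSAM` setting to them.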
@@ -1,364 +1,364 @@ --- - name: "SCORED | 9.1.1 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - name: EnableFirewall - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: EnableFirewall + data: 1 + type: dword when: - - rule_9_1_1 + - rule_9_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.1 + - patch - name: "SCORED | 9.1.2 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - name: DefaultInboundAction - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultInboundAction + data: 1 + type: dword when: - - rule_9_1_2 + - rule_9_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.2 + - patch - name: "SCORED | 9.1.3 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - name: DefaultOutboundAction - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DefaultOutboundAction + data: 0 + type: dword when: - - rule_9_1_3 + - rule_9_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.3 + - patch - name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile - name: DisableNotifications - 
data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile + name: DisableNotifications + data: 1 + type: dword when: - - rule_9_1_4 + - rule_9_1_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.4 + - patch # title has slashes switched - name: "SCORED | 9.1.5 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/domainfw.log'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogFilePath - data: '{{ domain_firewall_log_path }}' - type: string + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFilePath + data: '{{ domain_firewall_log_path }}' + type: string when: - - rule_9_1_5 + - rule_9_1_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.5 + - patch - name: "SCORED | 9.1.6 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogFileSize - data: '{{ domain_firewall_log_size }}' - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogFileSize + data: '{{ domain_firewall_log_size }}' + type: dword when: - - rule_9_1_6 + - rule_9_1_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.6 + - patch - name: "SCORED | 9.1.7 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogDroppedPackets - data: 1 - type: dword + path: 
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword when: - - rule_9_1_7 + - rule_9_1_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.7 + - patch - name: "SCORED | 9.1.8 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging - name: LogSuccessfulConnections - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword when: - - rule_9_1_8 + - rule_9_1_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.1.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.1.8 + - patch - name: "SCORED | 9.2.1 | PATCH | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'" win_firewall: - state: enabled - profile: Private + state: enabled + profile: Private when: - - rule_9_2_1 + - rule_9_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.1 + - patch - name: "SCORED | 9.2.2 | PATCH | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - name: DefaultInboundAction - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultInboundAction + data: 1 + type: dword when: - - rule_9_2_2 + - rule_9_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.2 + - patch - name: "SCORED | 9.2.3 | PATCH | (L1) Ensure 'Windows Firewall: Private: Outbound 
connections' is set to 'Allow (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - name: DefaultOutboundAction - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DefaultOutboundAction + data: 0 + type: dword when: - - rule_9_2_3 + - rule_9_2_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.3 + - patch - name: "SCORED | 9.2.4 | PATCH | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile - name: DisableNotifications - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile + name: DisableNotifications + data: 1 + type: dword when: - - rule_9_2_4 + - rule_9_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.4 + - patch # title has slashes switched - name: "SCORED | 9.2.5 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/privatefw.log'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogFilePath - data: '{{ private_firewall_log_path }}' - type: string + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFilePath + data: '{{ private_firewall_log_path }}' + type: string when: - - rule_9_2_5 + - rule_9_2_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.5 + - patch - name: "SCORED | 9.2.6 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: - path: 
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogFileSize - data: '{{ private_firewall_log_size }}' - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogFileSize + data: '{{ private_firewall_log_size }}' + type: dword when: - - rule_9_2_6 + - rule_9_2_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.6 + - patch - name: "SCORED | 9.2.7 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogDroppedPackets - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword when: - - rule_9_2_7 + - rule_9_2_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.7 + - patch - name: "SCORED | 9.2.8 | PATCH | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging - name: LogSuccessfulConnections - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword when: - - rule_9_2_8 + - rule_9_2_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.2.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.2.8 + - patch - name: "SCORED | 9.3.1 | PATCH | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'" win_firewall: - state: enabled - profile: Public + state: enabled + profile: Public when: - - rule_9_3_1 + - rule_9_3_1 tags: - - level1-domaincontroller - - 
level1-memberserver - - rule_9.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.1 + - patch - name: "SCORED | 9.3.2 | PATCH | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: DefaultInboundAction - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultInboundAction + data: 1 + type: dword when: - - rule_9_3_2 + - rule_9_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.2 + - patch - name: "SCORED | 9.3.3 | PATCH | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: DefaultOutboundAction - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DefaultOutboundAction + data: 0 + type: dword when: - - rule_9_3_3 + - rule_9_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.3 + - patch - name: "SCORED | 9.3.4 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: DisableNotifications - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: DisableNotifications + data: 1 + type: dword when: - - rule_9_3_4 + - rule_9_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.4 + - patch - name: "SCORED | 9.3.5 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'" 
win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: AllowLocalPolicyMerge - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalPolicyMerge + data: 0 + type: dword when: - - rule_9_3_5 - - not win_skip_for_test + - rule_9_3_5 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.5 + - patch - name: "SCORED | 9.3.6 | PATCH | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile - name: AllowLocalIPsecPolicyMerge - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile + name: AllowLocalIPsecPolicyMerge + data: 0 + type: dword when: - - rule_9_3_6 + - rule_9_3_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.6 + - patch # title has slashes switched - name: "SCORED | 9.3.7 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%/System32/logfiles/firewall/publicfw.log'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogFilePath - data: '{{ public_firewall_log_path }}' - type: string + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFilePath + data: '{{ public_firewall_log_path }}' + type: string when: - - rule_9_3_7 + - rule_9_3_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.7 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.7 + - patch - name: "SCORED | 9.3.8 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'" win_regedit: - path: 
HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogFileSize - data: '{{ public_firewall_log_size }}' - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogFileSize + data: '{{ public_firewall_log_size }}' + type: dword when: - - rule_9_3_8 + - rule_9_3_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.8 + - patch - name: "SCORED | 9.3.9 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogDroppedPackets - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogDroppedPackets + data: 1 + type: dword when: - - rule_9_3_9 + - rule_9_3_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.9 + - patch - name: "SCORED | 9.3.10 | PATCH | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging - name: LogSuccessfulConnections - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging + name: LogSuccessfulConnections + data: 1 + type: dword when: - - rule_9_3_10 + - rule_9_3_10 tags: - - level1-domaincontroller - - level1-memberserver - - rule_9.3.10 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_9.3.10 + - patch diff --git a/tasks/section17.yml b/tasks/section17.yml index 420d6c6..e9cc6b9 100644 --- a/tasks/section17.yml +++ b/tasks/section17.yml 
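Review bot: the three "Firewall state" tasks in this hunk are implemented two different ways: 9.1.1 sets the policy value `EnableFirewall` = 1 under `WindowsFirewall\DomainProfile` with win_regedit, while 9.2.1 and 9.3.1 use `win_firewall` with `state: enabled` for the Private and Public profiles. `win_firewall` toggles the live profile state rather than the policy key the benchmark audits, so a registry-based check of 9.2.1/9.3.1 can still report a failure after the play runs; suggest the same win_regedit form against `PrivateProfile` and `PublicProfile` for consistency with 9.1.1. Also, `DisableNotifications` changes from 0 to 1 for all three profiles in this hunk (1 is the value that corresponds to "Display a notification: No", so the old tasks set the opposite of what their titles claim); that is a behaviour change hidden in a diff that otherwise looks whitespace-only and deserves a line in the commit message. Minor: the `# title has slashes switched` comments on 9.1.5, 9.2.5 and 9.3.7 could simply be resolved by writing the backslash path in the task name.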
@@ -1,44 +1,44 @@ --- - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure" block: - - name: "SCORED | 17.1.1 | AUDIT | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" - win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable - when: "'Success' not in rule_17_1_1_audit.stdout" - changed_when: "'Success' not in rule_17_1_1_audit.stdout" - - - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable - when: "'Failure' not in rule_17_1_1_audit.stdout" - changed_when: "'Failure' not in rule_17_1_1_audit.stdout" + - name: "SCORED | 17.1.1 | AUDIT | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'" + win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_1_1_audit + + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success" + win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable + changed_when: "'Success' not in rule_17_1_1_audit.stdout" + when: "'Success' not in rule_17_1_1_audit.stdout" + + - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure" + win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable + changed_when: "'Failure' not in rule_17_1_1_audit.stdout" + when: "'Failure' not in rule_17_1_1_audit.stdout" 
when: - - rule_17_1_1 + - rule_17_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.1.1 + - patch - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)" block: - - name: "SCORED | 17.1.2 | audit | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Get current settings" - win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_2_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for success" - win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable - when: "'Success' not in rule_17_1_2_audit.stdout" - - - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for failure" - win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable - when: "'Failure' not in rule_17_1_2_audit.stdout" + - name: "SCORED | 17.1.2 | audit | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Kerberos Authentication Service" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_1_2_audit + + - name: "SCORED | 17.1.2 | PATCH | (L1) Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for success" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Success' not in rule_17_1_2_audit.stdout" + + - name: "SCORED | 17.1.2 | PATCH | (L1) 
Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only) | Set for failure" + win_shell: AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable + when: "'Failure' not in rule_17_1_2_audit.stdout" when: - rule_17_1_2 - ansible_windows_domain_role == "Primary domain controller" 
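Review bot: The 17.1.2 "Set for failure" subtask still runs `AuditPol /set /subcategory:"Kerberos Authentication Service" /success:enable` while its `when` tests `'Failure' not in rule_17_1_2_audit.stdout`, so a DC with only Success auditing is never brought to Success and Failure; the re-indented `+` copy carries the same defect, and the flag should be `/failure:enable`. Two smaller points in the same hunk: the 17.1.2 patch subtasks have no `changed_when` (17.1.1 sets `changed_when: "'Success' not in rule_17_1_1_audit.stdout"` for the same shape), and the block-level `ansible_windows_domain_role == "Primary domain controller"` condition only matches the host whose DomainRole is reported as the primary controller, so additional DCs, which the setup module reports as "Backup domain controller", will be skipped; consider matching both values. The 17.1.2 audit subtask also spells the "audit" label in lowercase, unlike the "AUDIT" label used on 17.1.1.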
@@ -50,19 +50,19 @@ - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)" block: - - name: "SCORED | 17.1.3 | audit | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Get current settings" - win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_1_3_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for success" - win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable - when: "'Success' not in rule_17_1_3_audit.stdout" - - - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for failure" - win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable - when: "'Failure' not in rule_17_1_3_audit.stdout" + - name: "SCORED | 17.1.3 | audit | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Kerberos Service Ticket Operations" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_1_3_audit + + - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for success" + win_shell: AuditPol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Success' not in rule_17_1_3_audit.stdout" + + - name: "SCORED | 17.1.3 | PATCH | (L1) Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only) | Set for failure" + win_shell: AuditPol /set 
/subcategory:"Kerberos Service Ticket Operations" /success:enable + when: "'Failure' not in rule_17_1_3_audit.stdout" when: - rule_17_1_3 - ansible_windows_domain_role == "Primary domain controller" 
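Review bot: Same copy-and-paste defect as 17.1.2: the 17.1.3 "Set for failure" subtask issues `/success:enable` against "Kerberos Service Ticket Operations" under a `'Failure' not in rule_17_1_3_audit.stdout` condition, in both the removed and the re-indented lines, so Failure auditing is never enabled; change the flag to `/failure:enable`. As above, the two patch subtasks lack `changed_when`, and the "Primary domain controller" role check will skip non-primary DCs.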
@@ -74,631 +74,635 @@ - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure'" block: - - name: "SCORED | 17.2.1 | AUDIT | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable - when: "'Success' not in rule_17_2_1_audit.stdout" - changed_when: "'Success' not in rule_17_2_1_audit.stdout" - - - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable - when: "'Failure' not in rule_17_2_1_audit.stdout" - changed_when: "'Failure' not in rule_17_2_1_audit.stdout" - when: - - rule_17_2_1 - - ansible_windows_domain_role == "Primary domain controller" - tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.2.1 - - patch + - name: "SCORED | 17.2.1 | AUDIT | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_1_audit + + - name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + changed_when: "'Success' not in rule_17_2_1_audit.stdout" + when: "'Success' not in rule_17_2_1_audit.stdout" + + - 
name: "SCORED | 17.2.1 | PATCH | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable + changed_when: "'Failure' not in rule_17_2_1_audit.stdout" + when: "'Failure' not in rule_17_2_1_audit.stdout" + when: + - rule_17_2_1 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - level1-domaincontroller + - level1-memberserver + - rule_17.2.1 + - patch - name: "SCORED | 17.2.2 | AUDIT | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only)" block: - - name: "SCORED | 17.2.2 | AUDIT | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Get current settings" - win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_2_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.2.2 | PATCH | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Set success" - win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable - when: "'Success' not in rule_17_2_2_audit.stdout" + - name: "SCORED | 17.2.2 | AUDIT | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_2_audit + + - name: "SCORED | 17.2.2 | PATCH | (L1) Ensure 'Audit Computer Account Management' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable + when: "'Success' not in rule_17_2_2_audit.stdout" when: - - rule_17_2_2 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_2 + - 
ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.2.2 - - patch + - level1-domaincontroller + - rule_17.2.2 + - patch - name: "SCORED | 17.2.3 | AUDIT | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only)" block: - - name: "SCORED | 17.2.3 | AUDIT | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Get current settings" - win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_3_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.2.3 | PATCH | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Set success" - win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable - when: "'Success' not in rule_17_2_3_audit.stdout" + - name: "SCORED | 17.2.3 | AUDIT | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_3_audit + + - name: "SCORED | 17.2.3 | PATCH | (L1) Ensure 'Audit Distribution Group Management' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable + when: "'Success' not in rule_17_2_3_audit.stdout" when: - - rule_17_2_3 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_3 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.2.3 - - patch + - level1-domaincontroller + - rule_17.2.3 + - patch - name: "SCORED | 17.2.4 | AUDIT | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only)" block: - - 
name: "SCORED | 17.2.4 | AUDIT | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Get current settings" - win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_4_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.2.4 | PATCH | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Set success" - win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable - when: "'Success' not in rule_17_2_4_audit.stdout" + - name: "SCORED | 17.2.4 | AUDIT | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_4_audit + + - name: "SCORED | 17.2.4 | PATCH | (L1) Ensure 'Audit Other Account Management Events' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable + when: "'Success' not in rule_17_2_4_audit.stdout" when: - - rule_17_2_4 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_2_4 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.2.4 - - patch + - level1-domaincontroller + - rule_17.2.4 + - patch - name: "SCORED | 17.2.5 | AUDIT | (L1) Ensure 'Audit Security Group Management' is set to include 'Success'" block: - - name: "SCORED | 17.2.5 | AUDIT | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_5_audit - changed_when: 
no - failed_when: false - - - name: "SCORED | 17.2.5 | PATCH | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable - when: "'Success' not in rule_17_2_5_audit.stdout" + - name: "SCORED | 17.2.5 | AUDIT | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_5_audit + + - name: "SCORED | 17.2.5 | PATCH | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable + when: "'Success' not in rule_17_2_5_audit.stdout" when: - - rule_17_2_5 + - rule_17_2_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.2.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.2.5 + - patch - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure'" block: - - name: "SCORED | 17.2.6 | AUDIT | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_2_6_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable - when: "'Success' not in rule_17_2_6_audit.stdout" - changed_when: "'Success' not in rule_17_2_6_audit.stdout" - - - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Failure" - 
win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable - when: "'Failure' not in rule_17_2_6_audit.stdout" - changed_when: "'Failure' not in rule_17_2_6_audit.stdout" + - name: "SCORED | 17.2.6 | AUDIT | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_2_6_audit + + - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable + changed_when: "'Success' not in rule_17_2_6_audit.stdout" + when: "'Success' not in rule_17_2_6_audit.stdout" + + - name: "SCORED | 17.2.6 | PATCH | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable + changed_when: "'Failure' not in rule_17_2_6_audit.stdout" + when: "'Failure' not in rule_17_2_6_audit.stdout" when: - - rule_17_2_6 + - rule_17_2_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.2.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.2.6 + - patch - name: "SCORED | 17.3.1 | AUDIT | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Get current settings" block: - - name: "SCORED | 17.3.1 | AUDIT | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set success" - win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.3.1 | PATCH | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set failure" - win_shell: AuditPol /set /subcategory:"Plug and Play Events" 
/success:enable - changed_when: "'Success' not in rule_17_3_1_audit.stdout" - when: "'Success' not in rule_17_3_1_audit.stdout" + - name: "SCORED | 17.3.1 | AUDIT | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set success" + win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_3_1_audit + + - name: "SCORED | 17.3.1 | PATCH | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set failure" + win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable + changed_when: "'Success' not in rule_17_3_1_audit.stdout" + when: "'Success' not in rule_17_3_1_audit.stdout" when: - - rule_17_3_1 + - rule_17_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.3.1 + - patch - name: "SCORED | 17.3.2 | AUDIT | (L1) Ensure 'Audit Process Creation' is set to include 'Success'" block: - - name: "SCORED | 17.3.2 | AUDIT | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_3_2_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.3.2 | PATCH | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable - changed_when: "'Success' not in rule_17_3_2_audit.stdout" - when: "'Success' not in rule_17_3_2_audit.stdout" + - name: "SCORED | 17.3.2 | AUDIT | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: 
rule_17_3_2_audit + + - name: "SCORED | 17.3.2 | PATCH | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable + changed_when: "'Success' not in rule_17_3_2_audit.stdout" + when: "'Success' not in rule_17_3_2_audit.stdout" when: - - rule_17_3_2 + - rule_17_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.3.2 + - patch - name: "SCORED | 17.4.1 | AUDIT | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only)" block: - - name: "SCORED | 17.4.1 | AUDIT | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Get current settings" - win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.4.1 | PATCH | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Set failure" - win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable - changed_when: "'Success' not in rule_17_4_1_audit.stdout" - when: "'Success' not in rule_17_4_1_audit.stdout" + - name: "SCORED | 17.4.1 | AUDIT | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_4_1_audit + + - name: "SCORED | 17.4.1 | PATCH | (L1) Ensure 'Audit Directory Service Access' is set to include 'Failure' (DC only) | Set failure" + win_shell: AuditPol /set /subcategory:"Directory Service Access" /failure:enable + changed_when: "'Success' not in rule_17_4_1_audit.stdout" + when: "'Success' not in 
rule_17_4_1_audit.stdout" when: - - rule_17_4_1 + - rule_17_4_1 tags: - - level1-domaincontroller - - rule_17.4.1 - - patch + - level1-domaincontroller + - rule_17.4.1 + - patch - name: "SCORED | 17.4.2 | AUDIT | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only)" block: - - name: "SCORED | 17.4.2 | AUDIT | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Get current settings" - win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_4_2_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.4.2 | PATCH | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Set success" - win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable - changed_when: "'Success' not in rule_17_4_2_audit.stdout" - when: "'Success' not in rule_17_4_2_audit.stdout" + - name: "SCORED | 17.4.2 | AUDIT | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Get current settings" + win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_4_2_audit + + - name: "SCORED | 17.4.2 | PATCH | (L1) Ensure 'Audit Directory Service Changes' is set to include 'Success' (DC only) | Set success" + win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable + changed_when: "'Success' not in rule_17_4_2_audit.stdout" + when: "'Success' not in rule_17_4_2_audit.stdout" when: - - rule_17_4_2 - - ansible_windows_domain_role == "Primary domain controller" + - rule_17_4_2 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_17.4.2 - - patch + - level1-domaincontroller + - rule_17.4.2 + - patch - name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure 
'Audit Account Lockout' is set to include 'Failure'" block: - - name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.5.1 | PATCH | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Set failure" - win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable - changed_when: "'Failure' not in rule_17_5_1_audit.stdout" - when: "'Failure' not in rule_17_5_1_audit.stdout" + - name: "SCORED | 17.5.1 | AUDIT | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_1_audit + + - name: "SCORED | 17.5.1 | PATCH | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable + changed_when: "'Failure' not in rule_17_5_1_audit.stdout" + when: "'Failure' not in rule_17_5_1_audit.stdout" when: - - rule_17_5_1 + - rule_17_5_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.1 + - patch - name: "SCORED | 17.5.2 | AUDIT | (L1) Ensure 'Audit Group Membership' is set to include 'Success'" block: - - name: "SCORED | 17.5.2 | AUDIT | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_2_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.5.2 | PATCH | (L1) Ensure 'Audit Group 
Membership' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable - changed_when: "'Success' not in rule_17_5_2_audit.stdout" - when: "'Success' not in rule_17_5_2_audit.stdout" + - name: "SCORED | 17.5.2 | AUDIT | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_2_audit + + - name: "SCORED | 17.5.2 | PATCH | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable + changed_when: "'Success' not in rule_17_5_2_audit.stdout" + when: "'Success' not in rule_17_5_2_audit.stdout" when: - - rule_17_5_2 + - rule_17_5_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.2 + - patch - name: "SCORED | 17.5.3 | AUDIT | (L1) Ensure 'Audit Logoff' is set to include 'Success'" block: - - name: "SCORED | 17.5.3 | AUDIT | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_3_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.5.3 | PATCH | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Logoff" /success:enable - changed_when: "'Success' not in rule_17_5_3_audit.stdout" - when: "'Success' not in rule_17_5_3_audit.stdout" + - name: "SCORED | 17.5.3 | AUDIT | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + 
changed_when: false + failed_when: false + register: rule_17_5_3_audit + + - name: "SCORED | 17.5.3 | PATCH | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Logoff" /success:enable + changed_when: "'Success' not in rule_17_5_3_audit.stdout" + when: "'Success' not in rule_17_5_3_audit.stdout" when: - - rule_17_5_3 + - rule_17_5_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.3 + - patch - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure'" block: - - name: "SCORED | 17.5.4 | AUDIT | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_4_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"Logon" /success:enable - changed_when: "'Success' not in rule_17_5_4_audit.stdout" - when: "'Failure' not in rule_17_5_4_audit.stdout" - - - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"Logon" /failure:enable - changed_when: "'Failure' not in rule_17_5_4_audit.stdout" - when: "'Failure' not in rule_17_5_4_audit.stdout" + - name: "SCORED | 17.5.4 | AUDIT | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_4_audit + + - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"Logon" 
/success:enable + changed_when: "'Success' not in rule_17_5_4_audit.stdout" + when: "'Failure' not in rule_17_5_4_audit.stdout" + + - name: "SCORED | 17.5.4 | PATCH | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"Logon" /failure:enable + changed_when: "'Failure' not in rule_17_5_4_audit.stdout" + when: "'Failure' not in rule_17_5_4_audit.stdout" when: - - rule_17_5_4 + - rule_17_5_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.4 + - patch - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'" block: - - name: "SCORED | 17.5.5 | AUDIT | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_5_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable - changed_when: "'Success' not in rule_17_5_5_audit.stdout" - when: "'Success' not in rule_17_5_5_audit.stdout" - - - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable - changed_when: "'Failure' not in rule_17_5_5_audit.stdout" - when: "'Failure' not in rule_17_5_5_audit.stdout" - when: - - rule_17_5_5 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.5 - - patch + - name: "SCORED | 17.5.5 | AUDIT | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get 
/subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_5_audit + + - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable + changed_when: "'Success' not in rule_17_5_5_audit.stdout" + when: "'Success' not in rule_17_5_5_audit.stdout" + + - name: "SCORED | 17.5.5 | PATCH | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable + changed_when: "'Failure' not in rule_17_5_5_audit.stdout" + when: "'Failure' not in rule_17_5_5_audit.stdout" + when: + - rule_17_5_5 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_17.5.5 + - patch - name: "SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success'" block: - - name: "SCORED | 17.5.6 | AUDIT | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_5_6_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" - win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable - changed_when: "'Success' not in rule_17_5_6_audit.stdout" - when: "'Success' not in rule_17_5_6_audit.stdout" + - name: "SCORED | 17.5.6 | AUDIT | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_5_6_audit + + - name: 
"SCORED | 17.5.6 | PATCH | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Get current settings" + win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable + changed_when: "'Success' not in rule_17_5_6_audit.stdout" + when: "'Success' not in rule_17_5_6_audit.stdout" when: - - rule_17_5_6 + - rule_17_5_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.5.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.5.6 + - patch - name: "SCORED | 17.6.1 | PATCH | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" block: - - name: "SCORED | 17.6.1 | AUDIT | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" - win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.6.1 | PATCH | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" - win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable - when: "'Failure' not in rule_17_6_1_audit.stdout" - when: rule_17_6_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.1 - - patch + - name: "SCORED | 17.6.1 | AUDIT | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_1_audit + + - name: "SCORED | 17.6.1 | PATCH | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure'" + win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable + when: "'Failure' not in rule_17_6_1_audit.stdout" + when: + - rule_17_6_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_17.6.1 + - patch - name: "SCORED | 17.6.2 | PATCH | (L1) Ensure 'Audit File Share' is set to 'Success and 
Failure'" win_audit_policy_system: subcategory: File Share audit_type: success, failure when: - - rule_17_6_2 + - rule_17_6_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.6.2 + - patch - name: "SCORED | 17.6.3 | PATCH | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" win_audit_policy_system: subcategory: Other Object Access Events audit_type: success, failure when: - - rule_17_6_3 + - rule_17_6_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.6.3 + - patch - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure'" block: - - name: "SCORED | 17.6.4 | AUDIT | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_4_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set success" - win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - changed_when: "'Success' not in rule_17_6_4_audit.stdout" - when: "'Success' not in rule_17_6_4_audit.stdout" - - - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set failure" - win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable - changed_when: "'failure' not in rule_17_6_4_audit.stdout" - when: "'Failure' not in rule_17_6_4_audit.stdout" + - name: "SCORED | 17.6.4 | AUDIT | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand 
"Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_6_4_audit + + - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set success" + win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable + changed_when: "'Success' not in rule_17_6_4_audit.stdout" + when: "'Success' not in rule_17_6_4_audit.stdout" + + - name: "SCORED | 17.6.4 | PATCH | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable + changed_when: "'failure' not in rule_17_6_4_audit.stdout" + when: "'Failure' not in rule_17_6_4_audit.stdout" when: - - rule_17_6_4 + - rule_17_6_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.6.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.6.4 + - patch - name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success'" block: - - name: "SCORED | 17.7.1 | AUDIT | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_1_audit.stdout" - when: "'Success' not in rule_17_7_1_audit.stdout" + - name: "SCORED | 17.7.1 | AUDIT | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_1_audit + + 
- name: "SCORED | 17.7.1 | PATCH | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_1_audit.stdout" + when: "'Success' not in rule_17_7_1_audit.stdout" when: - - rule_17_7_1 + - rule_17_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.1 + - patch - name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success'" block: - - name: "SCORED | 17.7.2 | AUDIT | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_2_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_2_audit.stdout" - when: "'Success' not in rule_17_7_2_audit.stdout" + - name: "SCORED | 17.7.2 | AUDIT | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_2_audit + + - name: "SCORED | 17.7.2 | PATCH | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_2_audit.stdout" + when: "'Success' not in rule_17_7_2_audit.stdout" when: - - 
rule_17_7_2 + - rule_17_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.2 + - patch - name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success'" block: - - name: "SCORED | 17.7.3 | AUDIT | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_3_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_3_audit.stdout" - when: "'Success' not in rule_17_7_3_audit.stdout" + - name: "SCORED | 17.7.3 | AUDIT | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_3_audit + + - name: "SCORED | 17.7.3 | PATCH | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable + changed_when: "'Success' not in rule_17_7_3_audit.stdout" + when: "'Success' not in rule_17_7_3_audit.stdout" when: - - rule_17_7_3 + - rule_17_7_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.3 + - patch - name: "SCORED | 17.7.4 | PATCH | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'" win_audit_policy_system: - 
subcategory: MPSSVC Rule-Level Policy Change - audit_type: success, failure + subcategory: MPSSVC Rule-Level Policy Change + audit_type: success, failure when: - - rule_17_7_4 + - rule_17_7_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.4 + - patch - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure'" block: - - name: "SCORED | 17.7.5 | AUDIT | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_5_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set failure" - win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable - when: "'Failure' not in rule_17_7_5_audit.stdout" + - name: "SCORED | 17.7.5 | AUDIT | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_7_5_audit + + - name: "SCORED | 17.7.5 | PATCH | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set failure" + win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /success:enable + when: "'Failure' not in rule_17_7_5_audit.stdout" when: - rule_17_7_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.7.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.7.5 + - patch - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'" block: - - name: 
"SCORED | 17.8.1 | AUDIT | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_8_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable - changed_when: "'Success' not in rule_17_8_1_audit.stdout" - when: "'Success' not in rule_17_8_1_audit.stdout" - - - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable - changed_when: "'Failure' not in rule_17_8_1_audit.stdout" - when: "'Failure' not in rule_17_8_1_audit.stdout" - - when: rule_17_8_1 + - name: "SCORED | 17.8.1 | AUDIT | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_8_1_audit + + - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable + changed_when: "'Success' not in rule_17_8_1_audit.stdout" + when: "'Success' not in rule_17_8_1_audit.stdout" + + - name: "SCORED | 17.8.1 | PATCH | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable + changed_when: "'Failure' not in rule_17_8_1_audit.stdout" + when: "'Failure' not in rule_17_8_1_audit.stdout" + when: + - rule_17_8_1 
tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.8.1 + - patch - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.1 | AUDIT | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_1_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable - changed_when: "'Success' not in rule_17_9_1_audit.stdout" - when: "'Success' not in rule_17_9_1_audit.stdout" - - - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable - changed_when: "'Failure' not in rule_17_9_1_audit.stdout" - when: "'Failure' not in rule_17_9_1_audit.stdout" - - when: rule_17_9_1 + - name: "SCORED | 17.9.1 | AUDIT | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_1_audit + + - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable + changed_when: "'Success' not in rule_17_9_1_audit.stdout" + when: "'Success' not in rule_17_9_1_audit.stdout" + + - name: "SCORED | 17.9.1 | PATCH | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"IPsec Driver" 
/failure:enable + changed_when: "'Failure' not in rule_17_9_1_audit.stdout" + when: "'Failure' not in rule_17_9_1_audit.stdout" + when: + - rule_17_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_17.9.1 + - patch - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.2 | AUDIT | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_2_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable - changed_when: "'Success' not in rule_17_9_2_audit.stdout" - when: "'Success' not in rule_17_9_2_audit.stdout" - - - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable - changed_when: "'Failure' not in rule_17_9_2_audit.stdout" - when: "'Failure' not in rule_17_9_2_audit.stdout" - when: rule_17_9_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.2 - - patch + - name: "SCORED | 17.9.2 | AUDIT | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_2_audit + + - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"Other System 
Events" /success:enable + changed_when: "'Success' not in rule_17_9_2_audit.stdout" + when: "'Success' not in rule_17_9_2_audit.stdout" + + - name: "SCORED | 17.9.2 | PATCH | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable + changed_when: "'Failure' not in rule_17_9_2_audit.stdout" + when: "'Failure' not in rule_17_9_2_audit.stdout" + when: + - rule_17_9_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_17.9.2 + - patch - name: "SCORED | 17.9.3 | AUDIT | (L1) Ensure 'Audit Security State Change' is set to include 'Success'" block: - - name: "SCORED | 17.9.3 | AUDIT | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_3_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.9.3 | PATCH | (L1) Ensure 'Audit Security State Change' is set to include 'Success' Set success" - win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - changed_when: "'Success' not in rule_17_9_3_audit.stdout" - when: "'Success' not in rule_17_9_3_audit.stdout" - when: rule_17_9_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.3 - - patch + - name: "SCORED | 17.9.3 | AUDIT | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_3_audit + + - name: "SCORED | 17.9.3 | PATCH | (L1) Ensure 'Audit Security State Change' is set to include 'Success' Set success" + win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable + changed_when: "'Success' not in 
rule_17_9_3_audit.stdout" + when: "'Success' not in rule_17_9_3_audit.stdout" + when: + - rule_17_9_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_17.9.3 + - patch - name: "SCORED | 17.9.4 | AUDIT | (L1) Ensure 'Audit Security System Extension' is set to include 'Success'" block: - - name: "SCORED | 17.9.4 | AUDIT | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Get current settings" - win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_4_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.9.4 | PATCH | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Set success" - win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - changed_when: "'Success' not in rule_17_9_4_audit.stdout" - when: "'Success' not in rule_17_9_4_audit.stdout" - when: rule_17_9_4 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.4 - - patch + - name: "SCORED | 17.9.4 | AUDIT | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Get current settings" + win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_4_audit + + - name: "SCORED | 17.9.4 | PATCH | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Set success" + win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable + changed_when: "'Success' not in rule_17_9_4_audit.stdout" + when: "'Success' not in rule_17_9_4_audit.stdout" + when: + - rule_17_9_4 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_17.9.4 + - patch - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure'" block: - - name: "SCORED | 17.9.5 | AUDIT | 
(L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Get current settings" - win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_5_audit - changed_when: no - failed_when: false - - - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Success" - win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable - changed_when: "'Success' not in rule_17_9_5_audit.stdout" - when: "'Success' not in rule_17_9_5_audit.stdout" - - - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Failure" - win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable - changed_when: "'Failure' not in rule_17_9_5_audit.stdout" - when: "'Failure' not in rule_17_9_5_audit.stdout" - when: rule_17_9_5 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_17.9.5 - - patch - + - name: "SCORED | 17.9.5 | AUDIT | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Get current settings" + win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" + changed_when: false + failed_when: false + register: rule_17_9_5_audit + + - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Success" + win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable + changed_when: "'Success' not in rule_17_9_5_audit.stdout" + when: "'Success' not in rule_17_9_5_audit.stdout" + + - name: "SCORED | 17.9.5 | PATCH | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Failure" + win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable + changed_when: "'Failure' not in rule_17_9_5_audit.stdout" + when: "'Failure' not in rule_17_9_5_audit.stdout" + when: + - rule_17_9_5 + tags: + - 
level1-domaincontroller + - level1-memberserver + - rule_17.9.5 + - patch diff --git a/tasks/section18.yml b/tasks/section18.yml index 4fa41fd..f6d1f63 100644 --- a/tasks/section18.yml +++ b/tasks/section18.yml 
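Review bot: the 17.7.5 'Set failure' task still runs `AuditPol /set /subcategory:"Other Policy Change Events" /success:enable` while its `when` tests `'Failure' not in rule_17_7_5_audit.stdout`, so a host that lacks Failure auditing gets Success enabled instead and stays non-compliant on every run; the reindent carried this over from the removed lines unchanged, so switch the flag to `/failure:enable` and give the task a matching `changed_when`. Two more gate/flag mismatches in the same hunk: the 17.5.4 'Success' task is gated on `when: "'Failure' not in rule_17_5_4_audit.stdout"` rather than on 'Success', so Success auditing is only enabled on hosts that also lack Failure, and the 17.6.4 'Set failure' task has `changed_when: "'failure' not in rule_17_6_4_audit.stdout"` in lower case against output that says `Failure`; it only reports the right result because the `when` gate has already excluded hosts where Failure is set, so make the two strings match. Smaller points: the 17.5.6 set task is still named 'Get current settings', the 17.9.3 set task name is missing the ` | ` separator before 'Set success', and `failed_when: false` on every AuditPol /get task means an empty stdout from a failed query (for example an unelevated session) silently satisfies both `not in` tests and fires the set tasks. Since 17.6.2, 17.6.3 and 17.7.4 already use `win_audit_policy_system` with `audit_type: success, failure`, consider converting the remaining `win_shell` AuditPol get/set pairs to that module and dropping the hand-rolled `changed_when` logic.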
@@ -1,217 +1,219 @@ --- -#one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server" +# one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server" - name: "SCORED | 18.1.1.1 | PATCH | (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenCamera - data: 1 - type: dword - when: rule_18_1_1_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenCamera + data: 1 + type: dword + when: + - rule_18_1_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.1.1.1 + - patch - name: "SCORED | 18.1.1.2 | PATCH | (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenSlideshow - data: 1 - type: dword - when: rule_18_1_1_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenSlideshow + data: 1 + type: dword + when: + - rule_18_1_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.1.1.2 + - patch - name: "SCORED | 18.1.2.2 | PATCH | (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization - name: AllowInputPersonalization - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization + name: AllowInputPersonalization + data: 0 + type: dword when: - - rule_18_1_2_2 + - rule_18_1_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.1.2.2 - - patch + - 
level1-domaincontroller + - level1-memberserver + - rule_18.1.2.2 + - patch - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" block: - - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" - command: "echo true" + - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.1.3 | AUDIT | (L2) Ensure 'Allow Online Tips' is set to 'Disabled'" + command: "echo true" when: - - is_implemented - - rule_18_1_3 + - is_implemented + - rule_18_1_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.1.3 - - audit + - level2-domaincontroller + - level2-memberserver + - rule_18.1.3 + - audit - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" block: - - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" - command: "echo true" + - name: "SCORED | 18.2.1 | AUDIT | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.2.1 | PATCH | (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)" + command: "echo true" when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.1 - - 
patch + - level1-memberserver + - rule_18.2.1 + - patch - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" block: - - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.2.2 | PATCH | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" - command: "echo true" + - name: "SCORED | 18.2.2 | AUDIT | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.2.2 | PATCH | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only)" + command: "echo true" when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.2 - - audit + - level1-memberserver + - rule_18.2.2 + - audit - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" block: - - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.2.3 | PATCH | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" - command: "echo true" + - name: "SCORED | 18.2.3 | AUDIT | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + command: "echo true" + changed_when: false + 
ignore_errors: true + register: result + + - name: "SCORED | 18.2.3 | PATCH | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only)" + command: "echo true" when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_3 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.3 - - audit + - level1-memberserver + - rule_18.2.3 + - audit - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" block: - - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.2.4 | PATCH | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" - command: "echo true" + - name: "SCORED | 18.2.4 | AUDIT | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.2.4 | PATCH | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" + command: "echo true" when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_4 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.4 - - audit + - level1-memberserver + - rule_18.2.4 + - audit - name: "SCORED | 18.2.5 | AUDIT | (L1) 
Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" block: - - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.2.5 | PATCH | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" - command: "echo true" + - name: "SCORED | 18.2.5 | AUDIT | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.2.5 | PATCH | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'" + command: "echo true" when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_5 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.5 - - audit + - level1-memberserver + - rule_18.2.5 + - audit - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" block: - - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.2.6 | PATCH | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" - command: "echo true" + - name: "SCORED | 18.2.6 | AUDIT | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.2.6 | PATCH | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" + command: "echo true" when: - - 
is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_2_6 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.2.6 - - audit + - level1-memberserver + - rule_18.2.6 + - audit - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" block: - - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.3.1 | PATCH | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" - command: "echo true" + - name: "SCORED | 18.3.1 | AUDIT | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.3.1 | PATCH | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)" + command: "echo true" when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" + - is_implemented + - rule_18_3_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.3.1 - - audit + - level1-memberserver + - rule_18.3.1 + - audit - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" block: - - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - - - name: "SCORED | 18.3.2 | PATCH | (L1) Ensure 'Configure SMB v1 client driver' is set to 
'Enabled: Disable driver (recommended)'" - command: "echo true" + - name: "SCORED | 18.3.2 | AUDIT | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + command: "echo true" + changed_when: false + ignore_errors: true + register: result + + - name: "SCORED | 18.3.2 | PATCH | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'" + command: "echo true" when: - - is_implemented - - rule_18_3_2 + - is_implemented + - rule_18_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.2 - - audit + - level1-domaincontroller + - level1-memberserver + - rule_18.3.2 + - audit -- name: "SCORED | 18_3_3 | PATCH | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" +- name: "SCORED | 18.3.3 | PATCH | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters name: SMB1 
@@ -219,26 +221,28 @@ type: dword state: present notify: reboot_windows - when: rule_18_3_3 + when: + - rule_18_3_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.3 + - patch -- name: "SCORED | 18_3_4 | PATCH | (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" +- name: "SCORED | 18.3.4 | PATCH | (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'" win_regedit: path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel name: DisableExceptionChainValidation - data: 1 + data: 0 type: dword state: present - when: rule_18_3_4 + when: + - rule_18_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.4 + - patch - name: "SCORED | 18.3.5 | PATCH | (L1) Ensure 'Extended Protection for LDAP Authentication (Domain Controllers only)' is set to 'Enabled: Enabled, always (recommended)' (DC Only)" win_regedit: @@ -247,12 +251,12 @@ data: 1 type: dword when: - - rule_18_3_5 - - ansible_windows_domain_role == "Primary domain controller" + - rule_18_3_5 + - ansible_windows_domain_role == "Primary domain controller" tags: - - level1-domaincontroller - - rule_18.3.5 - - patch + - level1-domaincontroller + - rule_18.3.5 + - patch - name: "SCORED | 18.3.6 | PATCH | (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'" @@ -262,12 +266,13 @@ value: NodeType data: 2 datatype: dword - when: rule_18_3_6 + when: + - rule_18_3_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 + - patch - name: "SCORED | 18.3.7 | PATCH | (L1) Ensure 'WDigest Authentication' is set to 'Disabled'" win_regedit: 
@@ -276,12 +281,13 @@ value: UseLogonCredential data: 0 datatype: dword - when: rule_18_3_7 + when: + - rule_18_3_7 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.3.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.3.6 + - patch - name: "SCORED | 18.4.1 | PATCH | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" win_regedit: @@ -289,13 +295,14 @@ state: present value: AutoAdminLogon data: 0 - datatype: dword - when: rule_18_4_1 + datatype: string + when: + - rule_18_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.1 + - patch - name: "SCORED | 18.4.2 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" win_regedit: @@ -304,12 +311,13 @@ value: DisableIPSourceRouting data: 2 datatype: dword - when: rule_18_4_2 + when: + - rule_18_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.2 + - patch - name: "SCORED | 18.4.3 | PATCH | (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'" win_regedit: @@ -318,12 +326,13 @@ value: DisableIPSourceRouting data: 2 datatype: dword - when: rule_18_4_3 + when: + - rule_18_4_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.3 + - patch - name: "SCORED | 18.4.4 | PATCH | (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'" win_regedit: 
@@ -332,2223 +341,2355 @@ value: EnableICMPRedirect data: 0 datatype: dword - when: rule_18_4_4 + when: + - rule_18_4_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.4 + - patch - name: "SCORED | 18.4.5 | PATCH | (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'" win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: KeepAliveTime - data: 300000 - datatype: dword - when: rule_18_4_5 + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: KeepAliveTime + data: 300000 + datatype: dword + when: + - rule_18_4_5 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.5 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.5 + - patch - name: "SCORED | 18.4.6 | PATCH | (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters - state: present - name: NoNameReleaseOnDemand - data: 1 - type: dword - when: rule_18_4_6 + path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters + state: present + name: NoNameReleaseOnDemand + data: 1 + type: dword + when: + - rule_18_4_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.6 + - patch - name: "SCORED | 18.4.7 | PATCH | (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - state: present - name: PerformRouterDiscovery - data: 0 - type: dword - when: rule_18_4_7 + path: 
HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + state: present + name: PerformRouterDiscovery + data: 0 + type: dword + when: + - rule_18_4_7 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.7 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.7 + - patch - name: "SCORED | 18.4.8 | PATCH | (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'" win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: SafeDllSearchMode - data: 1 - type: dword - state: present - when: rule_18_4_8 + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: SafeDllSearchMode + data: 1 + type: dword + state: present + when: + - rule_18_4_8 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.8 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.8 + - patch - name: "SCORED | 18.4.9 | PATCH | (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'" win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ScreenSaverGracePeriod - data: 5 - type: string - state: present - when: rule_18_4_9 + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ScreenSaverGracePeriod + data: 5 + type: string + state: present + when: + - rule_18_4_9 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.9 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.9 + - patch - name: "SCORED | 18.4.10 | PATCH | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_10 + path: 
HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword + when: + - rule_18_4_10 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.10 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.10 + - patch - name: "SCORED | 18.4.11 | PATCH | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_11 + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword + when: + - rule_18_4_11 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.4.11 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.4.11 + - patch - name: "SCORED | 18.4.12 | PATCH | (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security - name: WarningLevel - data: 90 - type: dword - when: rule_18_4_12 + path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security + name: WarningLevel + data: 90 + type: dword + when: + - rule_18_4_12 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.4.12 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.4.12 + - patch - name: "SCORED | 18.5.4.1 | PATCH | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient - name: EnableMulticast - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient + name: EnableMulticast + data: 0 + type: dword when: - - rule_18_5_4_2 + - rule_18_5_4_2 tags: - - level1-domaincontroller - - 
level1-memberserver - - rule_18.5.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.4.2 + - patch - name: "SCORED | 18.5.5.1 | PATCH | (L2) Ensure 'Enable Font Providers' is set to 'Disabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableFontProviders - data: 0 - type: dword - when: rule_18_5_5_1 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableFontProviders + data: 0 + type: dword + when: + - rule_18_5_5_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.5.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.5.1 + - patch - name: "SCORED | 18.5.8.1 | PATCH | (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation - name: AllowInsecureGuestAuth - data: 0 - type: dword - when: rule_18_5_8_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation + name: AllowInsecureGuestAuth + data: 0 + type: dword + when: + - rule_18_5_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.8.1 + - patch - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'" block: - - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOndomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOndomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | 
EnableLLTDIO" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableLLTDIO - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | ProhibitLLTDIOOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitLLTDIOOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_1 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.9.1 - - patch + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOndomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOndomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | AllowLLTDIOOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | EnableLLTDIO" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableLLTDIO + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | ProhibitLLTDIOOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitLLTDIOOnPrivateNet + data: 0 + type: dword + when: + - rule_18_5_9_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.9.1 + - patch - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'" block: - - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | AllowRspndrOnDomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnDomain - 
data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | AllowRspndrOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | EnableRspndr" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableRspndr - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | ProhibitRspndrOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitRspndrOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_2 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.9.2 - - patch + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | AllowRspndrOnDomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnDomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | AllowRspndrOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | EnableRspndr" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableRspndr + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' | ProhibitRspndrOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitRspndrOnPrivateNet + data: 0 + type: dword + when: + - rule_18_5_9_2 + tags: + - level2-domaincontroller + - 
level2-memberserver + - rule_18.5.9.2 + - patch - name: "SCORED | 18.5.10.2 | PATCH | (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Peernet - name: Disabled - data: 1 - type: dword - when: rule_18_5_10_2 + path: HKLM:\Software\Policies\Microsoft\Peernet + name: Disabled + data: 1 + type: dword + when: + - rule_18_5_10_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.10.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.10.2 + - patch - name: "SCORED | 18.5.11.2 | PATCH | (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_AllowNetBridge_NLA - data: 0 - type: dword - when: rule_18_5_11_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_AllowNetBridge_NLA + data: 0 + type: dword + when: + - rule_18_5_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.2 + - patch - name: "SCORED | 18.5.11.3 | PATCH | (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections - name: NC_ShowSharedAccessUI - data: 0 - type: dword - when: rule_18_5_11_3 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections + name: NC_ShowSharedAccessUI + data: 0 + type: dword + when: + - rule_18_5_11_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.3 + - patch - name: "SCORED | 18.5.11.4 | PATCH | (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'" win_regedit: - 
path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_StdDomainUserSetLocation - data: 1 - type: dword - when: rule_18_5_11_4 + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_StdDomainUserSetLocation + data: 1 + type: dword + when: + - rule_18_5_11_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.11.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.11.4 + - patch - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares'" block: - - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set NETLOGON" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\NETLOGON" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set SYSVOL" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\SYSVOL" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - when: rule_18_5_14_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.14.1 - - patch + - name: "SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set NETLOGON" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\NETLOGON" + data: "RequireMutualAuthentication=1, RequireIntegrity=1" + type: string + + - name: 
"SCORED | 18.5.14.1 | PATCH | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' | Set SYSVOL" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\SYSVOL" + data: "RequireMutualAuthentication=1, RequireIntegrity=1" + type: string + when: + - rule_18_5_14_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.5.14.1 + - patch - name: "SCORED | 18.5.19.2.1 | PATCH | (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)')" win_regedit: - path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters - name: DisabledComponents - data: 255 - type: dword - when: rule_18_5_19_2_1 + path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters + name: DisabledComponents + data: 255 + type: dword + when: + - rule_18_5_19_2_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.19.2.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.19.2.1 + - patch - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'" block: - - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | EnableRegistrars" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: EnableRegistrars - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableUPnPRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableUPnPRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | 
DisableInBand802DOT11Registrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableInBand802DOT11Registrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableFlashConfigRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableFlashConfigRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableWPDRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableWPDRegistrar - data: 0 - type: dword - when: rule_18_5_20_1 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.20.1 - - patch + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | EnableRegistrars" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: EnableRegistrars + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableUPnPRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableUPnPRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableInBand802DOT11Registrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableInBand802DOT11Registrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableFlashConfigRegistrar" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableFlashConfigRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | DisableWPDRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableWPDRegistrar + data: 0 + type: dword + when: + - rule_18_5_20_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.5.20.1 + - patch - name: "SCORED | 18.5.20.2 | PATCH | (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui - name: DisableWcnUi - data: 1 - type: dword - when: rule_18_5_20_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui + name: DisableWcnUi + data: 1 + type: dword + when: + - rule_18_5_20_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.5.20.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.5.20.2 + - patch - name: "SCORED | 18.5.21.1 | PATCH | (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 1 = Minimize simultaneous connections'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fMinimizeConnections - data: 1 - type: dword - when: rule_18_5_21_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fMinimizeConnections + data: 1 + type: dword + when: + - rule_18_5_21_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.5.21.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.5.21.1 + - patch - name: "SCORED | 18.5.21.2 | PATCH | (L2) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' (MS only)" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fBlockNonDomain - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fBlockNonDomain + data: 1 + type: dword when: - - rule_18_5_21_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_5_21_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2-memberserver - - rule_18.5.21.2 - - patch + - level2-memberserver + - rule_18.5.21.2 + - patch - name: "SCORED | 18.7.1.1 | PATCH | (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' (Scored)" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications - name: NoCloudApplicationNotification - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications + name: NoCloudApplicationNotification + data: 1 + type: dword when: - - rule_18_7_1_1 + - rule_18_7_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.7.1.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.7.1.1 + - patch - name: "SCORED | 18.8.3.1 | PATCH | (L1) Ensure 'Include command line in process creation events' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit - name: ProcessCreationIncludeCmdLine_Enabled - data: 0 - type: dword - when: rule_18_8_3_1 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit + name: ProcessCreationIncludeCmdLine_Enabled + data: 0 + type: dword + when: + - rule_18_8_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.3.1 + - patch - name: "SCORED | 18.8.4.1 | PATCH | (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'" win_regedit: - path: 
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters - name: AllowEncryptionOracle - data: 0 - type: dword + path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters + name: AllowEncryptionOracle + data: 0 + type: dword when: - - rule_18_8_4_1 + - rule_18_8_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.1 + - patch - name: "SCORED | 18.8.4.2 | PATCH | (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation - name: AllowProtectedCreds - data: 1 - type: dword - when: rule_18_8_4_2 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation + name: AllowProtectedCreds + data: 1 + type: dword + when: + - rule_18_8_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.4.2 + - patch - name: "SCORED | 18.8.5.1 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: EnableVirtualizationBasedSecurity - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: EnableVirtualizationBasedSecurity + data: 1 + type: dword when: - - rule_18_8_5_1 - - ansible_windows_domain_role == "Member server" + - rule_18_8_5_1 + - ansible_windows_domain_role == "Member server" tags: - - nextgen-domaincontroller - - nextgen-memberserver - - rule_18.8.5.1 - - patch + - nextgen-domaincontroller + - nextgen-memberserver + - rule_18.8.5.1 + - patch - name: "SCORED | 18.8.5.2 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection'" win_regedit: - path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: RequirePlatformSecurityFeatures - data: 3 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: RequirePlatformSecurityFeatures + data: 3 + type: dword when: - - rule_18_8_5_2 - - ansible_windows_domain_role == "Member server" + - rule_18_8_5_2 + - ansible_windows_domain_role == "Member server" tags: - - nextgen-domaincontroller - - nextgen-memberserver - - rule_18.8.5.2 - - patch + - nextgen-domaincontroller + - nextgen-memberserver + - rule_18.8.5.2 + - patch - name: "SCORED | 18.8.5.3 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HypervisorEnforcedCodeIntegrity - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HypervisorEnforcedCodeIntegrity + data: 1 + type: dword when: - - rule_18_8_5_3 + - rule_18_8_5_3 tags: - - nextgen-domaincontroller - - nextgen-memberserver - - rule_18.8.5.3 - - patch + - nextgen-domaincontroller + - nextgen-memberserver + - rule_18.8.5.3 + - patch - name: "SCORED | 18.8.5.4 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HVCIMATRequired - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HVCIMATRequired + data: 1 + type: dword when: - - rule_18_8_5_4 + - rule_18_8_5_4 tags: - - nextgen-domaincontroller - - nextgen-memberserver - - rule_18.8.5.4 - - patch + - nextgen-domaincontroller + - nextgen-memberserver + - rule_18.8.5.4 + - patch - name: "SCORED | 18.8.5.5 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only)" win_regedit: - path: 
HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 1 + type: dword when: - - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_5_5 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - nextgen-memberserver - - rule_18.8.5.5 - - patch + - nextgen-memberserver + - rule_18.8.5.5 + - patch - name: "SCORED | 18.8.5.6 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Disabled' (DC Only)" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 0 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 0 + type: dword when: - - rule_18_8_5_6 - - ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_5_6 + - ansible_windows_domain_role == "Primary domain controller" tags: - - nextgen-domaincontroller - - rule_18.8.5.6 - - patch + - nextgen-domaincontroller + - rule_18.8.5.6 + - patch - name: "SCORED | 18.8.5.7 | PATCH | (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: ConfigureSystemGuardLaunch - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: ConfigureSystemGuardLaunch + data: 1 + type: dword when: - - rule_18_8_5_7 + - rule_18_8_5_7 tags: - - nextgen-domaincontroller - - nextgen-memberserver - - rule_18.8.5.7 - - patch + - nextgen-domaincontroller + - nextgen-memberserver + - rule_18.8.5.7 + - patch - name: "SCORED | 18.8.14.1 | PATCH | (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'" win_regedit: - path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch - name: 
DriverLoadPolicy - data: 3 - type: dword - when: rule_18_8_14_1 + path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch + name: DriverLoadPolicy + data: 3 + type: dword + when: + - rule_18_8_14_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.14.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.14.1 + - patch - name: "SCORED | 18.8.21.2 | PATCH | (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoBackgroundPolicy - data: 0 - type: dword - when: rule_18_8_21_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoBackgroundPolicy + data: 0 + type: dword + when: + - rule_18_8_21_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.2 + - patch - name: "SCORED | 18.8.21.3 | PATCH | (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE's" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoGPOListChanges - data: 0 - type: dword - when: rule_18_8_21_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoGPOListChanges + data: 0 + type: dword + when: + - rule_18_8_21_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.3 + - patch - name: "SCORED | 18.8.21.4 | PATCH | (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableCdp - data: 0 - type: 
dword - when: rule_18_8_21_4 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableCdp + data: 0 + type: dword + when: + - rule_18_8_21_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.4 + - patch - name: "SCORED | 18.8.21.5 | PATCH | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: yes - when: rule_18_8_21_5 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy + state: absent + delete_key: yes + when: + - rule_18_8_21_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.21.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.21.5 + - patch - name: "SCORED | 18.8.22.1.1 | PATCH | (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableWebPnPDownload - data: 1 - type: dword - when: rule_18_8_22_1_1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableWebPnPDownload + data: 1 + type: dword + when: + - rule_18_8_22_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.22.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.22.1.1 + - patch - name: "SCORED | 18.8.22.1.2 | PATCH | (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc - name: PreventHandwritingDataSharing - data: 1 - type: dword - when: rule_18_8_22_1_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc + name: PreventHandwritingDataSharing + data: 1 + type: dword + when: + - rule_18_8_22_1_2 tags: - - level2-domaincontroller - - 
level2-memberserver - - rule_18.8.22.1.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.2 + - patch - name: "SCORED | 18.8.22.1.3 | PATCH | (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports - name: PreventHandwritingErrorReports - data: 1 - type: dword - when: rule_18_8_22_1_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports + name: PreventHandwritingErrorReports + data: 1 + type: dword + when: + - rule_18_8_22_1_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.3 + - patch - name: "SCORED | 18.8.22.1.4 | PATCH | (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard - name: ExitOnMSICW - data: 1 - type: dword - when: rule_18_8_22_1_4 + path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard + name: ExitOnMSICW + data: 1 + type: dword + when: + - rule_18_8_22_1_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.4 + - patch - name: "SCORED | 18.8.22.1.5 | PATCH | (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoWebServices - data: 1 - type: dword - when: rule_18_8_22_1_5 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoWebServices + data: 1 + type: dword + when: + - rule_18_8_22_1_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.22.1.5 - - patch + - level1-domaincontroller + - 
level1-memberserver + - rule_18.8.22.1.5 + - patch - name: "SCORED | 18.8.22.1.6 | PATCH | (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableHTTPPrinting - data: 1 - type: dword - when: rule_18_8_22_1_6 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableHTTPPrinting + data: 1 + type: dword + when: + - rule_18_8_22_1_6 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.6 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.6 + - patch - name: "SCORED | 18.8.22.1.7 | PATCH | (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control - name: NoRegistration - data: 1 - type: dword - when: rule_18_8_22_1_7 + path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control + name: NoRegistration + data: 1 + type: dword + when: + - rule_18_8_22_1_7 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.7 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.7 + - patch - name: "SCORED |18.8.22.1.8 | PATCH | (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Searchcompanion - name: DisableContentFileUpdates - data: 1 - type: dword - when: rule_18_8_22_1_8 + path: HKLM:\Software\Policies\Microsoft\Searchcompanion + name: DisableContentFileUpdates + data: 1 + type: dword + when: + - rule_18_8_22_1_8 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.8 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.8 + - patch - name: "SCORED | 18.8.22.1.9 | PATCH | (L2) Ensure 'Turn off the Order Prints picture task' is set to 'Enabled'" win_regedit: - path: 
HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoOnlinePrintsWizard - data: 1 - type: dword - when: rule_18_8_22_1_9 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoOnlinePrintsWizard + data: 1 + type: dword + when: + - rule_18_8_22_1_9 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.9 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.9 + - patch - name: "SCORED | 18.8.22.1.10 | PATCH | (L2) Ensure 'Turn off the Publish to Web task for files and folders' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoPublishingWizard - data: 1 - type: dword - when: rule_18_8_22_1_10 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoPublishingWizard + data: 1 + type: dword + when: + - rule_18_8_22_1_10 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.10 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.10 + - patch - name: "SCORED | 18.8.22.1.11 | PATCH | (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Messenger\Client - name: CEIP - data: 2 - type: dword - when: rule_18_8_22_1_11 + path: HKLM:\Software\Policies\Microsoft\Messenger\Client + name: CEIP + data: 2 + type: dword + when: + - rule_18_8_22_1_11 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.11 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.11 + - patch - name: "SCORED | 18.8.22.1.12 | PATCH | (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows - name: CEIPEnable - data: 0 - type: dword - when: rule_18_8_22_1_12 + path: 
HKLM:\Software\Policies\Microsoft\Sqmclient\Windows + name: CEIPEnable + data: 0 + type: dword + when: + - rule_18_8_22_1_12 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.12 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.12 + - patch - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'" block: - - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Windows Error Reporting" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting - name: Disabled - data: 1 - type: dword - - - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | ErrorReporting" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting - name: DoReport - data: 0 - type: dword - when: rule_18_8_22_1_13 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.22.1.13 - - patch + - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Windows Error Reporting" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting + name: Disabled + data: 1 + type: dword + + - name: "SCORED | 18.8.22.1.13 | PATCH | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | ErrorReporting" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting + name: DoReport + data: 0 + type: dword + when: + - rule_18_8_22_1_13 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.8.22.1.13 + - patch - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'" block: - - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitBehavior" - 
win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitBehavior - data: 0 - type: dword - - - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitEnabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitEnabled - data: 1 - type: dword - when: rule_18_8_25_1 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.25.1 - - patch + - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitBehavior" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters + name: DevicePKInitBehavior + data: 0 + type: dword + + - name: "SCORED | 18.8.25.1 | PATCH | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' | DevicePKInitEnabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters + name: DevicePKInitEnabled + data: 1 + type: dword + when: + - rule_18_8_25_1 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.8.25.1 + - patch - name: "SCORED | 18.8.27.1 | PATCH | (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Control Panel\International - name: BlockUserInputMethodsForSignIn - data: 1 - type: dword - when: rule_18_8_27_1 + path: HKLM:\Software\Policies\Microsoft\Control Panel\International + name: BlockUserInputMethodsForSignIn + data: 1 + type: dword + when: + - rule_18_8_27_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.27.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.27.1 + - patch - name: "SCORED | 
18.8.28.1 | PATCH | (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockUserFromShowingAccountDetailsOnSignin - data: 1 - type: dword - when: rule_18_8_28_1 + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: BlockUserFromShowingAccountDetailsOnSignin + data: 1 + type: dword + when: + - rule_18_8_28_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.28.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.1 + - patch - name: "SCORED | 18.8.28.2 | PATCH | (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontDisplayNetworkSelectionUI - data: 1 - type: dword - when: rule_18_8_28_2 + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: DontDisplayNetworkSelectionUI + data: 1 + type: dword + when: + - rule_18_8_28_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.28.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.2 + - patch - name: "SCORED | 18.8.28.3 | PATCH | (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontEnumerateConnectedUsers - data: 1 - type: dword - when: rule_18_8_28_3 + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: DontEnumerateConnectedUsers + data: 1 + type: dword + when: + - rule_18_8_28_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.28.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.3 + - patch - name: "SCORED | 18.8.28.4 | PATCH | (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (MS only)" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: 
EnumerateLocalUsers - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: EnumerateLocalUsers + data: 0 + type: dword when: - - rule_18_8_28_4 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_28_4 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.8.28.4 - - patch + - level1-memberserver + - rule_18.8.28.4 + - patch - name: "SCORED | 18.8.28.5 | PATCH | (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DisableLockScreenAppNotifications - data: 1 - type: dword - when: rule_18_8_28_5 + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: DisableLockScreenAppNotifications + data: 1 + type: dword + when: + - rule_18_8_28_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.28.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.5 + - patch - name: "SCORED | 18.8.28.6 | PATCH | (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockDomainPicturePassword - data: 1 - type: dword - when: rule_18_8_28_6 + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: BlockDomainPicturePassword + data: 1 + type: dword + when: + - rule_18_8_28_6 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.28.6 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.6 + - patch - name: "SCORED | 18.8.28.7 | PATCH | (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: AllowDomainPINLogon - data: 0 - type: dword - when: rule_18_8_28_7 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.28.7 - - patch - + path: 
HKLM:\Software\Policies\Microsoft\Windows\System + name: AllowDomainPINLogon + data: 0 + type: dword + when: + - rule_18_8_28_7 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.8.28.7 + - patch + - name: "SCORED | 18.8.34.6.1 | PATCH | (L2) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 - name: DCSettingIndex - data: 0 - type: dword - when: rule_18_8_34_6_1 + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 + name: DCSettingIndex + data: 0 + type: dword + when: + - rule_18_8_34_6_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.34.6.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.34.6.1 + - patch - name: "SCORED | 18.8.34.6.2 | PATCH | (L2) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 - name: ACSettingIndex - data: 0 - type: dword - when: rule_18_8_34_6_2 + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 + name: ACSettingIndex + data: 0 + type: dword + when: + - rule_18_8_34_6_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.34.6.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.34.6.2 + - patch - name: "SCORED | 18.8.34.6.3 | PATCH | (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 - name: DCSettingIndex - data: 1 - type: dword - when: rule_18_8_34_6_3 + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + name: DCSettingIndex + 
data: 1 + type: dword + when: + - rule_18_8_34_6_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.34.6.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.34.6.3 + - patch - name: "SCORED | 18.8.34.6.4 | PATCH | (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 - name: ACSettingIndex - data: 1 - type: dword - when: rule_18_8_34_6_4 + path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 + name: ACSettingIndex + data: 1 + type: dword + when: + - rule_18_8_34_6_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.34.6.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.34.6.4 + - patch - name: "SCORED | 18.8.36.1 | PATCH | (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fAllowUnsolicited - data: 0 - type: dword - when: rule_18_8_36_1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fAllowUnsolicited + data: 0 + type: dword + when: + - rule_18_8_36_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.36.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.8.36.1 + - patch - name: "SCORED | 18.8.36.2 | PATCH | (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fAllowToGetHelp - data: 0 - type: dword - when: rule_18_8_36_2 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fAllowToGetHelp + data: 0 + type: dword + when: + - rule_18_8_36_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.8.36.2 - - patch + - level1-domaincontroller + - 
level1-memberserver + - rule_18.8.36.2 + - patch - name: "SCORED | 18.8.37.1 | PATCH | (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc - name: EnableAuthEpResolution - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc + name: EnableAuthEpResolution + data: 1 + type: dword when: - - rule_18_8_37_1 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_37_1 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level1-memberserver - - rule_18.8.37.1 - - patch + - level1-memberserver + - rule_18.8.37.1 + - patch - name: "SCORED | 18.8.37.2 | PATCH | (L2) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (MS only)" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc - name: RestrictRemoteClients - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc + name: RestrictRemoteClients + data: 1 + type: dword when: - - rule_18_8_37_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_37_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2-memberserver - - rule_18.8.37.2 - - patch + - level2-memberserver + - rule_18.8.37.2 + - patch - name: "SCORED | 18.8.47.5.1 | PATCH | (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy - name: DisableQueryRemoteServer - data: 0 - type: dword - when: rule_18_8_47_5_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy + name: DisableQueryRemoteServer + data: 0 + type: dword + when: + - rule_18_8_47_5_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.47.5.1 - - patch + - 
level2-domaincontroller + - level2-memberserver + - rule_18.8.47.5.1 + - patch - name: "SCORED | 18.8.47.11.1 | PATCH |(L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} - name: ScenarioExecutionEnabled - data: 0 - type: dword - when: rule_18_8_47_11_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} + name: ScenarioExecutionEnabled + data: 0 + type: dword + when: + - rule_18_8_47_11_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.47.11.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.47.11.1 + - patch - name: "SCORED | 18.8.49.1 | PATCH | (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo - name: DisabledByGroupPolicy - data: 1 - type: dword - when: rule_18_8_49_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo + name: DisabledByGroupPolicy + data: 1 + type: dword + when: + - rule_18_8_49_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.49.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.49.1 + - patch - name: "SCORED | 18.8.52.1.1 | PATCH | (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient - name: Enabled - data: 1 - type: dword - when: rule_18_8_52_1_1 + path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient + name: Enabled + data: 1 + type: dword + when: + - rule_18_8_52_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.8.52.1.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.8.52.1.1 + - patch - name: "SCORED | 18.8.52.1.2 | PATCH | (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only)" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver - name: Enabled - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver + name: Enabled + data: 0 + type: dword when: - - rule_18_8_52_1_2 - - not ansible_windows_domain_role == "Primary domain controller" + - rule_18_8_52_1_2 + - not ansible_windows_domain_role == "Primary domain controller" tags: - - level2-memberserver - - rule_18.8.52.1.2 - - patch + - level2-memberserver + - rule_18.8.52.1.2 + - patch - name: "SCORED | 18.9.4.1 | PATCH | (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager - name: AllowSharedLocalAppData - data: 0 - type: dword - when: rule_18_9_4_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager + name: AllowSharedLocalAppData + data: 0 + type: dword + when: + - rule_18_9_4_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.4.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.4.1 + - patch - name: "SCORED | 18.9.6.1 | PATCH | (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: MSAOptional - data: 1 - type: dword - when: rule_18_9_6_1 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: MSAOptional + data: 1 + type: dword + when: + - rule_18_9_6_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.6.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.6.1 + - patch - name: "SCORED | 18.9.8.1 | PATCH | (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoAutoplayfornonVolume - data: 1 - type: dword - when: rule_18_9_8_1 + 
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoAutoplayfornonVolume + data: 1 + type: dword + when: + - rule_18_9_8_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.8.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.8.1 + - patch - name: "SCORED | 18.9.8.2 | PATCH | (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoAutorun - data: 1 - type: dword - when: rule_18_9_8_2 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoAutorun + data: 1 + type: dword + when: + - rule_18_9_8_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.8.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.8.2 + - patch - name: "SCORED | 18.9.8.3 | PATCH | (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoDriveTypeAutoRun - data: 255 - type: dword - when: rule_18_9_8_3 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoDriveTypeAutoRun + data: 255 + type: dword + when: + - rule_18_9_8_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.8.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.8.3 + - patch - name: "SCORED | 18.9.10.1.1 | PATCH | (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures - name: EnhancedAntiSpoofing - data: 1 - type: dword - when: rule_18_9_10_1_1 + path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures + name: EnhancedAntiSpoofing + data: 1 + type: dword + when: + - rule_18_9_10_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.10.1.1 - - patch + 
- level1-domaincontroller + - level1-memberserver + - rule_18.9.10.1.1 + - patch - name: "SCORED | 18.9.12.1 | PATCH | (L2) Ensure 'Allow Use of Camera' is set to 'Disabled's" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Camera - name: AllowCamera - data: 1 - type: dword - when: rule_18_9_12_1 + path: HKLM:\SOFTWARE\Policies\Microsoft\Camera + name: AllowCamera + data: 1 + type: dword + when: + - rule_18_9_12_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.12.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.12.1 + - patch - name: "SCORED | 18.9.13.1 | PATCH | (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableWindowsConsumerFeatures - data: 1 - type: dword - when: rule_18_9_13_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent + name: DisableWindowsConsumerFeatures + data: 1 + type: dword + when: + - rule_18_9_13_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.13.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.13.1 + - patch - name: "SCORED | 18.9.14.1 | PATCH | (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect - name: RequirePinForPairing - data: 1 - type: dword - when: rule_18_9_14_1 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect + name: RequirePinForPairing + data: 1 + type: dword + when: + - rule_18_9_14_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.14.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.14.1 + - patch - name: "SCORED | 18.9.15.1 | PATCH | (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Credui - name: DisablePasswordReveal - data: 1 - 
type: dword - when: rule_18_9_15_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Credui + name: DisablePasswordReveal + data: 1 + type: dword + when: + - rule_18_9_15_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.15.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.15.1 + - patch - name: "SCORED | 18.9.15.2 | PATCH | (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui - name: EnumerateAdministrators - data: 0 - type: dword - when: rule_18_9_15_2 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui + name: EnumerateAdministrators + data: 0 + type: dword + when: + - rule_18_9_15_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.15.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.15.2 + - patch - name: "SCORED | 18.9.16.1 | PATCH | (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: AllowTelemetry - data: 0 - type: dword - when: rule_18_9_16_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: AllowTelemetry + data: 0 + type: dword + when: + - rule_18_9_16_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.16.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.1 + - patch - name: "SCORED | 18.9.16.2 | PATCH | (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DisableEnterpriseAuthProxy - data: 0 - type: dword - when: rule_18_9_16_2 - tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.16.2 - - patch - 
+ path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection + name: DisableEnterpriseAuthProxy + data: 0 + type: dword + when: + - rule_18_9_16_2 + tags: + - level2-domaincontroller + - level2-memberserver + - rule_18.9.16.2 + - patch + - name: "SCORED | 18.9.16.3 | PATCH | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds - name: EnableConfigFlighting - data: 01 - type: dword - when: rule_18_9_16_3 + path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds + name: EnableConfigFlighting + data: 01 + type: dword + when: + - rule_18_9_16_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.16.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.16.3 + - patch - name: "SCORED | 18.9.16.4 | PATCH | (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds - name: AllowBuildPreview - data: 0 - type: dword - when: rule_18_9_16_4 + path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds + name: AllowBuildPreview + data: 0 + type: dword + when: + - rule_18_9_16_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.16.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.16.4 + - patch - name: "SCORED | 18.9.26.1.1 | PATCH | (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application - name: Retention - data: 0 - type: dword - when: rule_18_9_26_1_1 + path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application + name: Retention + data: 0 + type: string + when: + - rule_18_9_26_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - 
rule_18.9.26.1.1 + - patch - name: "SCORED | 18.9.26.1.2 | PATCH | (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application - name: MaxSize - data: 65538 - type: dword - when: rule_18_9_26_1_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application + name: MaxSize + data: "{{ app_maxsize }}" + type: dword + when: + - rule_18_9_26_1_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.1.2 + - patch - name: "SCORED | 18.9.26.2.1 | PATCH | (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: Retention - data: 0 - type: string - when: rule_18_9_26_2_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: Retention + data: 0 + type: string + when: + - rule_18_9_26_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.2.1 + - patch - name: "SCORED | 18.9.26.2.2 | PATCH | (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: MaxSize - data: 196608 - type: dword - when: rule_18_9_26_2_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security + name: MaxSize + data: "{{ sec_maxsize }}" + type: dword + when: + - rule_18_9_26_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.2.2 + - patch - name: "SCORED | 18.9.26.3.1 | PATCH | (L1) Ensure 'Setup: Control Event Log behavior when the log file 
reaches its maximum size' is set to 'Disabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup - name: Retention - data: 0 - type: string - when: rule_18_9_26_3_1 + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup + name: Retention + data: 0 + type: string + when: + - rule_18_9_26_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.3.1 + - patch - name: "SCORED | 18.9.26.3.2 | PATCH | (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup - name: MaxSize - data: 32768 - type: dword - when: rule_18_9_26_3_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup + name: MaxSize + data: 32768 + type: dword + when: + - rule_18_9_26_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.3.2 + - patch - name: "SCORED | 18.9.26.4.1 | PATCH | (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: Retention - data: 0 - type: string - when: rule_18_9_26_4_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: Retention + data: 0 + type: string + when: + - rule_18_9_26_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.4.1 + - patch - name: "SCORED | 18.9.26.4.2 | PATCH | (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: MaxSize - data: 65538 - type: dword - when: rule_18_9_26_4_2 
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System + name: MaxSize + data: "{{ sys_maxsize }}" + type: dword + when: + - rule_18_9_26_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.26.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.26.4.2 + - patch - name: "SCORED | 18.9.30.2 | PATCH | (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoDataExecutionPrevention - data: 0 - type: dword - when: rule_18_9_30_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoDataExecutionPrevention + data: 0 + type: dword + when: + - rule_18_9_30_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.30.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.2 + - patch - name: "SCORED | 18.9.30.3 | PATCH | (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoHeapTerminationOnCorruption - data: 0 - type: dword - when: rule_18_9_30_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Explorer + name: NoHeapTerminationOnCorruption + data: 0 + type: dword + when: + - rule_18_9_30_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.30.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.3 + - patch - name: "SCORED | 18.9.30.4 | PATCH | (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: PreXPSP2ShellProtocolBehavior - data: 0 - type: dword - when: rule_18_9_30_4 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: PreXPSP2ShellProtocolBehavior + data: 0 + type: dword + when: + - rule_18_9_30_4 tags: - - level1-domaincontroller - - 
level1-memberserver - - rule_18.9.30.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.30.4 + - patch - name: "SCORED | 18.9.39.1 | PATCH | (L2) Ensure 'Turn off location' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors - name: DisableLocation - data: 1 - type: dword - when: rule_18_9_39_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors + name: DisableLocation + data: 1 + type: dword + when: + - rule_18_9_39_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.39.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.39.1 + - patch - name: "SCORED | 18.9.43.1 | PATCH | (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Messaging - name: AllowMessageSync - data: 0 - type: dword - when: rule_18_9_43_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Messaging + name: AllowMessageSync + data: 0 + type: dword + when: + - rule_18_9_43_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.43.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.43.1 + - patch - name: "SCORED | 18.9.44.1 | PATCH | (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount - name: DisableUserAuth - data: 1 - type: dword - when: rule_18_9_44_1 + path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount + name: DisableUserAuth + data: 1 + type: dword + when: + - rule_18_9_44_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.44.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.44.1 + - patch - name: "SCORED | 18.9.52.1 | PATCH | (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Onedrive - name: DisableFileSyncNGSC - data: 1 - type: dword - when: rule_18_9_52_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive + name: DisableFileSyncNGSC + data: 1 + type: dword + when: + - rule_18_9_52_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.52.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.52.1 + - patch - name: "SCORED | 18.9.59.2.2 | PATCH | (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DisablePasswordSaving - data: 1 - type: dword - when: rule_18_9_59_2_2 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DisablePasswordSaving + data: 1 + type: dword + when: + - rule_18_9_59_2_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.58.2.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.58.2.2 + - patch - name: "SCORED | 18.9.59.3.2.1 | PATCH | (L2) Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fSingleSessionPerUser - data: 1 - type: dword - when: rule_18_9_59_3_2_1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fSingleSessionPerUser + data: 1 + type: dword + when: + - rule_18_9_59_3_2_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.2.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.2.1 + - patch - name: "SCORED | 18.9.59.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCcm - data: 1 - type: dword - when: rule_18_9_59_3_3_1 + path: HKLM:\Software\Policies\Microsoft\Windows 
Nt\Terminal Services + name: fDisableCcm + data: 1 + type: dword + when: + - rule_18_9_59_3_3_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.1 + - patch - name: "SCORED | 18.9.59.3.3.2 | PATCH | (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCdm - data: 1 - type: dword - when: rule_18_9_59_3_3_2 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableCdm + data: 1 + type: dword + when: + - rule_18_9_59_3_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.3.2 + - patch - name: "SCORED | 18.9.59.3.3.3 | PATCH | (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableLPT - data: 1 - type: dword - when: rule_18_9_59_3_3_3 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisableLPT + data: 1 + type: dword + when: + - rule_18_9_59_3_3_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.3 + - patch - name: "SCORED | 18.9.59.3.3.4 | PATCH | (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisablePNPRedir - data: 1 - type: dword - when: rule_18_9_59_3_3_4 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fDisablePNPRedir + data: 1 + type: dword + when: + - rule_18_9_59_3_3_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.3.4 - - patch + - 
level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.3.4 + - patch - name: "SCORED | 18.9.59.3.9.1 | PATCH | (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fPromptForPassword - data: 1 - type: dword - when: rule_18_9_59_3_9_1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fPromptForPassword + data: 1 + type: dword + when: + - rule_18_9_59_3_9_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.1 + - patch - name: "SCORED | 18.9.59.3.9.2 | PATCH | (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fEncryptRPCTraffic - data: 1 - type: dword - when: rule_18_9_59_3_9_2 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: fEncryptRPCTraffic + data: 1 + type: dword + when: + - rule_18_9_59_3_9_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.2 + - patch - name: "SCORED | 18.9.59.3.9.3 | PATCH | (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - name: SecurityLayer - data: 2 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: SecurityLayer + data: 2 + type: dword when: - rule_18_9_59_3_9_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.3 + - patch - name: "SCORED | 18.9.59.3.9.4 | PATCH | (L1) Ensure 'Require user authentication for remote connections 
by using Network Level Authentication' is set to 'Enabled'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services - name: UserAuthentication - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services + name: UserAuthentication + data: 1 + type: dword when: - - rule_18_9_59_3_9_4 + - rule_18_9_59_3_9_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.4 + - patch - name: "SCORED | 18.9.59.3.9.5 | PATCH | (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MinEncryptionLevel - data: 3 - type: dword - when: rule_18_9_59_3_9_5 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MinEncryptionLevel + data: 3 + type: dword + when: + - rule_18_9_59_3_9_5 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.9.5 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.9.5 + - patch - name: "SCORED | 18.9.59.3.10.1 | PATCH | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxIdleTime - data: 3600000 - type: dword - when: rule_18_9_59_3_10_1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxIdleTime + data: 3600000 + type: dword + when: + - rule_18_9_59_3_10_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.10.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.1 + - patch - name: "SCORED | 18.9.59.3.10.2 | PATCH | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: MaxDisconnectionTime - data: 28800000 - type: dword - when: rule_18_9_59_3_10_2 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: MaxDisconnectionTime + data: 28800000 + type: dword + when: + - rule_18_9_59_3_10_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.59.3.10.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.59.3.10.2 + - patch - name: "SCORED | 18.9.59.3.11.1 | PATCH | (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DeleteTempDirsOnExit - data: 1 - type: dword - when: rule_18_9_59_3_11_1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: DeleteTempDirsOnExit + data: 1 + type: dword + when: + - rule_18_9_59_3_11_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.11.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.1 + - patch - name: "SCORED | 18.9.59.3.11.2 | PATCH | (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: PerSessionTempDir - data: 1 - type: dword - when: rule_18_9_59_3_11_2 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services + name: PerSessionTempDir + data: 1 + type: dword + when: + - rule_18_9_59_3_11_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.59.3.11.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.59.3.11.2 + - patch - name: "SCORED | 18.9.60.1 | PATCH | (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds - name: DisableEnclosureDownload - data: 1 - type: dword - when: rule_18_9_60_1 + path: 
HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds + name: DisableEnclosureDownload + data: 1 + type: dword + when: + - rule_18_9_60_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.60.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.60.1 + - patch - name: "SCORED | 18.9.61.2 | PATCH | (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowCloudSearch - data: 0 - type: dword - when: rule_18_9_61_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowCloudSearch + data: 0 + type: dword + when: + - rule_18_9_61_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.61.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.61.2 + - patch - name: "SCORED | 18.9.61.3 | PATCH | (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search - name: AllowIndexingEncryptedStoresOrItems - data: 0 - type: dword - when: rule_18_9_61_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search + name: AllowIndexingEncryptedStoresOrItems + data: 0 + type: dword + when: + - rule_18_9_61_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.61.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.61.3 + - patch - name: "SCORED | 18.9.66.1 | PATCH | (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform - name: NoGenTicket - data: 1 - type: dword - when: rule_18_9_66_1 + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform + name: NoGenTicket + data: 1 + type: dword + when: + - rule_18_9_66_1 tags: - - level2-domaincontroller - - 
level2-memberserver - - rule_18.9.66.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.66.1 + - patch - name: "SCORED | 18.9.77.3.1 | PATCH | (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: LocalSettingOverrideSpynetReporting - data: 0 - type: dword - when: rule_18_9_77_3_1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: LocalSettingOverrideSpynetReporting + data: 0 + type: dword + when: + - rule_18_9_77_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.3.1 + - patch - name: "SCORED | 18.9.77.3.2 | PATCH | (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet - name: SpynetReporting - data: 0 - type: dword - when: rule_18_9_77_3_2 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet + name: SpynetReporting + data: 0 + type: dword + when: + - rule_18_9_77_3_2 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.77.3.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.3.2 + - patch - name: "SCORED | 18.9.77.7.1 | PATCH | (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection - name: DisableBehaviorMonitoring - data: 0 - type: dword - when: rule_18_9_77_7_1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection + name: DisableBehaviorMonitoring + data: 0 + type: dword + when: + - rule_18_9_77_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.7.1 + - patch - name: "SCORED | 18.9.77.9.1 | PATCH | 
(L2) Ensure 'Configure Watson events' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting - name: DisableGenericRePorts - data: 1 - type: dword - when: rule_18_9_77_9_1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting + name: DisableGenericRePorts + data: 1 + type: dword + when: + - rule_18_9_77_9_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.77.9.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.77.9.1 + - patch - name: "SCORED | 18.9.77.10.1 | PATCH | (L1) Ensure 'Scan removable drives' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: DisableRemovableDriveScanning - data: 0 - type: dword - when: rule_18_9_77_10_1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableRemovableDriveScanning + data: 0 + type: dword + when: + - rule_18_9_77_10_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.10.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.1 + - patch - name: "SCORED | 18.9.77.10.2 | PATCH | (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan - name: DisableEmailScanning - data: 0 - type: dword - when: rule_18_9_77_10_2 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan + name: DisableEmailScanning + data: 0 + type: dword + when: + - rule_18_9_77_10_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.10.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.10.2 + - patch - name: "SCORED | 18.9.77.13.3.1 | PATCH | (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection - name: 
EnableNetworkProtection - data: 1 - type: dword - when: rule_18_9_77_13_3_1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection + name: EnableNetworkProtection + data: 1 + type: dword + when: + - rule_18_9_77_13_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.13.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.13.3.1 + - patch - name: "SCORED | 18.9.77.14 | PA | (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'" win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender - name: PUAProtection - data: 1 - type: dword + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender + name: PUAProtection + data: 1 + type: dword when: - - rule_18_9_77_14 + - rule_18_9_77_14 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.14 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.14 + - patch - name: "SCORED | 18.9.77.15 | PATCH | (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender - name: DisableAntiSpyware - data: 0 - type: dword - when: rule_18_9_77_15 + path: HKLM:\Software\Policies\Microsoft\Windows Defender + name: DisableAntiSpyware + data: 0 + type: dword + when: + - rule_18_9_77_15 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.77.15 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.77.15 + - patch - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'" block: - - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | EnableSmartScreen" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: EnableSmartScreen - 
data: 1 - type: dword - - - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | ShellSmartScreenLevel" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: ShellSmartScreenLevel - data: Block - type: string - when: rule_18_9_80_1_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.80.1.1 - - patch + - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | EnableSmartScreen" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: EnableSmartScreen + data: 1 + type: dword + + - name: "SCORED | 18.9.80.1.1 | PATCH | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | ShellSmartScreenLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\System + name: ShellSmartScreenLevel + data: Block + type: string + when: + - rule_18_9_80_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.80.1.1 + - patch - name: "SCORED | 18.9.84.1 | PATCH | (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace - name: AllowSuggestedAppsInWindowsInkWorkspace - data: 0 - type: dword - when: rule_18_9_84_1 + path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace + name: AllowSuggestedAppsInWindowsInkWorkspace + data: 0 + type: dword + when: + - rule_18_9_84_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.84.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.84.1 + - patch - name: "SCORED | 18.9.84.2 | PATCH | (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'" win_regedit: - path: 
HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace - name: AllowWindowsInkWorkspace - data: 1 - type: dword - when: rule_18_9_84_2 + path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace + name: AllowWindowsInkWorkspace + data: 1 + type: dword + when: + - rule_18_9_84_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.84.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.84.2 + - patch - name: "SCORED | 18.9.85.1 | PATCH | (L1) Ensure 'Allow user control over installs' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: EnableUserControl - data: 0 - type: dword - when: rule_18_9_85_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: EnableUserControl + data: 0 + type: dword + when: + - rule_18_9_85_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.85.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.1 + - patch - name: "SCORED | 18.9.85.2 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword - when: rule_18_9_85_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + when: + - rule_18_9_85_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.85.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.85.2 + - patch - name: "SCORED | 18.9.85.3 | PATCH | (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Installer - name: SafeForScripting - data: 0 - type: dword - when: rule_18_9_85_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Installer + name: SafeForScripting + data: 0 + type: dword + when: + - 
rule_18_9_85_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.85.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.85.3 + - patch - name: "SCORED | 18.9.86.1 | PATCH | (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: DisableAutomaticRestartSignOn - data: 1 - type: dword - when: rule_18_9_86_1 + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableAutomaticRestartSignOn + data: 1 + type: dword + when: + - rule_18_9_86_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.86.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.86.1 + - patch - name: "SCORED | 18.9.95.1 | PATCH | (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging - name: EnableScriptBlockLogging - data: 1 - type: dword - when: rule_18_9_95_1 + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging + name: EnableScriptBlockLogging + data: 0 + type: dword + when: + - rule_18_9_95_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.95.1 + - patch - name: "SCORED | 18.9.95.2 | PATCH | (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription - name: EnableTranscripting - data: 0 - type: dword - when: rule_18_9_95_2 + path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription + name: EnableTranscripting + data: 0 + type: dword + when: + - rule_18_9_95_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.95.2 - - patch + - level1-domaincontroller + - 
level1-memberserver + - rule_18.9.95.2 + - patch - name: "SCORED | 18.9.97.1.1 | PATCH | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowBasic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowBasic + data: 0 + type: dword when: - - rule_18_9_97_1_1 - - not win_skip_for_test + - rule_18_9_97_1_1 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.1 + - patch - name: "SCORED | 18.9.97.1.2 | PATCH | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowUnencryptedTraffic - data: 0 - type: dword - when: - - rule_18_9_97_1_2 - - not win_skip_for_test + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowUnencryptedTraffic + data: 0 + type: dword + when: + - rule_18_9_97_1_2 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.2 + - patch - name: "SCORED | 18.9.97.1.3 | PATCH | (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client - name: AllowDigest - data: 0 - type: dword - when: rule_18_9_97_1_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client + name: AllowDigest + data: 0 + type: dword + when: + - rule_18_9_97_1_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.1.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.1.3 + - patch - name: "SCORED | 18.9.97.2.1 | PATCH | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'" win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowBasic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowBasic + data: 0 + type: dword when: - - rule_18_9_97_2_1 - - not win_skip_for_test + - rule_18_9_97_2_1 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.1 + - patch -#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart - name: "SCORED | 18.9.97.2.2 | PATCH | (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowAutoConfig - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowAutoConfig + data: 0 + type: dword when: - - rule_18_9_97_2_2 - - not win_skip_for_test + - rule_18_9_97_2_2 + - not win_skip_for_test tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.97.2.2 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.97.2.2 + - patch - name: "SCORED | 18.9.97.2.3 | PATCH | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: AllowUnencryptedTraffic - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: AllowUnencryptedTraffic + data: 0 + type: dword when: - - rule_18_9_97_2_3 - - not win_skip_for_test + - rule_18_9_97_2_3 + - not win_skip_for_test tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.3 + - patch - 
name: "SCORED | 18.9.97.2.4 | PATCH | (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service - name: DisableRunAs - data: 1 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service + name: DisableRunAs + data: 1 + type: dword when: - - rule_18_9_97_2_4 + - rule_18_9_97_2_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.97.2.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.97.2.4 + - patch -#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart +# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart - name: "SCORED | 18.9.98.1 | PATCH | (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs - name: AllowRemoteShellAccess - data: 0 - type: dword + path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs + name: AllowRemoteShellAccess + data: 0 + type: dword when: - - rule_18_9_98_1 - - is_implemented - - not win_skip_for_test + - rule_18_9_98_1 + - is_implemented + - not win_skip_for_test tags: - - level2-domaincontroller - - level2-memberserver - - rule_18.9.98.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_18.9.98.1 + - patch - name: "SCORED | 18.9.99.2.1 | PATCH | (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection - name: DisallowExploitProtectionOverride - data: 1 - type: dword - when: rule_18_9_99_2_1 + path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection + name: DisallowExploitProtectionOverride + data: 1 + type: dword + when: + - 
rule_18_9_99_2_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.99.2.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.99.2.1 + - patch - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds'" block: - - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: ManagePreviewBuilds - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: ManagePreviewBuildsPolicyValue - data: 0 - type: dword - when: rule_18_9_102_1_1 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.1 - - patch + - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuilds + data: 1 + type: dword + + - name: "SCORED | 18.9.102.1.1 | PATCH | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | ManagePreviewBuilds" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: ManagePreviewBuildsPolicyValue + data: 0 + type: dword + when: + - rule_18_9_102_1_1 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.1 + - patch - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'" block: - - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set 
to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdates" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: DeferFeatureUpdates - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdatesPeriodInDays" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: DeferFeatureUpdatesPeriodInDays - data: 180 - type: dword - - - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | BranchReadinessLevel" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate - name: BranchReadinessLevel - data: 16 - type: dword - when: rule_18_9_102_1_2 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.2 - - patch + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdates" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdates + data: 1 + type: dword + + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | DeferFeatureUpdatesPeriodInDays" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: DeferFeatureUpdatesPeriodInDays + data: 180 + type: dword + + - name: "SCORED | 18.9.102.1.2 | PATCH | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | BranchReadinessLevel" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate + name: 
BranchReadinessLevel + data: 16 + type: dword + when: + - rule_18_9_102_1_2 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.2 + - patch - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'" block: - - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdates" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - name: DeferQualityUpdates - data: 1 - type: dword - - - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdatesPeriodInDays" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate - name: DeferQualityUpdatesPeriodInDays - data: 0 - type: dword - when: rule_18_9_102_1_3 - tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.1.3 - - patch + - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdates" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdates + data: 1 + type: dword + + - name: "SCORED | 18.9.102.1.3 | PATCH | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | DeferQualityUpdatesPeriodInDays" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate + name: DeferQualityUpdatesPeriodInDays + data: 0 + type: dword + when: + - rule_18_9_102_1_3 + tags: + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.1.3 + - patch - name: "SCORED | 18.9.102.2 | PATCH | (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoUpdate - data: 0 - type: dword - when: rule_18_9_102_2 + path: 
HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoUpdate + data: 0 + type: dword + when: + - rule_18_9_102_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.101.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.101.2 + - patch - name: "SCORED | 18.9.102.3 | PATCH | (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: ScheduledInstallDay - data: 0 - type: dword - when: rule_18_9_102_3 + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: ScheduledInstallDay + data: 0 + type: dword + when: + - rule_18_9_102_3 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.3 + - patch - name: "SCORED | 18.9.102.4 | PATCH | (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au - name: NoAutoRebootWithLoggedOnUsers - data: 0 - type: dword - when: rule_18_9_102_4 + path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au + name: NoAutoRebootWithLoggedOnUsers + data: 0 + type: dword + when: + - rule_18_9_102_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_18.9.102.4 - - patch - + - level1-domaincontroller + - level1-memberserver + - rule_18.9.102.4 + - patch diff --git a/tasks/section19.yml b/tasks/section19.yml index 1eb28e1..f90c93e 100644 --- a/tasks/section19.yml +++ b/tasks/section19.yml 
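Review bot: a behaviour change is buried in this otherwise whitespace-only hunk: under 18.9.95.1 the value written for `EnableScriptBlockLogging` goes from `data: 1` to `data: 0`. That does bring the value in line with the task title ('Turn on PowerShell Script Block Logging' is set to 'Disabled'), but it also turns off the event source most defenders rely on for PowerShell visibility (script block events, ID 4104), so it deserves its own commit and a line in the commit message and README telling users that `rule_18_9_95_1` can be set to false to keep logging on. Also in this hunk: the tags for 18.9.102.2 still carry `rule_18.9.101.2` while the title and the `when:` condition say 18.9.102.2, so `--tags rule_18.9.102.2` will skip the task; the comment "This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart" above 18.9.97.2.2 and 18.9.98.1 contradicts the tasks, which still write `data: 0` and are only held back by `not win_skip_for_test`, so a production run with the rule variable true will disable WinRM auto-configuration and remote shell access and cut Ansible off after the next restart (either drop the comment or make the guard reflect it); the title of 18.9.77.14 reads `| PA |` instead of `| PATCH |`; and both sub-tasks of the 18.9.102.1.1 block end in `| ManagePreviewBuilds` although the second one sets `ManagePreviewBuildsPolicyValue`.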
@@ -1,331 +1,345 @@ --- - name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'" block: - - name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string + - name: "SCORED | 19.1.3.1 | PATCH | (L1) Ensure 'Enable screen saver' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string - - name: "SCORED | 19.1.3.1 | PATCH |(L1) Ensure 'Enable screen saver' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveActive - data: 1 - type: string - when: rule_19_1_3_1 + - name: "SCORED | 19.1.3.1 | PATCH |(L1) Ensure 'Enable screen saver' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string + when: + - rule_19_1_3_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.1 + - patch - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" block: - - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr - type: string + - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: 
scrnsave.scr + type: string - - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: SCRNSAVE.EXE - data: scrnsave.scr - type: string - when: rule_19_1_3_2 + - name: "SCORED | 19.1.3.2 | PATCH | (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: scrnsave.scr + type: string + when: + - rule_19_1_3_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.2 + - patch - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" block: - - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string + - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string - - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaverIsSecure - data: 1 - type: string - when: rule_19_1_3_3 + - name: "SCORED | 19.1.3.3 | PATCH | (L1) Ensure 'Password protect the screen saver' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string + when: + - rule_19_1_3_3 tags: - 
- level1-domaincontroller - - level1-memberserver - - rule_19.1.3.3 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.3 + - patch - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" block: - - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string + - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string - - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop - name: ScreenSaveTimeOut - data: 900 - type: string - when: rule_19_1_3_4 + - name: "SCORED | 19.1.3.4 | PATCH | (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string + when: + - rule_19_1_3_4 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.1.3.4 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.1.3.4 + - patch - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" block: - - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen 
- data: 1 - type: dword + - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword - - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications - name: NoToastApplicationNotificationOnLockScreen - data: 1 - type: dword - when: rule_19_5_1_1 + - name: "SCORED | 19.5.1.1 | PATCH | (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword + when: + - rule_19_5_1_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.5.1.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.5.1.1 + - patch - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" block: - - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 - name: NoImplicitFeedback - data: 1 - type: dword + - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword - - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 - name: 
NoImplicitFeedback - data: 1 - type: dword - when: rule_19_6_6_1_1 + - name: "SCORED | 19.6.6.1.1 | PATCH | (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword + when: + - rule_19_6_6_1_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.6.6.1.1 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.6.6.1.1 + - patch - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" block: - - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 3 - type: dword + - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword - - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments - name: SaveZoneInformation - data: 3 - type: dword - when: rule_19_7_4_1 + - name: "SCORED | 19.7.4.1 | PATCH | (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 2 + type: dword + when: + - rule_19_7_4_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.4.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.4.1 + - patch - name: "SCORED | 19.7.4.2 | 
PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" block: - - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword + - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword - - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments - name: ScanWithAntiVirus - data: 3 - type: dword - when: rule_19_7_4_2 + - name: "SCORED | 19.7.4.2 | PATCH | (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword + when: + - rule_19_7_4_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.4.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.4.2 + - patch - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" block: - - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword + - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: 
ConfigureWindowsSpotlight + data: 2 + type: dword - - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: ConfigureWindowsSpotlight - data: 2 - type: dword - when: rule_19_7_7_1 + - name: "SCORED | 19.7.7.1 | PATCH | (L1) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword + when: + - rule_19_7_7_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.7.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.1 + - patch - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword + - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword - - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableThirdPartySuggestions - data: 1 - type: dword - when: rule_19_7_7_2 + - name: "SCORED | 19.7.7.2 | PATCH | (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + 
data: 1 + type: dword + when: + - rule_19_7_7_2 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.7.2 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.7.2 + - patch - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword + - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword - - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableTailoredExperiencesWithDiagnosticData - data: 1 - type: dword - when: rule_19_7_7_3 + - name: "SCORED | 19.7.7.3 | PATCH | (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword + when: + - rule_19_7_7_3 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.7.3 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.7.3 + - patch - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" block: - - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" - win_regedit: - path: 
HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword + - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword - - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent - name: DisableWindowsSpotlightFeatures - data: 1 - type: dword - when: rule_19_7_7_4 + - name: "SCORED | 19.7.7.4 | PATCH | (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword + when: + - rule_19_7_7_4 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.7.4 - - patch + - level2-domaincontroller + - level2-memberserver + - rule_19.7.7.4 + - patch - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" block: - - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword + - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword - - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' 
is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoInplaceSharing - data: 1 - type: dword - when: rule_19_7_26_1 + - name: "SCORED | 19.7.26.1 | PATCH | (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword + when: + - rule_19_7_26_1 tags: - - level1-domaincontroller - - level1-memberserver - - rule_19.7.26.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.26.1 + - patch - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" block: - - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword + - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword - - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windows\Installer - name: AlwaysInstallElevated - data: 0 - type: dword - when: rule_19_7_41_1 + - name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + when: + - rule_19_7_41_1 tags: - - level1 - - level2 - - rule_19.7.41.1 - - patch + - level1-domaincontroller + - level1-memberserver + - rule_19.7.41.1 + - patch - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) 
Ensure 'Prevent Codec Download' is set to 'Enabled'" block: - - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" - win_regedit: - path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword + - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword - - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" - win_regedit: - path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer - name: PreventCodecDownload - data: 1 - type: dword - when: rule_19_7_45_2_1 + - name: "SCORED | 19.7.45.2.1 | PATCH | (L2) Ensure 'Prevent Codec Download' is set to 'Enabled'" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword + when: + - rule_19_7_45_2_1 tags: - - level2-domaincontroller - - level2-memberserver - - rule_19.7.45.2.1 - - patch - + - level2-domaincontroller + - level2-memberserver + - rule_19.7.45.2.1 + - patch
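Review bot: the only behavioural change in this region is the tag fix on 19.7.41.1, where the bare `level1` / `level2` tags are replaced by `level1-domaincontroller` / `level1-memberserver`; everything else (4-space reindent of every `win_regedit` task, `when: rule_x` rewritten as a one-item list `when:` / `- rule_x`) is whitespace and form only. The normalization is right, but it also drops `level2` from this control, so please confirm no playbook or CI invocation selects tasks with `--tags level1` or `--tags level2`, otherwise this L1 control silently stops running for those callers. Calling the tag fix out separately in the commit message (and reviewing the reindent with `git diff -w`) would make the real change easy to find.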
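Review bot: style points on lines the reindent already rewrote, so they are free to fix in the same commit: the 19.7.7.1 task names read `is set to Disabled'"` with no opening quote, unlike every other name in the file (`'Enabled'`, `'Disabled'` elsewhere); suggest `is set to 'Disabled'"` in both the block name and the two inner task names. The key paths `...\Windows\Currentversion\Policies\...` and `...\Policies\Microsoft\Windowsmediaplayer` are harmless because the registry is case-insensitive, but `CurrentVersion` and `WindowsMediaPlayer` match the vendor spelling and make the paths easier to grep.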
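Review bot: missing documentation for the scope of these per-user controls. Each block writes the value to `HKU:\.DEFAULT\...` and `HKCU:\...` only; `HKU\.DEFAULT` is the hive loaded for the logon screen / LocalSystem context, and `HKCU` resolves to the profile of the account Ansible connects as, so existing interactive users' hives (`HKU\<SID>`) are not touched and `ScanWithAntiVirus=3`, `AlwaysInstallElevated=0`, the `CloudContent` and `NoInplaceSharing` settings are not enforced for them. Worth a sentence in the README, or a note that domain Group Policy is the intended enforcement path for the section 19 user-configuration items.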