From 86fa8b10cdb346589a8f0bfff25acadde32b28e1 Mon Sep 17 00:00:00 2001
From: George Nalen
Date: Fri, 5 Feb 2021 14:56:08 -0500
Subject: [PATCH] Finalized updates for version 1.2.0
Signed-off-by: George Nalen
---
tasks/old_section01.yml | 194 ---
tasks/old_section02.yml | 1549 ------------------------
tasks/old_section17.yml | 765 ------------
tasks/old_section18.yml | 2553 --------------------------------------
4 files changed, 5061 deletions(-)
delete mode 100644 tasks/old_section01.yml
delete mode 100644 tasks/old_section02.yml
delete mode 100644 tasks/old_section17.yml
delete mode 100644 tasks/old_section18.yml
diff --git a/tasks/old_section01.yml b/tasks/old_section01.yml
deleted file mode 100644
index 214e782..0000000
--- a/tasks/old_section01.yml
+++ /dev/null
@@ -1,194 +0,0 @@
----
-# - name: "SCORED | 1.1.1 | AUDIT | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)'
-# assert:
-# that: passwordhistorysize | int is version('24', '>=')
-# fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}"
-# register: result
-# changed_when: no
-# ignore_errors: yes
-# when: rule_1_1_1
-# tags:
-# - level1
-# - rule_1.1.1
-# - audit
-
-# - name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords"
-# win_security_policy:
-# section: System Access
-# key: PasswordHistorySize
-# value: "{{ passwordhistorysize }}"
-# when: rule_1_1_1
-# tags:
-# - level1
-# - level2
-# - rule_1.1.1
-# - patch
-
-# - name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
-# assert:
-# that: maximumpasswordage | int is version('60', '<=')
-# fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}"
-# register: result
-# changed_when: no
-# ignore_errors: yes
-# when: rule_1_1_2
-# tags:
-# - level1
-# - level2
-# - rule_1.1.2
-# - audit
-
-# - name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
-# win_security_policy:
-# section: System Access
-# key: MaximumPasswordAge
-# value: "{{ maximumpasswordage }}"
-# when: rule_1_1_2
-# tags:
-# - level1
-# - level2
-# - rule_1.1.2
-# - patch
-
-# - name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days"
-# assert:
-# that: minimumpasswordage is version('1', '>=')
-# fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}"
-# register: result
-# changed_when: no
-# ignore_errors: yes
-# when: rule_1_1_3
-# tags:
-# - level1
-# - level2
-# - rule_1.1.3
-# - audit
-
-# - name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set to 1 or more days"
-# win_security_policy:
-# section: System Access
-# key: MinimumPasswordAge
-# value: "{{ minimumpasswordage }}"
-# when: rule_1_1_3
-# tags:
-# - level1
-# - level2
-# - rule_1.1.3
-# - patch
-
-# - name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters"
-# assert:
-# that: minimumpasswordlength is version('14', '>=')
-# fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters"
-# register: result
-# changed_when: no
-# ignore_errors: yes
-# when: rule_1_1_4
-# tags:
-# - level1
-# - level2
-# - rule_1.1.4
-# - audit
-
-# - name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters"
-# win_security_policy:
-# section: System Access
-# key: MinimumPasswordLength
-# value: "{{ minimumpasswordlength }}"
-# when: rule_1_1_4
-# tags:
-# - level1
-# - level2
-# - rule_1.1.4
-# - patch
-
-# - name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled"
-# win_security_policy:
-# section: System Access
-# key: PasswordComplexity
-# value: 1
-# when: rule_1_1_5
-# tags:
-# - level1
-# - level2
-# - rule_1.1.5
-# - patch
-
-# - name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled"
-# win_security_policy:
-# section: System Access
-# key: ClearTextPassword
-# value: "0"
-# when: rule_1_1_6
-# tags:
-# - level1
-# - level2
-# - rule_1.1.6
-# - patch
-
-# - name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes"
-# assert:
-# that: lockoutduration | int is version('15', '<=')
-# fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
-# register: result
-# changed_when: no
-# ignore_errors: yes
-# when: rule_1_2_1
-# tags:
-# - level1
-# - level2
-# - rule_1.2.1
-# - audit
-
-# - name: "SCORED | 1.2.1 | PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes"
-# win_security_policy:
-# section: System Access
-# key: LockoutDuration
-# value: "{{ lockoutduration }}"
-# when:
-# - rule_1_2_1
-# - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
-# tags:
-# - level1
-# - level2
-# - rule_1.2.1
-# - patch
-
-# #This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
-# - name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0"
-# win_security_policy:
-# section: System Access
-# key: LockoutBadCount
-# value: "{{ lockoutbadcount }}"
-# when: rule_1_2_2
-# tags:
-# - level1
-# - level2
-# - rule_1.2.2
-# - patch
-
-# - name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
-# assert:
-# that: resetlockoutcount | int is version('15', '>=')
-# fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
-# register: result
-# changed_when: no
-# ignore_errors: yes
-# when: rule_1_2_3
-# tags:
-# - level1
-# - level2
-# - rule_1.2.3
-# - audit
-
-# - name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
-# win_security_policy:
-# section: System Access
-# key: ResetLockoutCount
-# value: "{{ resetlockoutcount }}"
-# when: rule_1_2_3
-# tags:
-# - level1
-# - level2
-# - rule_1.2.3
-# - patch
diff --git a/tasks/old_section02.yml b/tasks/old_section02.yml
deleted file mode 100644
index c9ad642..0000000
--- a/tasks/old_section02.yml
+++ /dev/null
@@ -1,1549 +0,0 @@ ---- -# - name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" -# win_user_right: -# name: SeTrustedCredManAccessPrivilege -# users: -# action: set -# when: rule_2_2_1 -# tags: -# - level1 -# - level2 -# - rule_2.2.1 -# - patch - -# - name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" -# win_user_right: -# name: SeNetworkLogonRight -# users: -# - Administrators -# - Authenticated Users -# action: set -# when: -# - rule_2_2_2 or rule_2_2_3 -# tags: -# - rule_2.2.2 -# - rule_2.2.3 -# - patch - -# - name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" -# win_user_right: -# name: SeTcbPrivilege -# users: -# action: set -# when: rule_2_2_4 -# tags: -# - level1 -# - level2 -# - rule_2.2.4 -# - patch - -# - name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" -# win_user_right: -# name: SeMachineAccountPrivilege -# users: Administrators -# action: set -# when: -# - rule_2_2_5 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.5 -# - patch - -# - name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" -# win_user_right: -# name: SeIncreaseQuotaPrivilege -# users: -# - Administrators -# - Local Service -# - Network Service -# action: set -# when: rule_2_2_6 -# tags: -# - level1 -# - level2 -# - rule_2.2.6 -# - patch - -# - name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" -# win_user_right: -# name: SeInteractiveLogonRight -# users: -# - Administrators -# action: set -# when: rule_2_2_7 -# tags: -# - level1 -# - level2 -# - rule_2.2.7 -# - patch - -# - name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop 
Services is set to Administrators DC only" -# win_user_right: -# name: SeRemoteInteractiveLogonRight -# users: -# - Administrators -# - Remote Desktop Users -# action: set -# when: -# - rule_2_2_8 or rule_2_2_9 -# tags: -# - rule_2.2.8 -# - rule_2.2.9 -# - patch - -# - name: "SCORED | 2.2.10 | PATCH | L1 Ensure Back up files and directories is set to Administrators" -# win_user_right: -# name: SeBackupPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_10 -# tags: -# - level1 -# - level2 -# - rule_2.2.10 -# - patch - -# - name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" -# win_user_right: -# name: SeSystemTimePrivilege -# users: -# - Administrators -# - Local Service -# action: set -# when: rule_2_2_11 -# tags: -# - level1 -# - level2 -# - rule_2.2.11 -# - patch - -# - name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" -# win_user_right: -# name: SeTimeZonePrivilege -# users: -# - Administrators -# - Local Service -# action: set -# when: rule_2_2_12 -# tags: -# - level1 -# - level2 -# - rule_2.2.12 -# - patch - -# - name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" -# win_user_right: -# name: SeCreatePagefilePrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_13 -# tags: -# - level1 -# - level2 -# - rule_2.2.13 -# - patch - -# - name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" -# win_user_right: -# name: SeCreateTokenPrivilege -# users: -# action: set -# when: rule_2_2_14 -# tags: -# - level1 -# - level2 -# - rule_2.2.14 -# - patch - -# - name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" -# win_user_right: -# name: SeCreateGlobalPrivilege -# users: -# - Administrators -# - Local Service -# - Network Service -# - Service -# action: set -# when: rule_2_2_15 -# tags: -# - 
level1 -# - level2 -# - rule_2.2.15 -# - patch - -# - name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" -# win_user_right: -# name: SeCreatePermanentPrivilege -# users: -# action: set -# when: rule_2_2_16 -# tags: -# - level1 -# - level2 -# - rule_2.2.16 -# - patch - -# - name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" -# win_user_right: -# name: SeCreateSymbolicLinkPrivilege -# users: -# - Administrators -# action: set -# when: -# - rule_2_2_17 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.17 -# - patch - -# - name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" -# win_user_right: -# name: SeCreateSymbolicLinkPrivilege -# users: -# - Administrators -# - NT VIRTUAL MACHINE\Virtual Machines -# action: set -# when: -# - rule_2_2_18 -# - ansible_windows_domain_role == "Member server" -# tags: -# - level1 -# - level2 -# - rule_2.2.18 -# - patch - -# - name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" -# win_user_right: -# name: SeDebugPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_19 -# tags: -# - level1 -# - level2 -# - rule_2.2.19 -# - patch - -# #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes -# - name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" -# win_user_right: -# name: SeDenyNetworkLogonRight -# users: -# - Guests -# action: set -# when: -# - rule_2_2_20 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.20 -# - patch - -# - name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" -# win_user_right: -# 
name: SeDenyNetworkLogonRight -# users: -# - Guests -# #- Local Account -# #- Administrators -# action: set -# when: -# - rule_2_2_21 -# - ansible_windows_domain_member -# tags: -# - level1 -# - level2 -# - rule_2.2.21 -# - patch - -# - name: "SCORED | 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" -# win_user_right: -# name: SeDenyBatchLogonRight -# users: -# - Guests -# action: set -# when: rule_2_2_22 -# tags: -# - level1 -# - level2 -# - rule_2.2.22 -# - patch - -# - name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" -# win_user_right: -# name: SeDenyServiceLogonRight -# users: -# - Guests -# action: set -# when: rule_2_2_23 -# tags: -# - level1 -# - level2 -# - rule_2.2.23 -# - patch - -# - name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" -# win_user_right: -# name: SeDenyInteractiveLogonRight -# users: -# - Guests -# action: set -# when: rule_2_2_24 -# tags: -# - level1 -# - level2 -# - rule_2.2.24 -# - patch - -# - name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" -# win_user_right: -# name: SeDenyRemoteInteractiveLogonRight -# users: -# - Guests -# #- Local Account -# action: set -# when: -# - rule_2_2_25 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.25 -# - patch - -# - name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" -# win_user_right: -# name: SeDenyRemoteInteractiveLogonRight -# users: -# - Guests -# #- Local Account -# action: set -# when: -# - rule_2_2_26 -# - ansible_windows_domain_member -# tags: -# - level1 -# - level2 -# - rule_2.2.26 -# - patch - -# - name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" -# win_user_right: -# name: SeEnableDelegationPrivilege -# users: Administrators -# 
action: set -# when: -# - rule_2_2_27 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.27 -# - patch - -# - name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" -# win_user_right: -# name: SeEnableDelegationPrivilege -# users: -# action: set -# when: -# - rule_2_2_28 -# - ansible_windows_domain_member -# tags: -# - level1 -# - level2 -# - rule_2.2.28 -# - patch - -# - name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" -# win_user_right: -# name: SeRemoteShutdownPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_29 -# tags: -# - level1 -# - level2 -# - rule_2.2.29 -# - patch - -# - name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" -# win_user_right: -# name: SeAuditPrivilege -# users: -# - Local Service -# - Network Service -# action: set -# when: rule_2_2_30 -# tags: -# - level1 -# - level2 -# - rule_2.2.30 -# - patch - -# - name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" -# win_user_right: -# name: SeImpersonatePrivilege -# users: -# - Administrators -# - Local Service -# - Network Service -# - Service -# action: set -# when: -# - rule_2_2_31 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.31 -# - patch - -# - name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" -# win_user_right: -# name: SeImpersonatePrivilege -# users: -# - Administrators -# - IIS_IUSRS -# - Local Service -# - Network Service -# - Service -# action: set -# when: -# - rule_2_2_32 -# - ansible_windows_domain_member 
-# tags: -# - level1 -# - level2 -# - rule_2.2.32 -# - patch - -# - name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators" -# win_user_right: -# name: SeIncreaseBasePriorityPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_33 -# tags: -# - level1 -# - level2 -# - rule_2.2.33 -# - patch - -# - name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload device drivers is set to Administrators" -# win_user_right: -# name: SeLoadDriverPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_34 -# tags: -# - level1 -# - level2 -# - rule_2.2.34 -# - patch - -# - name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" -# win_user_right: -# name: SeLockMemoryPrivilege -# users: -# action: set -# when: rule_2_2_35 -# tags: -# - level1 -# - level2 -# - rule_2.2.35 -# - patch - -# - name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" -# win_user_right: -# name: SeBatchLogonRight -# users: Administrators -# action: set -# when: -# - rule_2_2_36 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.36 -# - patch - -# - name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" -# win_user_right: -# name: SeSecurityPrivilege -# users: -# - Administrators -# action: set -# when: -# - rule_2_2_37 or rule_2_2_38 -# tags: -# - rule_2.2.37 -# - rule_2.2.38 -# - patch - -# - name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" -# win_user_right: -# name: SeReLabelPrivilege -# users: -# action: set -# when: rule_2_2_39 -# tags: -# - level1 -# - level2 -# - rule_2.2.39 -# - patch - -# - name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" -# win_user_right: -# name: SeSystemEnvironmentPrivilege -# 
users: -# - Administrators -# action: set -# when: rule_2_2_40 -# tags: -# - level1 -# - level2 -# - rule_2.2.40 -# - patch - -# - name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" -# win_user_right: -# name: SeManageVolumePrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_41 -# tags: -# - level1 -# - level2 -# - rule_2.2.41 -# - patch - -# - name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to Administrators" -# win_user_right: -# name: SeProfileSingleProcessPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_42 -# tags: -# - level1 -# - level2 -# - rule_2.2.42 -# - patch - -# - name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" -# win_user_right: -# name: SeSystemProfilePrivilege -# users: -# - Administrators -# - NT SERVICE\WdiServiceHost -# action: set -# when: rule_2_2_43 -# tags: -# - level1 -# - level2 -# - rule_2.2.43 -# - patch - -# - name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" -# win_user_right: -# name: SeAssignPrimaryTokenPrivilege -# users: -# - LOCAL SERVICE -# - NETWORK SERVICE -# action: set -# when: rule_2_2_44 -# tags: -# - level1 -# - level2 -# - rule_2.2.44 -# - patch - -# - name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" -# win_user_right: -# name: SeRestorePrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_45 -# tags: -# - level1 -# - level2 -# - rule_2.2.45 -# - patch - -# - name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" -# win_user_right: -# name: SeShutdownPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_46 -# tags: -# - level1 -# - level2 -# - rule_2.2.46 -# - patch - -# - name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data 
is set to No One DC only" -# win_user_right: -# name: SeSyncAgentPrivilege -# users: -# action: set -# when: -# - rule_2_2_47 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.2.47 -# - patch - -# - name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" -# win_user_right: -# name: SeTakeOwnershipPrivilege -# users: -# - Administrators -# action: set -# when: rule_2_2_48 -# tags: -# - level1 -# - level2 -# - rule_2.2.48 -# - patch - -# - name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts Administrator account status is set to Disabled MS only" -# win_security_policy: -# section: System Access -# key: EnableAdminAccount -# value: 0 -# when: -# - rule_2_3_1_1 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.1.1 -# - patch - -# - name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: NoConnectedUser -# data: 3 -# type: dword -# when: rule_2_3_1_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.2 -# - patch - -# - name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" -# win_security_policy: -# section: System Access -# key: EnableGuestAccount -# value: 0 -# when: rule_2_3_1_3 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.3 -# - patch - -# - name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Lsa -# name: LimitBlankPasswordUse -# data: 1 -# type: dword -# when: rule_2_3_1_4 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.4 -# - patch - -# - name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" -# 
win_security_policy: -# section: System Access -# key: newadministratorname -# value: GeorgeSharp -# when: rule_2_3_1_5 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.5 -# - patch - -# - name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account" -# win_security_policy: -# section: System Access -# key: NewGuestName -# value: BobCooper -# when: rule_2_3_1_6 -# tags: -# - level1 -# - level2 -# - rule_2.3.1.6 -# - patch - -# - name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Lsa -# name: SCENoApplyLegacyAuditPolicy -# data: 1 -# type: dword -# when: rule_2_3_2_1 -# tags: -# - level1 -# - level2 -# - rule_2.3.2.1 -# - patch - -# - name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Lsa -# name: CrashOnAuditFail -# data: 0 -# type: dword -# when: rule_2_3_2_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.2.2 -# - patch - -# - name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: AllocateDASD -# data: 0 -# type: string -# when: rule_2_3_4_1 -# tags: -# - level1 -# - level2 -# - rule_2.3.4.1 -# - patch - -# - name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers -# name: AddPrinterDrivers -# data: 1 -# type: dword -# when: rule_2_3_4_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.4.2 -# - patch - -# - name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to 
schedule tasks is set to Disabled DC only" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Control\Lsa -# name: SubmitControl -# data: 0 -# type: dword -# when: -# - rule_2_3_5_1 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.3.5.1 -# - patch - -# - name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters -# name: LDAPServerIntegrity -# data: 2 -# type: dword -# when: -# - rule_2_3_5_2 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.3.5.2 -# - patch - -# - name: "SCORED | 2.3.5.3 | PATCH | L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" -# win_regedit: -# path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters -# name: RefusePasswordChange -# data: 0 -# type: dword -# when: -# - rule_2_3_5_3 -# - ansible_windows_domain_role == "Primary domain controller" -# tags: -# - rule_2.3.5.3 -# - patch - -# - name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: RequireSignOrSeal -# data: 1 -# type: dword -# when: -# - rule_2_3_6_1 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.1 -# - patch - -# - name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: sealsecurechannel -# data: 1 -# type: dword -# when: -# - rule_2_3_6_2 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.2 -# - patch - -# - name: "SCORED | 2.3.6.3 | PATCH 
| L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: signsecurechannel -# data: 1 -# type: dword -# when: -# - rule_2_3_6_3 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.3 -# - patch - -# - name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: disablepasswordchange -# data: 1 -# type: dword -# when: -# - rule_2_3_6_4 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.4 -# - patch - -# - name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: MaximumPasswordAge -# data: 30 -# type: dword -# when: -# - rule_2_3_6_5 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.5 -# - patch - -# - name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters -# name: RequireStrongKey -# data: 1 -# type: dword -# when: -# - rule_2_3_6_6 -# - not ansible_windows_domain_role == "Primary domain controller" -# tags: -# - level1 -# - level2 -# - rule_2.3.6.6 -# - patch - -# - name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: DontDisplayLastUserName -# data: 1 -# type: dword -# when: rule_2_3_7_1 -# tags: -# - level1 -# - level2 -# 
- rule_2.3.7.1 -# - patch - -# - name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: DisableCAD -# data: 0 -# type: dword -# when: rule_2_3_7_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.2 -# - patch - -# - name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: InactivityTimeoutSecs -# data: 900 -# type: dword -# when: rule_2_3_7_3 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.3 -# - patch - -# - name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: LegalNoticeText -# data: "{{ legalnoticetext }}" -# type: string -# when: rule_2_3_7_4 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.4 -# - patch - -# - name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System -# name: LegalNoticeCaption -# data: "{{ legalnoticecaption }}" -# type: string -# when: rule_2_3_7_5 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.5 -# - patch - -# - name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: cachedlogonscount -# data: 1 -# type: string -# when: rule_2_3_7_6 -# tags: -# - level2 -# - rule_2.3.7.6 -# - patch - -# - name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 
14 days" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: PasswordExpiryWarning -# data: 14 -# type: dword -# when: rule_2_3_7_7 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.7 -# - patch - -# - name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: ForceUnlockLogon -# data: 1 -# type: dword -# when: -# - rule_2_3_7_8 -# - ansible_windows_domain_role == "Member server" -# tags: -# - level1 -# - level2 -# - rule_2.3.7.8 -# - patch - -# - name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" -# win_regedit: -# path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon -# name: scremoveoption -# data: 1 -# type: string -# when: rule_2_3_7_9 -# tags: -# - level1 -# - level2 -# - rule_2.3.7.9 -# - patch - -# - name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters -# name: RequireSecuritySignature -# data: 1 -# type: dword -# when: rule_2_3_8_1 -# tags: -# - level1 -# - level2 -# - rule_2.3.8.1 -# - patch - -# - name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" -# win_regedit: -# path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters -# name: EnableSecuritySignature -# data: 1 -# type: dword -# when: rule_2_3_8_2 -# tags: -# - level1 -# - level2 -# - rule_2.3.8.2 -# - patch - -# - name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" -# win_regedit: -# path: 
HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
-# name: EnablePlainTextPassword
-# data: 0
-# type: dword
-# when: rule_2_3_8_3
-# tags:
-# - level1
-# - level2
-# - rule_2.3.8.3
-# - patch
-
-# - name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: autodisconnect
-# data: 15
-# type: dword
-# when: rule_2_3_9_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.1
-# - patch
-
-# - name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: requiresecuritysignature
-# data: 1
-# type: dword
-# when: rule_2_3_9_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.2
-# - patch
-
-# - name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: enablesecuritysignature
-# data: 1
-# type: dword
-# when: rule_2_3_9_3
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.3
-# - patch
-
-# - name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: enableforcedlogoff
-# data: 1
-# type: dword
-# when: rule_2_3_9_4
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.4
-# - patch
-
-# - name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name:
SMBServerNameHardeningLevel
-# data: 1
-# type: dword
-# when:
-# - rule_2_3_9_5
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.9.5
-# - patch
-
-# - name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled"
-# win_security_policy:
-# section: System Access
-# key: LSAAnonymousNameLookup
-# value: 0
-# when: rule_2_3_10_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.1
-# - patch
-
-# - name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: RestrictAnonymousSAM
-# data: 1
-# type: dword
-# when:
-# - rule_2_3_10_2
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.2
-# - patch
-
-# - name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: RestrictAnonymous
-# data: 1
-# type: dword
-# when:
-# - rule_2_3_10_3
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.3
-# - patch
-
-# - name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: DisableDomainCreds
-# data: 1
-# type: dword
-# when: rule_2_3_10_4
-# tags:
-# - level2
-# - rule_2.3.10.4
-# - patch
-
-# - name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: EveryoneIncludesAnonymous
-# data: 0
-# type: dword
-# when: rule_2_3_10_5
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.5
-# - patch
-
-# - name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: NullSessionPipes
-# data: ""
-# type: multistring
-# when:
-# - rule_2_3_10_6
-# - ansible_windows_domain_role == "Primary domain controller"
-# tags:
-# - rule_2.3.10.6
-# - patch
-
-# - name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: NullSessionPipes
-# data: ""
-# type: multistring
-# when:
-# - rule_2_3_10_7
-# - ansible_windows_domain_role == "Member server"
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.7
-# - patch
-
-# - name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths
-# name: "Machine"
-# data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 'Software\Microsoft\Windows NT\CurrentVersion']
-# type: multistring
-# when: rule_2_3_10_8
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.8
-# - patch
-
-# - name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
-# name: "Machine"
-# data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal
Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
-# type: multistring
-# when: rule_2_3_10_9
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.9
-# - patch
-
-# - name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: RestrictNullSessAccess
-# data: 1
-# type: dword
-# when: rule_2_3_10_10
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.10
-# - patch
-
-# - name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only"
-# win_regedit:
-# path: HKLM:\System\CurrentControlSet\Control\Lsa
-# name: RestrictRemoteSAM
-# data: "O:BAG:BAD:(A;;RC;;;BA)"
-# type: string
-# when: rule_2_3_10_11
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.11
-# - patch
-
-# - name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
-# name: NullSessionShares
-# data: ""
-# type: multistring
-# when: rule_2_3_10_12
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.12
-# - patch
-
-# - name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: ForceGuest
-# data: 0
-# type: dword
-# when: rule_2_3_10_13
-# tags:
-# - level1
-# - level2
-# - rule_2.3.10.13
-# - patch
-
-# - name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to
Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: UseMachineId
-# data: 1
-# type: dword
-# when: rule_2_3_11_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.1
-# - patch
-
-# - name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
-# name: allownullsessionfallback
-# data: 0
-# type: dword
-# when: rule_2_3_11_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.2
-# - patch
-
-# - name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
-# name: AllowOnlineID
-# data: 0
-# type: dword
-# when: rule_2_3_11_3
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.3
-# - patch
-
-# - name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
-# name: SupportedEncryptionTypes
-# data: 2147483644
-# type: dword
-# when: rule_2_3_11_4
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.4
-# - patch
-
-# - name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: NoLMHash
-# data: 1
-# type: dword
-# when: rule_2_3_11_5
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.5
-# - patch
-
-# - name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
-# name: EnableForcedLogOff
-# data: 1
-# type:
dword
-# when: rule_2_3_11_6
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.6
-# - patch
-
-# - name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa
-# name: LMCompatibilityLevel
-# data: 5
-# type: dword
-# when: rule_2_3_11_7
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.7
-# - patch
-
-# - name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Services\Ldap
-# name: LDAPClientIntegrity
-# data: 1
-# type: dword
-# when: rule_2_3_11_8
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.8
-# - patch
-
-# - name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
-# name: NTLMMinClientSec
-# data: 537395200
-# type: dword
-# when: rule_2_3_11_9
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.9
-# - patch
-
-# - name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
-# name: NTLMMinServerSec
-# data: 537395200
-# type: dword
-# when: rule_2_3_11_10
-# tags:
-# - level1
-# - level2
-# - rule_2.3.11.10
-# - patch
-
-# - name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: ShutdownWithoutLogon
-# data: 0
-# type: dword
-# when: rule_2_3_13_1
-# tags:
-# -
level1
-# - level2
-# - rule_2.3.13.1
-# - patch
-
-# - name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel
-# name: ObCaseInsensitive
-# data: 1
-# type: dword
-# when: rule_2_3_15_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.15.1
-# - patch
-
-# - name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled"
-# win_regedit:
-# path: HKLM:\System\Currentcontrolset\Control\Session Manager
-# name: ProtectionMode
-# data: 1
-# type: dword
-# when: rule_2_3_15_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.15.2
-# - patch
-
-# - name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: FilterAdministratorToken
-# data: 1
-# type: dword
-# when: rule_2_3_17_1
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.1
-# - patch
-
-# - name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableUIADesktopToggle
-# data: 0
-# type: dword
-# when: rule_2_3_17_2
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.2
-# - patch
-
-# - name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: ConsentPromptBehaviorAdmin
-# data: 2
-# type: dword
-# when: rule_2_3_17_3
-# tags:
-#
- level1
-# - level2
-# - rule_2.3.17.3
-# - patch
-
-# - name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: ConsentPromptBehaviorUser
-# data: 0
-# type: dword
-# when: rule_2_3_17_4
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.4
-# - patch
-
-# - name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableInstallerDetection
-# data: 1
-# type: dword
-# when: rule_2_3_17_5
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.5
-# - patch
-
-# - name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableSecureUIAPaths
-# data: 1
-# type: dword
-# when: rule_2_3_17_6
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.6
-# - patch
-
-# - name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableLUA
-# data: 1
-# type: dword
-# when: rule_2_3_17_7
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.7
-# - patch
-
-# - name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: PromptOnSecureDesktop
-# data: 1
-# type: dword
-# when: rule_2_3_17_8
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.8
-# - patch
-
-# - name:
"SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled"
-# win_regedit:
-# path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-# name: EnableVirtualization
-# data: 1
-# type: dword
-# when: rule_2_3_17_9
-# tags:
-# - level1
-# - level2
-# - rule_2.3.17.9
-# - patch
diff --git a/tasks/old_section17.yml b/tasks/old_section17.yml
deleted file mode 100644
index ab2d25b..0000000
--- a/tasks/old_section17.yml
+++ /dev/null
@@ -1,765 +0,0 @@
----
-- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_1_1_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_1_1
- tags:
- - level1
- - level2
- - rule_17.1.1
- - audit
-
-- name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure"
- block:
- - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success"
- win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
- when: "'Success' not in rule_17_1_1_audit.stdout"
- changed_when: "'Success' not in rule_17_1_1_audit.stdout"
-
- - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure"
- win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
- when: "'Failure' not in rule_17_1_1_audit.stdout"
- changed_when: "'Failure' not in rule_17_1_1_audit.stdout"
- when:
- - rule_17_1_1
- - rule_17_1_1_audit is defined
- - ansible_windows_domain_role == "Primary domain controller"
- - "'Success' not in rule_17_1_1_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.1.1
- - patch
-
-- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_2_1_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_2_1
- tags:
- - level1
- - level2
- - rule_17.2.1
- - audit
-
-- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure"
- block:
- - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success"
- win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
- when: "'Success' not in rule_17_2_1_audit.stdout"
- changed_when: "'Success' not in rule_17_2_1_audit.stdout"
-
- - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure"
- win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable
- when: "'Failure' not in rule_17_2_1_audit.stdout"
- changed_when: "'Failure' not in rule_17_2_1_audit.stdout"
- when:
- - rule_17_2_1
- - rule_17_2_1_audit is defined
- - ansible_windows_domain_role == "Primary domain controller"
- - "'Success' not in rule_17_2_1_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.2.1
- - patch
-
-- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_2_2_audit
- changed_when: no
- ignore_errors: yes
- when:
- - rule_17_2_2
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - level1
- - level2
- - rule_17.2.2
- - audit
-
-- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to Success and Failure"
- win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
- when:
- - rule_17_2_2
- - ansible_windows_domain_role == "Primary domain controller"
- - rule_17_2_2_audit is defined
- - "'Success' not in rule_17_2_2_audit.stdout"
- changed_when: "'Success' not in rule_17_2_2_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.2.2
- - patch
-
-- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only"
- win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_2_3_audit
- changed_when: no
-
ignore_errors: yes
- when:
- - ansible_windows_domain_role == "Primary domain controller"
- - rule_17_2_3
- tags:
- - rule_17.2.3
- - audit
-
-- name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only"
- win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable
- when:
- - ansible_windows_domain_role == "Primary domain controller"
- - rule_17_2_3
- - rule_17_2_3_audit is defined
- - "'Success' not in rule_17_2_3_audit.stdout"
- changed_when: "'Success' not in rule_17_2_3_audit.stdout"
- tags:
- - rule_17.2.3
- - patch
-
-- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_2_4_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_2_4
- tags:
- - level1
- - level2
- - rule_17.2.4
- - audit
-
-- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to Success and Failure"
- win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
- when:
- - rule_17_2_4
- - rule_17_2_4_audit is defined
- - ansible_windows_domain_role == "Primary domain controller"
- - "'Success' not in rule_17_2_4_audit.stdout"
- changed_when: "'Success' not in rule_17_2_4_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.2.4
- - patch
-
-- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_2_5_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_2_5
- tags:
- - level1
- - level2
- - rule_17.2.5
- - audit
-
-- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to Success and
Failure"
- win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
- when:
- - rule_17_2_5
- - rule_17_2_5_audit is defined
- - "'Success' not in rule_17_2_5_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.2.5
- - patch
-
-- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_2_6_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_2_6
- tags:
- - level1
- - level2
- - rule_17.2.6
- - audit
-
-- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure"
- block:
- - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success"
- win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable
- when: "'Success' not in rule_17_2_6_audit.stdout"
- changed_when: "'Success' not in rule_17_2_6_audit.stdout"
-
- - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure"
- win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
- when: "'Failure' not in rule_17_2_6_audit.stdout"
- changed_when: "'Failure' not in rule_17_2_6_audit.stdout"
- when:
- - rule_17_2_6
- - rule_17_2_6_audit is defined
- tags:
- - level1
- - level2
- - rule_17.2.6
- - patch
-
-- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to Success"
- win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_3_1_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_3_1
- tags:
- - level1
- - level2
- - rule_17.3.1
- - audit
-
-- name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to Success"
- win_shell: AuditPol /set /subcategory:"Plug and Play
Events" /success:enable
- changed_when: "'Success' not in rule_17_3_1_audit.stdout"
- when:
- - rule_17_3_1
- - rule_17_3_1_audit is defined
- - "'Success' not in rule_17_3_1_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.3.1
- - patch
-
-- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to Success"
- win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_3_2_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_3_2
- tags:
- - level1
- - level2
- - rule_17.3.2
- - audit
-
-- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to Success"
- win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
- changed_when: "'Success' not in rule_17_3_2_audit.stdout"
- when:
- - rule_17_3_2
- - rule_17_3_2_audit is defined
- - "'Success' not in rule_17_3_2_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.3.2
- - patch
-
-- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only"
- win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_4_1_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_4_1
- tags:
- - rule_17.4.1
- - audit
-
-- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only"
- win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
- changed_when: "'Success' not in rule_17_4_1_audit.stdout"
- when:
- - rule_17_4_1
- - rule_17_4_1_audit is defined
- - "'Success' not in rule_17_4_1_audit.stdout"
- tags:
- - rule_17.4.1
- - patch
-
-- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only"
- win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand
"Inclusion Setting"
- register: rule_17_4_2_audit
- changed_when: no
- ignore_errors: yes
- when:
- - rule_17_4_2
- - ansible_windows_domain_role == "Primary domain controller"
- tags:
- - rule_17.4.2
- - audit
-
-- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only"
- win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
- changed_when: "'Success' not in rule_17_4_2_audit.stdout"
- when:
- - rule_17_4_2
- - ansible_windows_domain_role == "Primary domain controller"
- - rule_17_4_2_audit is defined
- - "'Success' not in rule_17_4_2_audit.stdout"
- tags:
- - rule_17.4.2
- - patch
-
-- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_5_1_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_5_1
- tags:
- - level1
- - level2
- - rule_17.5.1
- - audit
-
-- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to Success and Failure"
- win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable
- changed_when: "'Failure' not in rule_17_5_1_audit.stdout"
- when:
- - rule_17_5_1
- - rule_17_5_1_audit is defined
- - "'Failure' not in rule_17_5_1_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.5.1
- - patch
-
-- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to Success"
- win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_5_2_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_5_2
- tags:
- - level1
- - level2
- - rule_17.5.2
- - audit
-
-- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to Success"
- win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
- changed_when: "'Success' not
in wn19_au_000170_audit.stdout"
- when:
- - rule_17_5_2
- - wn19_au_000170_audit is defined
- - "'Success' not in wn19_au_000170_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.5.2
- - patch
-
-- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to Success"
- win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_5_3_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_5_3
- tags:
- - level1
- - level2
- - rule_17.5.3
- - audit
-
-- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to Success"
- win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
- changed_when: "'Success' not in rule_17_5_3_audit.stdout"
- when:
- - rule_17_5_3
- - rule_17_5_3_audit is defined
- - "'Success' not in rule_17_5_3_audit.stdout"
- tags:
- - level1
- - level2
- - rule_17.5.3
- - patch
-
-- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_5_4_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_5_4
- tags:
- - level1
- - level2
- - rule_17.5.4
- - audit
-
-- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure"
- block:
- - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success"
- win_shell: AuditPol /set /subcategory:"Logon" /success:enable
- changed_when: "'Success' not in rule_17_5_4_audit.stdout"
- when:
- - rule_17_5_4_audit is defined
- - "'Failure' not in rule_17_5_4_audit.stdout"
-
- - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure"
- win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
- changed_when: "'Failure' not in rule_17_5_4_audit.stdout"
- when:
- - rule_17_5_4_audit is defined
- - "'Failure' not in rule_17_5_4_audit.stdout"
- when:
rule_17_5_4
- tags:
- - level1
- - level2
- - rule_17.5.4
- - patch
-
-- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
- win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_5_5_audit
- changed_when: no
- ignore_errors: yes
- when:
- - rule_17_5_5
- tags:
- - level1
- - level2
- - rule_17.5.5
- - audit
-
-- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
- block:
- - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
- win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
- changed_when: "'Success' not in rule_17_5_5_audit.stdout"
- when:
- - rule_17_5_5_audit is defined
- - "'Success' not in rule_17_5_5_audit.stdout"
-
- - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
- win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
- changed_when: "'Failure' not in rule_17_5_5_audit.stdout"
- when:
- - rule_17_5_5_audit is defined
- - "'Failure' not in rule_17_5_5_audit.stdout"
- when:
- - rule_17_5_5
- tags:
- - level1
- - level2
- - rule_17.5.5
- - patch
-
-- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to Success"
- win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
- register: rule_17_5_6_audit
- changed_when: no
- ignore_errors: yes
- when: rule_17_5_6
- tags:
- - level1
- - level2
- - rule_17.5.6
- - audit
-
-- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to Success"
- win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
- changed_when: "'Success' not in rule_17_5_6_audit.stdout"
- when:
- - rule_17_5_6
- - rule_17_5_6_audit is defined
- -
"'Success' not in rule_17_5_6_audit.stdout" - tags: - - level1 - - level2 - - rule_17.5.6 - - patch - -- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure" - win_audit_policy_system: - subcategory: Other Object Access Events - audit_type: success, failure - when: rule_17_6_1 - tags: - - level1 - - level2 - - rule_17.6.1 - - patch - -- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_6_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_6_2 - tags: - - level1 - - level2 - - rule_17.6.2 - - audit - -- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable - changed_when: "'Success' not in rule_17_6_2_audit.stdout" - when: - - rule_17_6_2 - - rule_17_6_2_audit is defined - - "'Success' not in rule_17_6_2_audit.stdout" - tags: - - level1 - - level2 - - rule_17.6.2 - - patch - -- name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_1 - tags: - - level1 - - level2 - - rule_17.7.1 - - audit - -- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_1_audit.stdout" - when: - - rule_17_7_1 - - rule_17_7_1_audit is defined - - "'Success' not in rule_17_7_1_audit.stdout" - tags: - - level1 - - level2 - - rule_17.7.1 - - patch - -- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit 
Authentication Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_2 - tags: - - level1 - - level2 - - rule_17.7.2 - - audit - -- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to Success" - win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_2_audit.stdout" - when: - - rule_17_7_2 - - rule_17_7_2_audit is defined - - "'Success' not in rule_17_7_2_audit.stdout" - tags: - - level1 - - level2 - - rule_17.7.2 - - patch - -- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_7_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_7_3 - tags: - - level1 - - level2 - - rule_17.7.3 - - audit - -- name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to Success" - win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable - changed_when: "'Success' not in rule_17_7_3_audit.stdout" - when: - - rule_17_7_3 - - rule_17_7_3_audit is defined - - "'Success' not in rule_17_7_3_audit.stdout" - tags: - - level1 - - level2 - - rule_17.7.3 - - patch - -- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_8_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_8_1 - tags: - - level1 - - level2 - - rule_17.8.1 - - audit - -- name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is 
set to Success and Failure" - block: - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable - changed_when: "'Success' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Success' not in rule_17_8_1_audit.stdout" - - - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable - changed_when: "'Failure' not in rule_17_8_1_audit.stdout" - when: - - rule_17_8_1_audit is defined - - "'Failure' not in rule_17_8_1_audit.stdout" - - when: rule_17_8_1 - tags: - - level1 - - level2 - - rule_17.8.1 - - patch - -- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_1_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_1 - tags: - - level1 - - level2 - - rule_17.9.1 - - audit - -- name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure" - block: - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable - changed_when: "'Success' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Success' not in rule_17_9_1_audit.stdout" - - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable - changed_when: "'Failure' not in rule_17_9_1_audit.stdout" - when: - - rule_17_9_1_audit is defined - - "'Failure' not in rule_17_9_1_audit.stdout" - - when: rule_17_9_1 - tags: - - level1 - - level2 - - 
rule_17.9.1 - - patch - -- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_2_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_2 - tags: - - level1 - - level2 - - rule_17.9.2 - - audit - -- name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure" - block: - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable - changed_when: "'Success' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Success' not in rule_17_9_2_audit.stdout" - - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable - changed_when: "'Failure' not in rule_17_9_2_audit.stdout" - when: - - rule_17_9_2_audit is defined - - "'Failure' not in rule_17_9_2_audit.stdout" - when: rule_17_9_2 - tags: - - level1 - - level2 - - rule_17.9.2 - - patch - -- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to Success" - win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_3_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_3 - tags: - - level1 - - level2 - - rule_17.9.3 - - audit - -- name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to Success" - win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable - changed_when: "'Success' not in rule_17_9_3_audit.stdout" - when: - - rule_17_9_3 - - rule_17_9_3_audit is defined - - "'Success' not in rule_17_9_3_audit.stdout" - tags: - - 
level1 - - level2 - - rule_17.9.3 - - patch - -- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_4_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_4 - tags: - - level1 - - level2 - - rule_17.9.4 - - audit - -- name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to Success and Failure" - win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable - changed_when: "'Success' not in rule_17_9_4_audit.stdout" - when: - - rule_17_9_4 - - rule_17_9_4_audit is defined - - "'Success' not in rule_17_9_4_audit.stdout" - tags: - - level1 - - level2 - - rule_17.9.4 - - patch - -- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure" - win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting" - register: rule_17_9_5_audit - changed_when: no - ignore_errors: yes - when: rule_17_9_5 - tags: - - level1 - - level2 - - rule_17.9.5 - - audit - -- name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure" - block: - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success" - win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable - changed_when: "'Success' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Success' not in rule_17_9_5_audit.stdout" - - - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure" - win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable - changed_when: "'Failure' not in rule_17_9_5_audit.stdout" - when: - - rule_17_9_5_audit is defined - - "'Failure' not in 
rule_17_9_5_audit.stdout" - when: rule_17_9_5 - tags: - - level1 - - level2 - - rule_17.9.5 - - patch - diff --git a/tasks/old_section18.yml b/tasks/old_section18.yml deleted file mode 100644 index 98a58e8..0000000 --- a/tasks/old_section18.yml +++ /dev/null 
@@ -1,2553 +0,0 @@ ---- -#one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server" -- name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenCamera - data: 1 - type: dword - when: rule_18_1_1_1 - tags: - - level1 - - level2 - - rule_18.1.1.1 - - patch - -- name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Personalization - name: NoLockScreenSlideshow - data: 1 - type: dword - when: rule_18_1_1_2 - tags: - - level1 - - level2 - - rule_18.1.1.2 - - patch - -- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - audit - -- name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow input personalization is set to Disabled" - command: "echo true" - when: - - is_implemented - - rule_18_1_2_2 - tags: - - level1 - - level2 - - rule_18.1.2.2 - - patch - -- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - audit - -- name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" - command: "echo true" - when: - - is_implemented - - rule_18_1_3 - tags: - - level2 - - rule_18.1.3 - - patch - -- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_1 
- - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - - audit - -- name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.1 - - patch - -- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - audit - -- name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.2 - - patch - -- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - - audit - -- name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_3 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.3 - - patch - -- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - 
register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - - audit - -- name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_4 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.4 - - patch - -- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - - audit - -- name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.5 - - patch - -- name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - - audit - -- name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" - command: "echo true" - when: - - is_implemented - - rule_18_2_6 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.2.6 - - patch - -- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC 
restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - audit - -- name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" - command: "echo true" - when: - - is_implemented - - rule_18_3_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.3.1 - - patch - -- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - audit - -- name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" - command: "echo true" - when: - - is_implemented - - rule_18_3_2 - tags: - - level1 - - level2 - - rule_18.3.2 - - patch - -- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters - name: SMB1 - data: 0 - type: dword - state: present - notify: reboot_windows - when: rule_18_3_3 - tags: - - level1 - - level2 - - rule_18.3.3 - - patch - -- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel - name: DisableExceptionChainValidation - data: 1 - type: dword - state: present - when: rule_18_3_4 - tags: - - level1 - - level2 - - rule_18.3.4 - - patch - -- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted 
Applications is set to Enabled" - command: "echo true" - register: result - changed_when: no - ignore_errors: yes - when: - - is_implemented - - rule_18_3_5 - tags: - - level1 - - level2 - - rule_18.3.5 - - audit - -- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" - command: "echo true" - when: - - is_implemented - - rule_18_3_5 - tags: - - level1 - - level2 - - rule_18.3.5 - - patch - -- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest - state: present - value: UseLogonCredential - data: 0 - datatype: dword - when: rule_18_3_6 - tags: - - level1 - - level2 - - rule_18.3.6 - - patch - -- name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - state: present - value: AutoAdminLogon - data: 0 - datatype: dword - when: rule_18_4_1 - tags: - - level1 - - level2 - - rule_18.4.1 - - patch - -- name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters - state: present - value: DisableIPSourceRouting - data: 2 - datatype: dword - when: rule_18_4_2 - tags: - - level1 - - level2 - - rule_18.4.2 - - patch - -- name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: DisableIPSourceRouting - data: 2 - datatype: dword - 
when: rule_18_4_3 - tags: - - level1 - - level2 - - rule_18.4.3 - - patch - -- name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: EnableICMPRedirect - data: 0 - datatype: dword - when: rule_18_4_4 - tags: - - level1 - - level2 - - rule_18.4.4 - - patch - -- name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" - win_regedit: - path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - state: present - value: KeepAliveTime - data: 300000 - datatype: dword - when: rule_18_4_5 - tags: - - level2 - - rule_18.4.5 - - patch - -- name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters - state: present - name: NoNameReleaseOnDemand - data: 1 - type: dword - when: rule_18_4_6 - tags: - - level1 - - level2 - - rule_18.4.6 - - patch - -- name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - state: present - name: PerformRouterDiscovery - data: 0 - type: dword - when: rule_18_4_7 - tags: - - level2 - - rule_18.4.7 - - patch - -- name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" - win_regedit: - path: HKLM:\System\Currentcontrolset\Control\Session Manager - name: SafeDllSearchMode - data: 1 - type: dword - state: present - when: rule_18_4_8 - tags: - - level1 - - level2 - - rule_18.4.8 - - patch - -- name: 
"SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" - win_regedit: - path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon - name: ScreenSaverGracePeriod - data: 5 - type: string - state: present - when: rule_18_4_9 - tags: - - level1 - - level2 - - rule_18.4.9 - - patch - -- name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_10 - tags: - - level2 - - rule_18.4.10 - - patch - -- name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters - name: TcpMaxDataRetransmissions - data: 3 - type: dword - when: rule_18_4_11 - tags: - - level2 - - rule_18.4.11 - - patch - -- name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" - win_regedit: - path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security - name: WarningLevel - data: 90 - type: dword - when: rule_18_4_12 - tags: - - level1 - - level2 - - rule_18.4.12 - - patch - - -- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters - name: NodeType - data: 2 - type: dword - when: - - rule_18_5_4_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.5.4.1 - - patch - -- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off 
multicast name resolution is set to Enabled MS Only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient - name: EnableMulticast - data: 0 - type: dword - when: - - rule_18_5_4_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.5.4.2 - - patch - -- name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableFontProviders - data: 0 - type: dword - when: rule_18_5_5_1 - tags: - - level2 - - rule_18.5.5.1 - - patch - -- name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation - name: AllowInsecureGuestAuth - data: 0 - type: dword - when: rule_18_5_8_1 - tags: - - level1 - - level2 - - rule_18.5.8.1 - - patch - -- name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" - block: - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOndomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowLLTDIOOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableLLTDIO - data: 0 - type: dword - - - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: 
ProhibitLLTDIOOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_1 - tags: - - level2 - - rule_18.5.9.1 - - patch - -- name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" - block: - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnDomain - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: AllowRspndrOnPublicNet - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: EnableRspndr - data: 0 - type: dword - - - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Lltd - name: ProhibitRspndrOnPrivateNet - data: 0 - type: dword - when: rule_18_5_9_2 - tags: - - level2 - - rule_18.5.9.2 - - patch - -- name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Peernet - name: Disabled - data: 1 - type: dword - when: rule_18_5_10_2 - tags: - - level2 - - rule_18.5.10.2 - - patch - -- name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_AllowNetBridge_NLA - data: 0 - type: dword - when: rule_18_5_11_2 - tags: - - level1 - - level2 - - rule_18.5.11.2 - - patch - -- name: "SCORED | 18.5.11.3 | 
PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections - name: NC_ShowSharedAccessUI - data: 0 - type: dword - when: rule_18_5_11_3 - tags: - - level1 - - level2 - - rule_18.5.11.3 - - patch - -- name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections - name: NC_StdDomainUserSetLocation - data: 1 - type: dword - when: rule_18_5_11_4 - tags: - - level1 - - level2 - - rule_18.5.11.4 - - patch - -- name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" - block: - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\NETLOGON" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths - name: "\\\\*\\SYSVOL" - data: "RequireMutualAuthentication=1, RequireIntegrity=1" - type: string - when: rule_18_5_14_1 - tags: - - level1 - - level2 - - rule_18.5.14.1 - - patch - -- name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" - win_regedit: - path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters - name: DisabledComponents - data: 255 - type: dword - when: rule_18_5_19_2_1 - tags: - - 
level2 - - rule_18.5.19.2.1 - - patch - -- name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" - block: - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: EnableRegistrars - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableUPnPRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableInBand802DOT11Registrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableFlashConfigRegistrar - data: 0 - type: dword - - - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars - name: DisableWPDRegistrar - data: 0 - type: dword - when: rule_18_5_20_1 - tags: - - level2 - - rule_18.5.20.1 - - patch - -- name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui - name: DisableWcnUi - data: 1 - type: dword - when: rule_18_5_20_2 - tags: - - level2 - 
- rule_18.5.20.2 - - patch - -- name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fMinimizeConnections - data: 1 - type: dword - when: rule_18_5_21_1 - tags: - - level1 - - level2 - - rule_18.5.21.1 - - patch - -- name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy - name: fBlockNonDomain - data: 1 - type: dword - when: - - rule_18_5_21_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level2 - - rule_18.5.21.2 - - patch - -- name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit - name: ProcessCreationIncludeCmdLine_Enabled - data: 0 - type: dword - when: rule_18_8_3_1 - tags: - - level1 - - level2 - - rule_18.8.3.1 - - patch - - -- name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation - name: AllowProtectedCreds - data: 1 - type: dword - when: rule_18_8_4_1 - tags: - - level1 - - level2 - - rule_18.8.4.1 - - patch - -- name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: EnableVirtualizationBasedSecurity - data: 1 - type: dword - when: - - rule_18_8_5_1 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.1 - - patch - -- name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization 
Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: RequirePlatformSecurityFeatures - data: 3 - type: dword - when: - - rule_18_8_5_2 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.2 - - patch - -- name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HypervisorEnforcedCodeIntegrity - data: 1 - type: dword - when: - - rule_18_8_5_3 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.3 - - patch - -- name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: HVCIMATRequired - data: 1 - type: dword - when: - - rule_18_8_5_4 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.4 - - patch - -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword - when: - - rule_18_8_5_5 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - rule_18.8.5.5 - - patch - -- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard - name: LsaCfgFlags - data: 1 - type: dword - when: - - rule_18_8_5_5 - - ansible_windows_domain_role == "Member server" - tags: - - rule_18.8.5.5 - - patch - -- name: 
"SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" - win_regedit: - path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch - name: DriverLoadPolicy - data: 3 - type: dword - when: rule_18_8_14_1 - tags: - - level1 - - level2 - - rule_18.8.14.1 - - patch - -- name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoBackgroundPolicy - data: 0 - type: dword - when: rule_18_8_21_2 - tags: - - level1 - - level2 - - rule_18.8.21.2 - - patch - -- name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} - name: NoGPOListChanges - data: 0 - type: dword - when: rule_18_8_21_3 - tags: - - level1 - - level2 - - rule_18.8.21.3 - - patch - -- name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System - name: EnableCdp - data: 0 - type: dword - when: rule_18_8_21_4 - tags: - - level1 - - level2 - - rule_18.8.21.4 - - patch - -- name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy - state: absent - delete_key: yes - when: rule_18_8_21_5 - tags: - - level1 - - level2 - - rule_18.8.21.5 - - patch - -- name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableWebPnPDownload - data: 1 - type: dword - when: rule_18_8_22_1_1 - tags: - - level1 - - level2 - - rule_18.8.22.1.1 - - patch - -- name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc - name: PreventHandwritingDataSharing - data: 1 - type: dword - when: rule_18_8_22_1_2 - tags: - - level2 - - rule_18.8.22.1.2 - - patch - -- name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports - name: PreventHandwritingErrorReports - data: 1 - type: dword - when: rule_18_8_22_1_3 - tags: - - level2 - - rule_18.8.22.1.3 - - patch - -- name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard - name: ExitOnMSICW - data: 1 - type: dword - when: rule_18_8_22_1_4 - tags: - - level2 - - rule_18.8.22.1.4 - - patch - -- name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoWebServices - data: 1 - type: dword - when: rule_18_8_22_1_5 - tags: - - level1 - - level2 - - rule_18.8.22.1.5 - - patch - -- name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers - name: DisableHTTPPrinting - data: 1 - type: dword - when: rule_18_8_22_1_6 - tags: - - level1 - - level2 - - rule_18.8.22.1.6 - - patch - -- name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration 
if URL connection is referring to Microsoft.com is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control - name: NoRegistration - data: 1 - type: dword - when: rule_18_8_22_1_7 - tags: - - level2 - - rule_18.8.22.1.7 - - patch - -- name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Searchcompanion - name: DisableContentFileUpdates - data: 1 - type: dword - when: rule_18_8_22_1_8 - tags: - - level2 - - rule_18.8.22.1.8 - - patch - -- name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoOnlinePrintsWizard - data: 1 - type: dword - when: rule_18_8_22_1_9 - tags: - - level2 - - rule_18.8.22.1.9 - - patch - -- name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoPublishingWizard - data: 1 - type: dword - when: rule_18_8_22_1_10 - tags: - - level2 - - rule_18.8.22.1.10 - - patch - -- name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Messenger\Client - name: CEIP - data: 2 - type: dword - when: rule_18_8_22_1_11 - tags: - - level2 - - rule_18.8.22.1.11 - - patch - -- name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows - name: CEIPEnable - data: 0 - type: dword - when: rule_18_8_22_1_12 - tags: - - level2 - - rule_18.8.22.1.12 - - patch - -- name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off 
Windows Error Reporting is set to Enabled" - block: - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting - name: Disabled - data: 1 - type: dword - - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting - name: DoReport - data: 0 - type: dword - when: rule_18_8_22_1_13 - tags: - - level2 - - rule_18.8.22.1.13 - - patch - -- name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic" - block: - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitBehavior - data: 0 - type: dword - - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters - name: DevicePKInitEnabled - data: 1 - type: dword - when: rule_18_8_25_1 - tags: - - level2 - - rule_18.8.25.1 - - patch - -- name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Control Panel\International - name: BlockUserInputMethodsForSignIn - data: 1 - type: dword - when: rule_18_8_26_1 - tags: - - level2 - - rule_18.8.26.1 - - patch - -- name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockUserFromShowingAccountDetailsOnSignin - data: 1 - type: dword - when: rule_18_8_27_1 - tags: - - level1 - - level2 - - rule_18.8.27.1 - - patch - -- name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontDisplayNetworkSelectionUI - data: 1 - type: dword - when: rule_18_8_27_2 - tags: - - level1 - - level2 - - rule_18.8.27.2 - - patch - -- name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DontEnumerateConnectedUsers - data: 1 - type: dword - when: rule_18_8_27_3 - tags: - - level1 - - level2 - - rule_18.8.27.3 - - patch - -- name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: EnumerateLocalUsers - data: 0 - type: dword - when: rule_18_8_27_4 - tags: - - level1 - - level2 - - rule_18.8.27.4 - - patch - -- name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: DisableLockScreenAppNotifications - data: 1 - type: dword - when: rule_18_8_27_5 - tags: - - level1 - - level2 - - rule_18.8.27.5 - - patch - -- name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\System - name: BlockDomainPicturePassword - data: 1 - type: dword - when: rule_18_8_27_6 - tags: - - level1 - - level2 - - rule_18.8.27.6 - - patch - -- name: "SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\System - name: AllowDomainPINLogon - data: 0 - type: dword - when: rule_18_8_27_7 - tags: - - level1 - - level2 - - rule_18.8.27.7 - - patch - -- name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions - name: MitigationOptions_FontBocking - data: 0 - type: dword - when: rule_18_8_28_1 - tags: - - level1 - - level2 - - rule_18.8.28.1 - - patch - -- name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9 - name: ACSettingIndex - data: 0 - type: dword - when: rule_18_8_33_6_2 - tags: - - level2 - - rule_18.8.33.6.2 - - patch - -- name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 - name: DCSettingIndex - data: 1 - type: dword - when: rule_18_8_33_6_3 - tags: - - level1 - - level2 - - rule_18.8.33.6.3 - - patch - -- name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 - name: ACSettingIndex - data: 1 - type: dword - when: rule_18_8_33_6_4 - tags: - - level1 - - level2 - - rule_18.8.33.6.4 - - patch - -- name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fAllowUnsolicited - data: 0 - type: dword - when: rule_18_8_35_1 - tags: - - level1 - - level2 - - rule_18.8.35.1 - - patch - -- name: "SCORED | 
18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fAllowToGetHelp - data: 0 - type: dword - when: rule_18_8_35_2 - tags: - - level1 - - level2 - - rule_18.8.35.2 - - patch - -- name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc - name: EnableAuthEpResolution - data: 1 - type: dword - when: - - rule_18_8_36_1 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level1 - - level2 - - rule_18.8.36.1 - - patch - -- name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc - name: RestrictRemoteClients - data: 1 - type: dword - when: - - rule_18_8_36_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level2 - - rule_18.8.36.2 - - patch - -- name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy - name: DisableQueryRemoteServer - data: 0 - type: dword - when: rule_18_8_44_5_1 - tags: - - level2 - - rule_18.8.44.5.1 - - patch - -- name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D} - name: ScenarioExecutionEnabled - data: 0 - type: dword - when: rule_18_8_44_11_1 - tags: - - level2 - - rule_18.8.44.11.1 - - patch - -- name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled" - win_regedit: - path: 
HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo - name: DisabledByGroupPolicy - data: 1 - type: dword - when: rule_18_8_46_1 - tags: - - level2 - - rule_18.8.46.1 - - patch - -- name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient - name: Enabled - data: 1 - type: dword - when: rule_18_8_49_1_1 - tags: - - level2 - - rule_18.8.49.1.1 - - patch - -- name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver - name: Enabled - data: 1 - type: dword - when: - - rule_18_8_49_1_2 - - not ansible_windows_domain_role == "Primary domain controller" - tags: - - level2 - - rule_18.8.49.1.2 - - patch - -- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager - name: AllowSharedLocalAppData - data: 0 - type: dword - when: rule_18_9_4_1 - tags: - - level2 - - rule_18.9.4.1 - - patch - -- name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System - name: MSAOptional - data: 1 - type: dword - when: rule_18_9_6_1 - tags: - - level1 - - level2 - - rule_18.9.6.1 - - patch - -- name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoAutoplayfornonVolume - data: 1 - type: dword - when: rule_18_9_8_1 - tags: - - level1 - - level2 - - rule_18.9.8.1 - - patch - -- name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun 
commands" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoAutorun - data: 1 - type: dword - when: rule_18_9_8_2 - tags: - - level1 - - level2 - - rule_18.9.8.2 - - patch - -- name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: NoDriveTypeAutoRun - data: 255 - type: dword - when: rule_18_9_8_3 - tags: - - level1 - - level2 - - rule_18.9.8.3 - - patch - -- name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures - name: EnhancedAntiSpoofing - data: 1 - type: dword - when: rule_18_9_10_1_1 - tags: - - level1 - - level2 - - rule_18.9.10.1.1 - - patch - -- name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Camera - name: AllowCamera - data: 1 - type: dword - when: rule_18_9_12_1 - tags: - - level2 - - rule_18.9.12.1 - - patch - -- name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent - name: DisableWindowsConsumerFeatures - data: 1 - type: dword - when: rule_18_9_13_1 - tags: - - level1 - - level2 - - rule_18.9.13.1 - - patch - -- name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always" - win_regedit: - path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect - name: RequirePinForPairing - data: 1 - type: dword - when: rule_18_9_14_1 - tags: - - level1 - - level2 - - rule_18.9.14.1 - - patch - -- name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Credui - name: 
DisablePasswordReveal - data: 1 - type: dword - when: rule_18_9_15_1 - tags: - - level1 - - level2 - - rule_18.9.15.1 - - patch - -- name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui - name: EnumerateAdministrators - data: 0 - type: dword - when: rule_18_9_15_2 - tags: - - level1 - - level2 - - rule_18.9.15.2 - - patch - -- name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: AllowTelemetry - data: 0 - type: dword - when: rule_18_9_16_1 - tags: - - level1 - - level2 - - rule_18.9.16.1 - - patch - -- name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DisableEnterpriseAuthProxy - data: 0 - type: dword - when: rule_18_9_16_2 - tags: - - level2 - - rule_18.9.16.2 - - patch - -- name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds - name: EnableConfigFlighting - data: 01 - type: dword - when: rule_18_9_16_3 - tags: - - level1 - - level2 - - rule_18.9.16.3 - - patch - -- name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection - name: DoNotShowFeedbackNotifications - data: 1 - type: dword - when: rule_18_9_16_4 - tags: - - level1 - - level2 - - rule_18.9.16.4 - - patch - -- name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled" - 
win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds - name: AllowBuildPreview - data: 0 - type: dword - when: rule_18_9_16_5 - tags: - - level1 - - level2 - - rule_18.9.16.5 - - patch - -- name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application - name: Retention - data: 0 - type: dword - when: rule_18_9_26_1_1 - tags: - - level1 - - level2 - - rule_18.9.26.1.1 - - patch - -- name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application - name: MaxSize - data: 65538 - type: dword - when: rule_18_9_26_1_2 - tags: - - level1 - - level2 - - rule_18.9.26.1.2 - - patch - -- name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: Retention - data: 0 - type: string - when: rule_18_9_26_2_1 - tags: - - level1 - - level2 - - rule_18.9.26.2.1 - - patch - -- name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security - name: MaxSize - data: 196608 - type: dword - when: rule_18_9_26_2_2 - tags: - - level1 - - level2 - - rule_18.9.26.2.2 - - patch - -- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application - name: Retention - data: 0 - type: string - when: rule_18_9_26_3_1 - tags: - - level1 - - level2 - - rule_18.9.26.3.1 
- - patch - -- name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup - name: MaxSize - data: 32768 - type: dword - when: rule_18_9_26_3_2 - tags: - - level1 - - level2 - - rule_18.9.26.3.2 - - patch - -- name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: Retention - data: 0 - type: string - when: rule_18_9_26_4_1 - tags: - - level1 - - level2 - - rule_18.9.26.4.1 - - patch - -- name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System - name: MaxSize - data: 65538 - type: dword - when: rule_18_9_26_4_2 - tags: - - level1 - - level2 - - rule_18.9.26.4.2 - - patch - -- name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoDataExecutionPrevention - data: 0 - type: dword - when: rule_18_9_30_2 - tags: - - level1 - - level2 - - rule_18.9.30.2 - - patch - -- name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Explorer - name: NoHeapTerminationOnCorruption - data: 0 - type: dword - when: rule_18_9_30_3 - tags: - - level1 - - level2 - - rule_18.9.30.3 - - patch - -- name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled" - win_regedit: - path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer - name: PreXPSP2ShellProtocolBehavior - data: 0 - type: dword - when: 
rule_18_9_30_4 - tags: - - level1 - - level2 - - rule_18.9.30.4 - - patch - -- name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors - name: DisableLocation - data: 1 - type: dword - when: rule_18_9_39_2 - tags: - - level2 - - rule_18.9.39.2 - - patch - -- name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Messaging - name: AllowMessageSync - data: 0 - type: dword - when: rule_18_9_43_1 - tags: - - level2 - - rule_18.9.43.1 - - patch - -- name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount - name: DisableUserAuth - data: 1 - type: dword - when: rule_18_9_44_1 - tags: - - level1 - - level2 - - rule_18.9.44.1 - - patch - -- name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive - name: DisableFileSyncNGSC - data: 1 - type: dword - when: rule_18_9_52_1 - tags: - - level1 - - level2 - - rule_18.9.52.1 - - patch - -- name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: DisablePasswordSaving - data: 1 - type: dword - when: rule_18_9_58_2_2 - tags: - - level1 - - level2 - - rule_18.9.58.2.2 - - patch - -- name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fSingleSessionPerUser - data: 1 - type: dword - when: rule_18_9_58_3_2_1 - tags: - - level2 - - 
rule_18.9.58.3.2.1 - - patch - -- name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCcm - data: 1 - type: dword - when: rule_18_9_58_3_3_1 - tags: - - level2 - - rule_18.9.58.3.3.1 - - patch - -- name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableCdm - data: 1 - type: dword - when: rule_18_9_58_3_3_2 - tags: - - level1 - - level2 - - rule_18.9.58.3.3.2 - - patch - -- name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisableLPT - data: 1 - type: dword - when: rule_18_9_58_3_3_3 - tags: - - level2 - - rule_18.9.58.3.3.3 - - patch - -- name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fDisablePNPRedir - data: 1 - type: dword - when: rule_18_9_58_3_3_4 - tags: - - level2 - - rule_18.9.58.3.3.4 - - patch - -- name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fPromptForPassword - data: 1 - type: dword - when: rule_18_9_58_3_9_1 - tags: - - level1 - - level2 - - rule_18.9.58.3.9.1 - - patch - -- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled" - win_regedit: - path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services - name: fEncryptRPCTraffic - data: 1 - type: dword - when: rule_18_9_58_3_9_2 - tags: - - level1 - - level2 - - rule_18.9.58.3.9.2 
-    - audit
-
-- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
-    name: fEncryptRPCTraffic
-    data: 1
-    type: dword
-  when: rule_18_9_58_3_9_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.58.3.9.2
-    - patch
-
-- name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
-    name: MinEncryptionLevel
-    data: 3
-    type: dword
-  when: rule_18_9_58_3_9_3
-  tags:
-    - level1
-    - level2
-    - rule_18.9.58.3.9.3
-    - patch
-
-- name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
-    name: MaxIdleTime
-    data: 3600000
-    type: dword
-  when: rule_18_9_58_3_10_1
-  tags:
-    - level2
-    - rule_18.9.58.3.10.1
-    - patch
-
-- name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
-    name: MaxDisconnectionTime
-    data: 28800000
-    type: dword
-  when: rule_18_9_58_3_10_2
-  tags:
-    - level2
-    - rule_18.9.58.3.10.2
-    - patch
-
-- name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
-    name: DeleteTempDirsOnExit
-    data: 1
-    type: dword
-  when: rule_18_9_58_3_11_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.58.3.11.1
-    - patch
-
-- name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
-    name: PerSessionTempDir
-    data: 1
-    type: dword
-  when: rule_18_9_58_3_11_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.58.3.11.2
-    - patch
-
-- name: "SCORED | 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
-    name: DisableEnclosureDownload
-    data: 1
-    type: dword
-  when: rule_18_9_59_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.59.1
-    - patch
-
-- name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
-    name: AllowCloudSearch
-    data: 0
-    type: dword
-  when: rule_18_9_60_2
-  tags:
-    - level2
-    - rule_18.9.60.2
-    - patch
-
-- name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
-    name: AllowIndexingEncryptedStoresOrItems
-    data: 0
-    type: dword
-  when: rule_18_9_60_3
-  tags:
-    - level1
-    - level2
-    - rule_18.9.60.3
-    - patch
-
-- name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
-    name: NoGenTicket
-    data: 1
-    type: dword
-  when: rule_18_9_65_1
-  tags:
-    - level2
-    - rule_18.9.65.1
-    - patch
-
-- name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
-    name: LocalSettingOverrideSpynetReporting
-    data: 0
-    type: dword
-  when: rule_18_9_76_3_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.3.1
-    - patch
-
-- name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
-    name: SpynetReporting
-    data: 0
-    type: dword
-  when: rule_18_9_76_3_2
-  tags:
-    - level2
-    - rule_18.9.76.3.2
-    - patch
-
-- name: "SCORED | 18.9.76.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
-    name: DisableBehaviorMonitoring
-    data: 0
-    type: dword
-  when: rule_18_9_76_7_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.7.1
-    - patch
-
-- name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
-    name: DisableGenericRePorts
-    data: 1
-    type: dword
-  when: rule_18_9_76_9_1
-  tags:
-    - level2
-    - rule_18.9.76.9.1
-    - patch
-
-- name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
-    name: DisableRemovableDriveScanning
-    data: 0
-    type: dword
-  when: rule_18_9_76_10_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.10.1
-    - patch
-
-- name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
-    name: DisableEmailScanning
-    data: 0
-    type: dword
-  when: rule_18_9_76_10_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.10.2
-    - patch
-
-- name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
-    name: ExploitGuard_ASR_Rules
-    data: 1
-    type: dword
-  when: rule_18_9_76_13_1_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.13.1.1
-    - patch
-
-- name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
-    name: "{{ item }}"
-    data: 1
-    type: string # aka REG_SZ
-  loop:
-    - 26190899-1602-49e8-8b27-eb1d0a1ce869
-    - 3b576869-a4ec-4529-8536-b80a7769e899
-    - 5beb7efe-fd9a-4556-801d-275e5ffc04cc
-    - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
-    - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-    - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
-    - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-    - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-    - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
-    - d3e037e1-3eb8-44c8-a917-57927947596d
-    - d4f940ab-401b-4efc-aadc-ad5f3c50688a
-  when: rule_18_9_76_13_1_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.13.1.2
-    - patch
-
-- name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
-    name: ExploitGuard_ASR_Rules
-    data: 1
-    type: dword
-  when: rule_18_9_76_13_3_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.13.3.1
-    - patch
-
-- name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender
-    name: DisableAntiSpyware
-    data: 0
-    type: dword
-  when: rule_18_9_76_14
-  tags:
-    - level1
-    - level2
-    - rule_18.9.76.14
-    - patch
-
-- name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
-    name: DisallowExploitProtectionOverride
-    data: 1
-    type: dword
-  when: rule_18_9_79_1_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.79.1.1
-    - patch
-
-- name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass"
-  block:
-    - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen"
-      win_regedit:
-        path: HKLM:\Software\Policies\Microsoft\Windows\System
-        name: EnableSmartScreen
-        data: 1
-        type: dword
-    - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel"
-      win_regedit:
-        path: HKLM:\Software\Policies\Microsoft\Windows\System
-        name: ShellSmartScreenLevel
-        data: Block
-        type: string
-  when: rule_18_9_80_1_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.80.1.1
-    - patch
-
-- name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace
-    name: AllowSuggestedAppsInWindowsInkWorkspace
-    data: 0
-    type: dword
-  when: rule_18_9_84_1
-  tags:
-    - level2
-    - rule_18.9.84.1
-    - patch
-
-- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On"
-  win_regedit:
-    path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
-    name: AllowWindowsInkWorkspace
-    data: 1
-    type: dword
-  when: rule_18_9_84_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.84.2
-    - patch
-
-- name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Installer
-    name: EnableUserControl
-    data: 0
-    type: dword
-  when: rule_18_9_85_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.85.1
-    - patch
-
-- name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Installer
-    name: AlwaysInstallElevated
-    data: 0
-    type: dword
-  when: rule_18_9_85_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.85.2
-    - patch
-
-- name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Installer
-    name: SafeForScripting
-    data: 0
-    type: dword
-  when: rule_18_9_85_3
-  tags:
-    - level2
-    - rule_18.9.85.3
-    - patch
-
-- name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
-    name: DisableAutomaticRestartSignOn
-    data: 1
-    type: dword
-  when: rule_18_9_86_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.86.1
-    - patch
-
-- name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
-    name: EnableScriptBlockLogging
-    data: 1
-    type: dword
-  when: rule_18_9_95_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.95.1
-    - patch
-
-- name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
-    name: EnableTranscripting
-    data: 1
-    type: dword
-  when: rule_18_9_95_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.95.2
-    - patch
-
-- name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
-    name: AllowBasic
-    data: 0
-    type: dword
-  when: rule_18_9_97_1_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.97.1.1
-    - patch
-
-- name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
-    name: AllowUnencryptedTraffic
-    data: 0
-    type: dword
-  when: rule_18_9_97_1_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.97.1.2
-    - patch
-
-- name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
-    name: AllowDigest
-    data: 0
-    type: dword
-  when: rule_18_9_97_1_3
-  tags:
-    - level1
-    - level2
-    - rule_18.9.97.1.3
-    - patch
-
-- name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
-    name: AllowBasic
-    data: 0
-    type: dword
-  when: rule_18_9_97_2_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.97.2.1
-    - patch
-
-#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
-- name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
-    name: AllowAutoConfig
-    data: 1
-    type: dword
-  when:
-    - rule_18_9_97_2_2
-    - is_implemented
-  tags:
-    - level2
-    - rule_18.9.97.2.2
-    - patch
-
-- name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
-    name: AllowUnencryptedTraffic
-    data: 0
-    type: dword
-  when: rule_18_9_97_2_3
-  tags:
-    - level1
-    - level2
-    - rule_18.9.97.2.3
-    - patch
-
-- name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
-    name: DisableRunAs
-    data: 1
-    type: dword
-  when: rule_18_9_97_2_4
-  tags:
-    - level1
-    - level2
-    - rule_18.9.97.2.4
-    - patch
-
-#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
-- name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
-    name: AllowRemoteShellAccess
-    data: 1
-    type: dword
-  when:
-    - rule_18_9_98_1
-    - is_implemented
-  tags:
-    - level2
-    - rule_18.9.98.1
-    - patch
-
-- name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds"
-  block:
-    - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
-      win_regedit:
-        path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
-        name: ManagePreviewBuilds
-        data: 1
-        type: dword
-    - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
-      win_regedit:
-        path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
-        name: ManagePreviewBuildsPolicyValue
-        data: 0
-        type: dword
-  when: rule_18_9_101_1_1
-  tags:
-    - level1
-    - level2
-    - rule_18.9.101.1.1
-    - patch
-
-- name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days"
-  block:
-    - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates"
-      win_regedit:
-        path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
-        name: DeferFeatureUpdates
-        data: 1
-        type: dword
-    - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays"
-      win_regedit:
-        path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
-        name: DeferFeatureUpdatesPeriodInDays
-        data: 180
-        type: dword
-    - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel"
-      win_regedit:
-        path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
-        name: BranchReadinessLevel
-        data: 16
-        type: dword
-  when: rule_18_9_101_1_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.101.1.2
-    - patch
-
-- name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days"
-  block:
-    - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates"
-      win_regedit:
-        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
-        name: DeferQualityUpdates
-        data: 1
-        type: dword
-    - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays"
-      win_regedit:
-        path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
-        name: DeferQualityUpdatesPeriodInDays
-        data: 0
-        type: dword
-  when: rule_18_9_101_1_3
-  tags:
-    - level1
-    - level2
-    - rule_18.9.101.1.3
-    - patch
-
-- name: "SCORED | 18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
-    name: NoAutoUpdate
-    data: 0
-    type: dword
-  when: rule_18_9_101_2
-  tags:
-    - level1
-    - level2
-    - rule_18.9.101.2
-    - patch
-
-- name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
-    name: ScheduledInstallDay
-    data: 0
-    type: dword
-  when: rule_18_9_101_3
-  tags:
-    - level1
-    - level2
-    - rule_18.9.101.3
-    - patch
-
-- name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
-  win_regedit:
-    path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
-    name: NoAutoRebootWithLoggedOnUsers
-    data: 0
-    type: dword
-  when: rule_18_9_101_4
-  tags:
-    - level1
-    - level2
-    - rule_18.9.101.4
-    - patch
-