diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c46be6d --- /dev/null +++ b/.gitignore @@ -0,0 +1,42 @@ +.env +*.log +*.retry +.vagrant +tests/*redhat-subscription +tests/Dockerfile +*.iso +*.box +packer_cache +delete* +ignore* +# VSCode +.vscode + +# Byte-compiled / optimized / DLL files +__pycache__/ +*.py[cod] +*$py.class + +# DS_Store +.DS_Store +._* + +# Linux Editors +*~ +\#*\# +/.emacs.desktop +/.emacs.desktop.lock +.elc +auto-save-list +tramp +.\#* +*.swp +*.swo +rh-creds.env +travis.env + +# Lockdown-specific +benchparse/ +*xccdf.xml +*.retry + diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst new file mode 100644 index 0000000..14a8ffe --- /dev/null +++ b/CONTRIBUTING.rst 
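Review bot: `*.retry` appears twice in this hunk, once near the top of the file and again under `# Lockdown-specific`; one of them should go. Several entries (`tests/*redhat-subscription`, `rh-creds.env`, `/.emacs.desktop*`) look carried over from a Linux-oriented role into this Windows Server role — harmless, but worth pruning so the file documents what this repository actually produces. `delete*` and `ignore*` are also broad enough to hide real tracked files whose names start with those words; anchoring them (e.g. `/delete*`) or adding a short comment on what they are meant to catch would make the intent clear.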
@@ -0,0 +1,53 @@ +Contributing to MindPoint Group Projects +======================================== + +Signing your contribution +------------------------- + +We've chosen to use the Developer's Certificate of Origin (DCO) method +that is employed by the Linux Kernel Project, which provides a simple +way to contribute to MindPoint Group projects. + +The process is to certify the below DCO 1.1 text +:: + + Developer's Certificate of Origin 1.1 + + By making a contribution to this project, I certify that: + + (a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + + (b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + + (c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + + (d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +:: + +Then, when it comes time to submit a contribution, include the +following text in your contribution commit message: + +:: + + Signed-off-by: Joan Doe + +:: + + +This message can be entered manually, or if you have configured git +with the correct `user.name` and `user.email`, you can use the `-s` +option to `git commit` to automatically include the signoff message. diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..c3ae2c5 --- /dev/null 
+++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2020 Mindpoint Group / Lockdown Enterprise + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..5b80abe --- /dev/null +++ b/README.md @@ -0,0 +1,11 @@ +Windows Server 2016 CIS +========= + +Configure a Windows Server 2016 system to be CIS compliant. + +This role is based on CIS Microsoft Windows Server 2016 RTM: [Version 1.1.0 Rel 1607 released on October 21, 2018] (https://workbench.cisecurity.org/benchmarks/835). + +Requirements +------------ + +Windows Server 2016 - Other versions are not supported. \ No newline at end of file diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..4c19e55 --- /dev/null +++ b/Vagrantfile 
@@ -0,0 +1,25 @@
+Vagrant.configure("2") do |config|
+
+ config.vm.box = "mindpointgroup/windowsserver2016-winrm"
+ # config.vm.box = "mindpointgroup/windowsserver2016-DC"
+ config.vm.guest = :windows
+ config.winrm.retry_limit = 30
+ config.winrm.retry_delay = 120
+ config.vm.provider "virtualbox" do |vb|
+ vb.cpus = 2
+ vb.memory = 8192
+ end
+
+ config.vm.communicator = "winrm"
+ config.vm.provision "ansible" do |ansible|
+ ansible.playbook = "site.yml"
+ # ansible.verbose = "vvvvv"
+ ansible.host_vars = {
+ "default" => { "ansible_winrm_scheme" => "http" }
+ }
+ ansible.raw_arguments = [
+ "-e 'ansible_connection=winrm ansible_port=5985 ansible_winrm_server_cert_validation=ignore ansible_user=vagrant ansible_password=vagrant'"
+ ]
+ end
+ config.vm.boot_timeout = 500
+end
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..bf26961
--- /dev/null
+++ b/defaults/main.yml
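Review bot: The `ansible.host_vars` / `ansible.raw_arguments` pair sets `ansible_winrm_scheme` to `http` on port 5985, disables certificate validation and passes the stock `vagrant`/`vagrant` credentials inline, so the entire provisioning session including those credentials crosses the wire in cleartext, and nothing in the file says this is acceptable only for a throwaway local VM. A one-line comment above `config.vm.provision "ansible"` would make the boundary explicit: `# Local VirtualBox dev box only: plaintext WinRM (5985) and stock vagrant creds; anything reachable off-host needs the HTTPS listener and real credentials.` `ansible_winrm_server_cert_validation=ignore` appears to be a no-op while the scheme is `http`, so it is presumably a leftover from an HTTPS variant and could be dropped or commented. Note also that `retry_limit = 30` with `retry_delay = 120` lets a failed WinRM connect sit for up to an hour before Vagrant gives up, which is worth stating next to those two lines.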
@@ -0,0 +1,439 @@ +--- +section01_patch: yes +section02_patch: yes +section17_patch: yes +section18_patch: yes +section19_patch: yes + +min_ansible_version: "2.6" + +# We've defined complexity-high to mean that we cannot automatically remediate +# the rule in question. In the future this might mean that the remediation +# may fail in some cases. +complexity_high: no + +# Show "changed" for complex items not remediated per complexity-high setting +# to make them stand out. "changed" items on a second run of the role would +# indicate items requiring manual review. +audit_complex: yes + +# We've defined disruption-high to indicate items that are likely to cause +# disruption in a normal workflow. These items can be remediated automatically +# but are disabled by default to avoid disruption. +disruption_high: no + +# Show "changed" for disruptive items not remediated per disruption-high +# setting to make them stand out. +audit_disruptive: yes + +skip_for_travis: false + +workaround_for_disa_benchmark: true +workaround_for_ssg_benchmark: true + +# tweak role to run in a non-privileged container +system_is_container: no + +#set to false to skip tasks that either have not been developed or cannot be automated +is_implemented: false + +#set to false to skip long running tasks +long_running: false + + +# These variables correspond with the STIG IDs defined in the STIG and allows you to enable/disable specific rules. +# PLEASE NOTE: These work in coordination with the cat1, cat2, cat3 group variables. You must enable an entire group +# in order for the variables below to take effect. 
+ +# section01 +rule_1_1_1: true +rule_1_1_2: true +rule_1_1_3: true +rule_1_1_4: true +rule_1_1_5: true +rule_1_1_6: true +rule_1_2_1: true +rule_1_2_2: true +rule_1_2_3: true + +# section02 +rule_2_2_1: true +rule_2_2_2: true +rule_2_2_3: true +rule_2_2_4: true +rule_2_2_5: true +rule_2_2_6: true +rule_2_2_7: true +rule_2_2_8: true +rule_2_2_9: true +rule_2_2_10: true +rule_2_2_11: true +rule_2_2_12: true +rule_2_2_13: true +rule_2_2_14: true +rule_2_2_15: true +rule_2_2_16: true +rule_2_2_17: true +rule_2_2_18: true +rule_2_2_19: true +rule_2_2_20: true +rule_2_2_21: true +rule_2_2_22: true +rule_2_2_23: true +rule_2_2_24: true +rule_2_2_25: true +rule_2_2_26: true +rule_2_2_27: true +rule_2_2_28: true +rule_2_2_29: true +rule_2_2_30: true +rule_2_2_31: true +rule_2_2_32: true +rule_2_2_33: true +rule_2_2_34: true +rule_2_2_35: true +rule_2_2_36: true +rule_2_2_37: true +rule_2_2_38: true +rule_2_2_39: true +rule_2_2_40: true +rule_2_2_41: true +rule_2_2_42: true +rule_2_2_43: true +rule_2_2_44: true +rule_2_2_45: true +rule_2_2_46: true +rule_2_2_47: true +rule_2_2_48: true +rule_2_3_1_1: true +rule_2_3_1_2: true +rule_2_3_1_3: true +rule_2_3_1_4: true +rule_2_3_1_5: true +rule_2_3_1_6: true +rule_2_3_2_1: true +rule_2_3_2_2: true +rule_2_3_4_1: true +rule_2_3_4_2: true +rule_2_3_5_1: true +rule_2_3_5_2: true +rule_2_3_5_3: true +rule_2_3_6_1: true +rule_2_3_6_2: true +rule_2_3_6_3: true +rule_2_3_6_4: true +rule_2_3_6_5: true +rule_2_3_6_6: true +rule_2_3_7_1: true +rule_2_3_7_2: true +rule_2_3_7_3: true +rule_2_3_7_4: true +rule_2_3_7_5: true +rule_2_3_7_6: true +rule_2_3_7_7: true +rule_2_3_7_8: true +rule_2_3_7_9: true +rule_2_3_8_1: true +rule_2_3_8_2: true +rule_2_3_8_3: true +rule_2_3_9_1: true +rule_2_3_9_2: true +rule_2_3_9_3: true +rule_2_3_9_4: true +rule_2_3_9_5: true +rule_2_3_10_1: true +rule_2_3_10_2: true +rule_2_3_10_3: true +rule_2_3_10_4: true +rule_2_3_10_5: true +rule_2_3_10_6: true +rule_2_3_10_7: true +rule_2_3_10_8: true +rule_2_3_10_9: 
true +rule_2_3_10_10: true +rule_2_3_10_11: true +rule_2_3_10_12: true +rule_2_3_10_13: true +rule_2_3_11_1: true +rule_2_3_11_2: true +rule_2_3_11_3: true +rule_2_3_11_4: true +rule_2_3_11_5: true +rule_2_3_11_6: true +rule_2_3_11_7: true +rule_2_3_11_8: true +rule_2_3_11_9: true +rule_2_3_11_10: true +rule_2_3_13_1: true +rule_2_3_15_1: true +rule_2_3_15_2: true +rule_2_3_17_1: true +rule_2_3_17_2: true +rule_2_3_17_3: true +rule_2_3_17_4: true +rule_2_3_17_5: true +rule_2_3_17_6: true +rule_2_3_17_7: true +rule_2_3_17_8: true +rule_2_3_17_9: true + +# section17 +rule_17_1_1: true +rule_17_2_1: true +rule_17_2_2: true +rule_17_2_3: true +rule_17_2_4: true +rule_17_2_5: true +rule_17_2_6: true +rule_17_3_1: true +rule_17_3_2: true +rule_17_4_1: true +rule_17_4_2: true +rule_17_5_1: true +rule_17_5_2: true +rule_17_5_3: true +rule_17_5_4: true +rule_17_5_5: true +rule_17_5_6: true +rule_17_6_1: true +rule_17_6_2: true +rule_17_7_1: true +rule_17_7_2: true +rule_17_7_3: true +rule_17_8_1: true +rule_17_9_1: true +rule_17_9_2: true +rule_17_9_3: true +rule_17_9_4: true +rule_17_9_5: true + +# section18 +rule_18_1_1_1: true +rule_18_1_1_2: true +rule_18_1_2_2: true +rule_18_1_3: true +rule_18_2_1: true +rule_18_2_2: true +rule_18_2_3: true +rule_18_2_4: true +rule_18_2_5: true +rule_18_2_6: true +rule_18_3_1: true +rule_18_3_2: true +rule_18_3_3: true +rule_18_3_4: true +rule_18_3_5: true +rule_18_3_6: true +rule_18_4_1: true +rule_18_4_2: true +rule_18_4_3: true +rule_18_4_4: true +rule_18_4_5: true +rule_18_4_6: true +rule_18_4_7: true +rule_18_4_8: true +rule_18_4_9: true +rule_18_4_10: true +rule_18_4_11: true +rule_18_4_12: true +rule_18_5_4_1: true +rule_18_5_4_2: true +rule_18_5_5_1: true +rule_18_5_8_1: true +rule_18_5_9_1: true +rule_18_5_9_2: true +rule_18_5_10_2: true +rule_18_5_11_2: true +rule_18_5_11_3: true +rule_18_5_11_4: true +rule_18_5_14_1: true +rule_18_5_19_2_1: true +rule_18_5_20_1: true +rule_18_5_20_2: true +rule_18_5_21_1: true 
+rule_18_5_21_2: true +rule_18_8_3_1: true +rule_18_8_4_1: true +rule_18_8_5_1: true +rule_18_8_5_2: true +rule_18_8_5_3: true +rule_18_8_5_4: true +rule_18_8_5_5: true +rule_18_8_14_1: true +rule_18_8_21_2: true +rule_18_8_21_3: true +rule_18_8_21_4: true +rule_18_8_21_5: true +rule_18_8_22_1_1: true +rule_18_8_22_1_2: true +rule_18_8_22_1_3: true +rule_18_8_22_1_4: true +rule_18_8_22_1_5: true +rule_18_8_22_1_6: true +rule_18_8_22_1_7: true +rule_18_8_22_1_8: true +rule_18_8_22_1_9: true +rule_18_8_22_1_10: true +rule_18_8_22_1_11: true +rule_18_8_22_1_12: true +rule_18_8_22_1_13: true +rule_18_8_25_1: true +rule_18_8_26_1: true +rule_18_8_27_1: true +rule_18_8_27_2: true +rule_18_8_27_3: true +rule_18_8_27_4: true +rule_18_8_27_5: true +rule_18_8_27_6: true +rule_18_8_27_7: true +rule_18_8_28_1: true +rule_18_8_33_6_2: true +rule_18_8_33_6_3: true +rule_18_8_33_6_4: true +rule_18_8_35_1: true +rule_18_8_35_2: true +rule_18_8_36_1: true +rule_18_8_36_2: true +rule_18_8_44_5_1: true +rule_18_8_44_11_1: true +rule_18_8_46_1: true +rule_18_8_49_1_1: true +rule_18_8_49_1_2: true +rule_18_9_4_1: true +rule_18_9_6_1: true +rule_18_9_8_1: true +rule_18_9_8_2: true +rule_18_9_8_3: true +rule_18_9_10_1_1: true +rule_18_9_12_1: true +rule_18_9_13_1: true +rule_18_9_14_1: true +rule_18_9_15_1: true +rule_18_9_15_2: true +rule_18_9_16_1: true +rule_18_9_16_2: true +rule_18_9_16_3: true +rule_18_9_16_4: true +rule_18_9_16_5: true +rule_18_9_26_1_1: true +rule_18_9_26_1_2: true +rule_18_9_26_2_1: true +rule_18_9_26_2_2: true +rule_18_9_26_3_1: true +rule_18_9_26_3_2: true +rule_18_9_26_4_1: true +rule_18_9_26_4_2: true +rule_18_9_30_2: true +rule_18_9_30_3: true +rule_18_9_30_4: true +rule_18_9_39_2: true +rule_18_9_43_1: true +rule_18_9_44_1: true +rule_18_9_52_1: true +rule_18_9_58_2_2: true +rule_18_9_58_3_2_1: true +rule_18_9_58_3_3_1: true +rule_18_9_58_3_3_2: true +rule_18_9_58_3_3_3: true +rule_18_9_58_3_3_4: true +rule_18_9_58_3_9_1: true +rule_18_9_58_3_9_2: true 
+rule_18_9_58_3_9_3: true +rule_18_9_58_3_10_1: true +rule_18_9_58_3_10_2: true +rule_18_9_58_3_11_1: true +rule_18_9_58_3_11_2: true +rule_18_9_59_1: true +rule_18_9_60_2: true +rule_18_9_60_3: true +rule_18_9_65_1: true +rule_18_9_76_3_1: true +rule_18_9_76_3_2: true +rule_18_9_76_7_1: true +rule_18_9_76_9_1: true +rule_18_9_76_10_1: true +rule_18_9_76_10_2: true +rule_18_9_76_13_1_1: true +rule_18_9_76_13_1_2: true +rule_18_9_76_13_3_1: true +rule_18_9_76_14: true +rule_18_9_79_1_1: true +rule_18_9_80_1_1: true +rule_18_9_84_1: true +rule_18_9_84_2: true +rule_18_9_85_1: true +rule_18_9_85_2: true +rule_18_9_85_3: true +rule_18_9_86_1: true +rule_18_9_95_1: true +rule_18_9_95_2: true +rule_18_9_97_1_1: true +rule_18_9_97_1_2: true +rule_18_9_97_1_3: true +rule_18_9_97_2_1: true +rule_18_9_97_2_2: true +rule_18_9_97_2_3: true +rule_18_9_97_2_4: true +rule_18_9_98_1: true +rule_18_9_101_1_1: true +rule_18_9_101_1_2: true +rule_18_9_101_1_3: true +rule_18_9_101_2: true +rule_18_9_101_3: true +rule_18_9_101_4: true + +# section19 +rule_19_1_3_1: true +rule_19_1_3_2: true +rule_19_1_3_3: true +rule_19_1_3_4: true +rule_19_5_1_1: true +rule_19_6_5_1_1: true +rule_19_7_4_1: true +rule_19_7_4_2: true +rule_19_7_7_1: true +rule_19_7_7_2: true +rule_19_7_7_3: true +rule_19_7_7_4: true +rule_19_7_26_1: true +rule_19_7_40_1: true +rule_19_7_44_2_1: true + + +# This SID is the same for standalone, member, domain controller for 'Administrators' group +sedebugprivilege: "*S-1-5-32-544" + +pass_age: 60 + +lockoutduration: 15 +lockoutbadcount: 3 +resetlockoutcount: 15 +passwordhistorysize: 24 +maximumpasswordage: 60 +minimumpasswordage: 1 +minimumpasswordlength: 14 + +newadministratorname: renamedadmin +newguestname: renamedguest + +legalnoticetext: | + You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. 
+
+ By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+ -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+ -At any time, the USG may inspect and seize data stored on this IS.
+
+ -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+ -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.
+
+app_maxsize: 32768
+sec_maxsize: 196608
+sys_maxsize: 32768
+
+
+legalnoticecaption: "DoD Notice and Consent Banner"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..6e8efd4
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: reboot_windows
+ win_reboot:
+ reboot_timeout: 3600
diff --git a/manifest.txt b/manifest.txt
new file mode 100644
index 0000000..9d6e0e5
--- /dev/null
+++ b/manifest.txt
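Review bot: The header comment above the `rule_*` block says the variables "correspond with the STIG IDs defined in the STIG" and work "in coordination with the cat1, cat2, cat3 group variables", but this file defines no `cat*` variables and the IDs are CIS benchmark numbers; the only group toggles in the hunk are `section01_patch` through `section19_patch`. Replace it with `# These variables correspond to the CIS benchmark rule IDs and let you enable/disable individual rules.` followed by `# A rule only takes effect when the matching sectionNN_patch toggle above is also enabled.` Further down, `pass_age: 60` and `maximumpasswordage: 60` appear to express the same control (1.1.2) twice with no comment on which one the tasks read, so changing one would silently diverge from the other — worth a `# keep in sync with maximumpasswordage` note or consolidating, though the task files are outside this diff. `newadministratorname: renamedadmin` and `newguestname: renamedguest` are published defaults, so every deployment that does not override them ends up with the same well-known names; a `# override per deployment` comment on those two lines would make that expectation explicit.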
@@ -0,0 +1,567 @@ + +1.1 +1.1.1 - L1 Ensure Enforce password history is set to 24 or more passwords +1.1.2 - L1 Ensure Maximum password age is set to 60 or fewer days but not 0 +1.1.3 - L1 Ensure Minimum password age is set to 1 or more days +1.1.4 - L1 Ensure Minimum password length is set to 14 or more characters +1.1.5 - L1 Ensure Password must meet complexity requirements is set to Enabled +1.1.6 - L1 Ensure Store passwords using reversible encryption is set to Disabled + +1.2 +1.2.1 - L1 Ensure Account lockout duration is set to 15 or more minutes +1.2.2 - L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0 +1.2.3 - L1 Ensure Reset account lockout counter after is set to 15 or more minutes + +17.1 +17.1.1 - L1 Ensure Audit Credential Validation is set to Success and Failure + +17.2 +17.2.1 - L1 Ensure Audit Application Group Management is set to Success and Failure +17.2.2 - L1 Ensure Audit Computer Account Management is set to Success and Failure +17.2.3 - L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only +17.2.4 - L1 Ensure Audit Other Account Management Events is set to Success and Failure +17.2.5 - L1 Ensure Audit Security Group Management is set to Success and Failure +17.2.6 - L1 Ensure Audit User Account Management is set to Success and Failure + +17.3 +17.3.1 - L1 Ensure Audit PNP Activity is set to Success +17.3.2 - L1 Ensure Audit Process Creation is set to Success + +17.4 +17.4.1 - L1 Ensure Audit Directory Service Access is set to Success and Failure DC only +17.4.2 - L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only + +17.5 +17.5.1 - L1 Ensure Audit Account Lockout is set to Success and Failure +17.5.2 - L1 Ensure Audit Group Membership is set to Success +17.5.3 - L1 Ensure Audit Logoff is set to Success +17.5.4 - L1 Ensure Audit Logon is set to Success and Failure +17.5.5 - L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure 
+17.5.6 - L1 Ensure Audit Special Logon is set to Success + +17.6 +17.6.1 - L1 Ensure Audit Other Object Access Events is set to Success and Failure +17.6.2 - L1 Ensure Audit Removable Storage is set to Success and Failure + +17.7 +17.7.1 - L1 Ensure Audit Audit Policy Change is set to Success and Failure +17.7.2 - L1 Ensure Audit Authentication Policy Change is set to Success +17.7.3 - L1 Ensure Audit Authorization Policy Change is set to Success + +17.8 +17.8.1 - L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure + +17.9 +17.9.1 - L1 Ensure Audit IPsec Driver is set to Success and Failure +17.9.2 - L1 Ensure Audit Other System Events is set to Success and Failure +17.9.3 - L1 Ensure Audit Security State Change is set to Success +17.9.4 - L1 Ensure Audit Security System Extension is set to Success and Failure +17.9.5 - L1 Ensure Audit System Integrity is set to Success and Failure + +18.1 +18.1.3 - L2 Ensure Allow Online Tips is set to Disabled + +18.1.1 +18.1.1.1 - L1 Ensure Prevent enabling lock screen camera is set to Enabled +18.1.1.2 - L1 Ensure Prevent enabling lock screen slide show is set to Enabled + +18.1.2 +18.1.2.2 - L1 Ensure Allow input personalization is set to Disabled + +18.2 +18.2.1 - L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only +18.2.2 - L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only +18.2.3 - L1 Ensure Enable Local Admin Password Management is set to Enabled MS only +18.2.4 - L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only +18.2.5 - L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only +18.2.6 - L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only + +18.3 +18.3.1 - L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only +18.3.2 - L1 Ensure Configure SMB v1 client driver is set 
to Enabled Disable driver +18.3.3 - L1 Ensure Configure SMB v1 server is set to Disabled +18.3.4 - L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled +18.3.5 - L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled +18.3.6 - L1 Ensure WDigest Authentication is set to Disabled + +18.4 +18.4.1 - L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled +18.4.2 - L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled +18.4.3 - L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled +18.4.4 - L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled +18.4.5 - L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended +18.4.6 - L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled +18.4.7 - L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled +18.4.8 - L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled +18.4.9 - L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds +18.4.10 - L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3 +18.4.11 - L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3 +18.4.12 - L1 Ensure MSS WarningLevel Percentage threshold for the 
security event log at which the system will generate a warning is set to Enabled 90 or less + +18.5.4 +18.5.4.1 - L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only +18.5.4.2 - L1 Ensure Turn off multicast name resolution is set to Enabled MS Only + +18.5.5 +18.5.5.1 - L2 Ensure Enable Font Providers is set to Disabled + +18.5.8 +18.5.8.1 - L1 Ensure Enable insecure guest logons is set to Disabled + +18.5.9 +18.5.9.1 - L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled +18.5.9.2 - L2 Ensure Turn on Responder RSPNDR driver is set to Disabled + +18.5.10 +18.5.10.2 - L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled + +18.5.11 +18.5.11.2 - L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled +18.5.11.3 - L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled +18.5.11.4 - L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled + +18.5.14 +18.5.14.1 - L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares + +18.5.19.2 +18.5.19.2.1 - L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255 + +18.5.20 +18.5.20.1 - L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled +18.5.20.2 - L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled + +18.5.21 +18.5.21.1 - L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled +18.5.21.2 - L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only + +18.8.3 +18.8.3.1 - L1 Ensure Include command line in process creation events is set to Disabled + +18.8.4 +18.8.4.1 - L1 Ensure Remote host allows delegation of non-exportable 
credentials is set to Enabled + +18.8.5 +18.8.5.1 - NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only +18.8.5.2 - NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only +18.8.5.3 - NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only +18.8.5.4 - NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only +18.8.5.5 - NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only + +18.8.14 +18.8.14.1 - L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical + +18.8.21 +18.8.21.2 - L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE +18.8.21.3 - L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE +18.8.21.4 - L1 Ensure Continue experiences on this device is set to Disabled +18.8.21.5 - L1 Ensure Turn off background refresh of Group Policy is set to Disabled + +18.8.22.1 +18.8.22.1.1 - L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled +18.8.22.1.2 - L2 Ensure Turn off handwriting personalization data sharing is set to Enabled +18.8.22.1.3 - L2 Ensure Turn off handwriting recognition error reporting is set to Enabled +18.8.22.1.4 - L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled +18.8.22.1.5 - L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled +18.8.22.1.6 - L1 Ensure Turn off printing over HTTP is set to Enabled +18.8.22.1.7 - L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled +18.8.22.1.8 - L2 Ensure 
Turn off Search Companion content file updates is set to Enabled +18.8.22.1.9 - L2 Ensure Turn off the Order Prints picture task is set to Enabled +18.8.22.1.10 - L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled +18.8.22.1.11 - L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled +18.8.22.1.12 - L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled +18.8.22.1.13 - L2 Ensure Turn off Windows Error Reporting is set to Enabled + +18.8.25 +18.8.25.1 - L2 Ensure Support device authentication using certificate is set to Enabled Automatic + +18.8.26 +18.8.26.1 - L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled + +18.8.27 +18.8.27.1 - L1 Ensure Block user from showing account details on sign-in is set to Enabled +18.8.27.2 - L1 Ensure Do not display network selection UI is set to Enabled +18.8.27.3 - L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled +18.8.27.4 - L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only +18.8.27.5 - L1 Ensure Turn off app notifications on the lock screen is set to Enabled +18.8.27.6 - L1 Ensure Turn off picture password sign-in is set to Enabled +18.8.27.7 - L1 Ensure Turn on convenience PIN sign-in is set to Disabled + +18.8.28 +18.8.28.1 - L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events + +18.8.33.6 +18.8.33.6.1 - L2 Ensure Allow network connectivity during connected-standby on battery is set to Disabled +18.8.33.6.2 - L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled +18.8.33.6.3 - L1 Ensure Require a password when a computer wakes on battery is set to Enabled +18.8.33.6.4 - L1 Ensure Require a password when a computer wakes plugged in is set to Enabled + +18.8.35 +18.8.35.1 - L1 Ensure Configure Offer Remote Assistance is set to 
Disabled +18.8.35.2 - L1 Ensure Configure Solicited Remote Assistance is set to Disabled + +18.8.36 +18.8.36.1 - L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only +18.8.36.2 - L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only + +18.8.44.5 +18.8.44.5.1 - L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled + +18.8.44.11 +18.8.44.11.1 - L2 Ensure EnableDisable PerfTrack is set to Disabled + +18.8.46 +18.8.46.1 - L2 Ensure Turn off the advertising ID is set to Enabled + +18.8.49.1 +18.8.49.1.1 - L2 Ensure Enable Windows NTP Client is set to Enabled +18.8.49.1.2 - L2 Ensure Enable Windows NTP Server is set to Disabled MS only + +18.9.4 +18.9.4.1 - L2 Ensure Allow a Windows app to share application data between users is set to Disabled + +18.9.6 +18.9.6.1 - L1 Ensure Allow Microsoft accounts to be optional is set to Enabled + +18.9.8 +18.9.8.1 - L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled +18.9.8.2 - L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands +18.9.8.3 - L1 Ensure Turn off Autoplay is set to Enabled All drives + +18.9.10.1 +18.9.10.1.1 - L1 Ensure Configure enhanced anti-spoofing is set to Enabled + +18.9.12 +18.9.12.1 - L2 Ensure Allow Use of Camera is set to Disabled + +18.9.13 +18.9.13.1 - L1 Ensure Turn off Microsoft consumer experiences is set to Enabled + +18.9.14 +18.9.14.1 - L1 Ensure Require pin for pairing is set to Enabled + +18.9.15 +18.9.15.1 - L1 Ensure Do not display the password reveal button is set to Enabled +18.9.15.2 - L1 Ensure Enumerate administrator accounts on elevation is set to Disabled + +18.9.16 +18.9.16.1 - L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic +18.9.16.2 - L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set 
to Enabled Disable Authenticated Proxy usage +18.9.16.3 - L1 Ensure Disable pre-release features or settings is set to Disabled +18.9.16.4 - L1 Ensure Do not show feedback notifications is set to Enabled +18.9.16.5 - L1 Ensure Toggle user control over Insider builds is set to Disabled + +18.9.26.1 +18.9.26.1.1 - L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled +18.9.26.1.2 - L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater + +18.9.26.2 +18.9.26.2.1 - L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled +18.9.26.2.2 - L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater + +18.9.26.3 +18.9.26.3.1 - L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled +18.9.26.3.2 - L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater + +18.9.26.4 +18.9.26.4.1 - L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled +18.9.26.4.2 - L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater + +18.9.30 +18.9.30.2 - L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled +18.9.30.3 - L1 Ensure Turn off heap termination on corruption is set to Disabled +18.9.30.4 - L1 Ensure Turn off shell protocol protected mode is set to Disabled + +18.9.39 +18.9.39.2 - L2 Ensure Turn off location is set to Enabled + +18.9.43 +18.9.43.1 - L2 Ensure Allow Message Service Cloud Sync is set to Disabled + +18.9.44 +18.9.44.1 - L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled + +18.9.52 +18.9.52.1 - L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled + +18.9.58.2 +18.9.58.2.2 - L1 Ensure Do not allow passwords to be saved is set to Enabled + +18.9.58.3.2 +18.9.58.3.2.1 
- L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled + +18.9.58.3.3 +18.9.58.3.3.1 - L2 Ensure Do not allow COM port redirection is set to Enabled +18.9.58.3.3.2 - L1 Ensure Do not allow drive redirection is set to Enabled +18.9.58.3.3.3 - L2 Ensure Do not allow LPT port redirection is set to Enabled +18.9.58.3.3.4 - L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled + +18.9.58.3.9 +18.9.58.3.9.1 - L1 Ensure Always prompt for password upon connection is set to Enabled +18.9.58.3.9.2 - L1 Ensure Require secure RPC communication is set to Enabled +18.9.58.3.9.3 - L1 Ensure Set client connection encryption level is set to Enabled High Level + +18.9.58.3.10 +18.9.58.3.10.1 - L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less +18.9.58.3.10.2 - L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute + +18.9.58.3.11 +18.9.58.3.11.1 - L1 Ensure Do not delete temp folders upon exit is set to Disabled +18.9.58.3.11.2 - L1 Ensure Do not use temporary folders per session is set to Disabled + +18.9.59 +18.9.59.1 - L1 Ensure Prevent downloading of enclosures is set to Enabled + +18.9.60 +18.9.60.2 - L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search +18.9.60.3 - L1 Ensure Allow indexing of encrypted files is set to Disabled + +18.9.65 +18.9.65.1 - L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled + +18.9.76 +18.9.76.14 - L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled + +18.9.76.3 +18.9.76.3.1 - L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled +18.9.76.3.2 - L2 Ensure Join Microsoft MAPS is set to Disabled + +18.9.76.7 +18.9.76.7.1 - L1 Ensure Turn on behavior monitoring is set to Enabled + +18.9.76.9 +18.9.76.9.1 - L2 Ensure Configure Watson events is set to Disabled + +18.9.76.10 +18.9.76.10.1 - L1 
Ensure Scan removable drives is set to Enabled +18.9.76.10.2 - L1 Ensure Turn on e-mail scanning is set to Enabled + +18.9.76.13.1 +18.9.76.13.1.1 - L1 Ensure Configure Attack Surface Reduction rules is set to Enabled +18.9.76.13.1.2 - L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured + +18.9.76.13.3 +18.9.76.13.3.1 - L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block + +18.9.79.1 +18.9.79.1.1 - L1 Ensure Prevent users from modifying settings is set to Enabled + +18.9.80.1 +18.9.80.1.1 - L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass + +18.9.84 +18.9.84.1 - L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled +18.9.84.2 - L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On + +18.9.85 +18.9.85.1 - L1 Ensure Allow user control over installs is set to Disabled +18.9.85.2 - L1 Ensure Always install with elevated privileges is set to Disabled +18.9.85.3 - L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled + +18.9.86 +18.9.86.1 - L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled + +18.9.95 +18.9.95.1 - L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled +18.9.95.2 - L1 Ensure Turn on PowerShell Transcription is set to Disabled + +18.9.97.1 +18.9.97.1.1 - L1 Ensure Allow Basic authentication is set to Disabled +18.9.97.1.2 - L1 Ensure Allow unencrypted traffic is set to Disabled +18.9.97.1.3 - L1 Ensure Disallow Digest authentication is set to Enabled + +18.9.97.2 +18.9.97.2.1 - L1 Ensure Allow Basic authentication is set to Disabled +18.9.97.2.2 - L2 Ensure Allow remote server management through WinRM is set to Disabled +18.9.97.2.3 - L1 Ensure Allow unencrypted traffic is set to Disabled +18.9.97.2.4 - L1 Ensure Disallow WinRM from 
storing RunAs credentials is set to Enabled + +18.9.98 +18.9.98.1 - L2 Ensure Allow Remote Shell Access is set to Disabled + +18.9.101 +18.9.101.2 - L1 Ensure Configure Automatic Updates is set to Enabled +18.9.101.3 - L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day +18.9.101.4 - L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled + +18.9.101.1 +18.9.101.1.1 - L1 Ensure Manage preview builds is set to Enabled Disable preview builds +18.9.101.1.2 - L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days +18.9.101.1.3 - L1 Ensure Select when Quality Updates are received is set to Enabled 0 days + +19.1.3 +19.1.3.1 - L1 Ensure Enable screen saver is set to Enabled +19.1.3.2 - L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr +19.1.3.3 - L1 Ensure Password protect the screen saver is set to Enabled +19.1.3.4 - L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0 + +19.5.1 +19.5.1.1 - L1 Ensure Turn off toast notifications on the lock screen is set to Enabled + +19.6.5.1 +19.6.5.1.1 - L2 Ensure Turn off Help Experience Improvement Program is set to Enabled + +19.7.4 +19.7.4.1 - L1 Ensure Do not preserve zone information in file attachments is set to Disabled +19.7.4.2 - L1 Ensure Notify antivirus programs when opening attachments is set to Enabled + +19.7.7 +19.7.7.1 - L1 Ensure Configure Windows spotlight on lock screen is set to Disabled +19.7.7.2 - L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled +19.7.7.3 - L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled +19.7.7.4 - L2 Ensure Turn off all Windows spotlight features is set to Enabled + +19.7.26 +19.7.26.1 - L1 Ensure Prevent users from sharing files within their profile. 
is set to Enabled + +19.7.40 +19.7.40.1 - L1 Ensure Always install with elevated privileges is set to Disabled + +19.7.44.2 +19.7.44.2.1 - L2 Ensure Prevent Codec Download is set to Enabled + +2.2 +2.2.1 - L1 Ensure Access Credential Manager as a trusted caller is set to No One +2.2.2 - L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only +2.2.3 - L1 Ensure Access this computer from the network is set to Administrators Authenticated Users MS only +2.2.4 - L1 Ensure Act as part of the operating system is set to No One +2.2.5 - L1 Ensure Add workstations to domain is set to Administrators DC only +2.2.6 - L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE +2.2.7 - L1 Ensure Allow log on locally is set to Administrators +2.2.8 - L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only +2.2.9 - L1 Ensure Allow log on through Remote Desktop Services is set to Administrators Remote Desktop Users MS only +2.2.10 - L1 Ensure Back up files and directories is set to Administrators +2.2.11 - L1 Ensure Change the system time is set to Administrators LOCAL SERVICE +2.2.12 - L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE +2.2.13 - L1 Ensure Create a pagefile is set to Administrators +2.2.14 - L1 Ensure Create a token object is set to No One +2.2.15 - L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE +2.2.16 - L1 Ensure Create permanent shared objects is set to No One +2.2.17 - L1 Ensure Create symbolic links is set to Administrators DC only +2.2.18 - L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only +2.2.19 - L1 Ensure Debug programs is set to Administrators +2.2.20 - L1 Ensure Deny access to this computer from the network is set to Guests DC only +2.2.21 - L1 Ensure Deny access to this computer from the 
network is set to Guests Local account and member of Administrators group MS only +2.2.22 - L1 Ensure Deny log on as a batch job to include Guests +2.2.23 - L1 Ensure Deny log on as a service to include Guests +2.2.24 - L1 Ensure Deny log on locally to include Guests +2.2.25 - L1 Ensure Deny log on through Remote Desktop Services is set to Guests DC only +2.2.26 - L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only +2.2.27 - L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only +2.2.28 - L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only +2.2.29 - L1 Ensure Force shutdown from a remote system is set to Administrators +2.2.30 - L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE +2.2.31 - L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only +2.2.32 - L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only +2.2.33 - L1 Ensure Increase scheduling priority is set to Administrators +2.2.34 - L1 Ensure Load and unload device drivers is set to Administrators +2.2.35 - L1 Ensure Lock pages in memory is set to No One +2.2.36 - L2 Ensure Log on as a batch job is set to Administrators DC Only +2.2.37 - L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only +2.2.38 - L1 Ensure Manage auditing and security log is set to Administrators MS only +2.2.39 - L1 Ensure Modify an object label is set to No One +2.2.40 - L1 Ensure Modify firmware environment values is set to Administrators +2.2.41 - L1 Ensure Perform volume maintenance tasks is set to Administrators +2.2.42 - L1 Ensure Profile single process is set to 
Administrators +2.2.43 - L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost +2.2.44 - L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE +2.2.45 - L1 Ensure Restore files and directories is set to Administrators +2.2.46 - L1 Ensure Shut down the system is set to Administrators +2.2.47 - L1 Ensure Synchronize directory service data is set to No One DC only +2.2.48 - L1 Ensure Take ownership of files or other objects is set to Administrators + +2.3.1 +2.3.1.1 - L1 Ensure Accounts Administrator account status is set to Disabled MS only +2.3.1.2 - L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts +2.3.1.3 - L1 Ensure Accounts Guest account status is set to Disabled MS only +2.3.1.4 - L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled +2.3.1.5 - L1 Configure Accounts Rename administrator account +2.3.1.6 - L1 Configure Accounts Rename guest account + +2.3.2 +2.3.2.1 - L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled +2.3.2.2 - L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled + +2.3.4 +2.3.4.1 - L1 Ensure Devices Allowed to format and eject removable media is set to Administrators +2.3.4.2 - L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled + +2.3.5 +2.3.5.1 - L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only +2.3.5.2 - L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only +2.3.5.3 - L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only + +2.3.6 +2.3.6.1 - L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled +2.3.6.2 - L1 Ensure Domain member Digitally encrypt secure 
channel data when possible is set to Enabled +2.3.6.3 - L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled +2.3.6.4 - L1 Ensure Domain member Disable machine account password changes is set to Disabled +2.3.6.5 - L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0 +2.3.6.6 - L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled + +2.3.7 +2.3.7.1 - L1 Ensure Interactive logon Do not display last user name is set to Enabled +2.3.7.2 - L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled +2.3.7.3 - L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0 +2.3.7.4 - L1 Configure Interactive logon Message text for users attempting to log on +2.3.7.5 - L1 Configure Interactive logon Message title for users attempting to log on +2.3.7.6 - L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only +2.3.7.7 - L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days +2.3.7.8 - L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only +2.3.7.9 - L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher + +2.3.8 +2.3.8.1 - L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled +2.3.8.2 - L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled +2.3.8.3 - L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled + +2.3.9 +2.3.9.1 - L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes but not 0 +2.3.9.2 - L1 Ensure Microsoft network server Digitally sign communications always is set to 
Enabled +2.3.9.3 - L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled +2.3.9.4 - L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled +2.3.9.5 - L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only + +2.3.10 +2.3.10.1 - L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled +2.3.10.2 - L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only +2.3.10.3 - L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only +2.3.10.4 - L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled +2.3.10.5 - L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled +2.3.10.6 - L1 Configure Network access Named Pipes that can be accessed anonymously DC only +2.3.10.7 - L1 Configure Network access Named Pipes that can be accessed anonymously MS only +2.3.10.8 - L1 Configure Network access Remotely accessible registry paths +2.3.10.9 - L1 Configure Network access Remotely accessible registry paths and sub-paths +2.3.10.10 - L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled +2.3.10.11 - L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only +2.3.10.12 - L1 Ensure Network access Shares that can be accessed anonymously is set to None +2.3.10.13 - L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves + +2.3.11 +2.3.11.1 - L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled +2.3.11.2 - L1 Ensure Network security Allow LocalSystem NULL session fallback is set to 
Disabled +2.3.11.3 - L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled +2.3.11.4 - L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types +2.3.11.5 - L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled +2.3.11.6 - L1 Ensure Network security Force logoff when logon hours expire is set to Enabled +2.3.11.7 - L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM +2.3.11.8 - L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher +2.3.11.9 - L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption +2.3.11.10 - L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption + +2.3.13 +2.3.13.1 - L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled + +2.3.15 +2.3.15.1 - L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled +2.3.15.2 - L1 Ensure System objects Strengthen default permissions of internal system objects e.g. 
Symbolic Links is set to Enabled
+
+2.3.17
+2.3.17.1 - L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled
+2.3.17.2 - L1 Ensure User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop is set to Disabled
+2.3.17.3 - L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop
+2.3.17.4 - L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests
+2.3.17.5 - L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled
+2.3.17.6 - L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled
+2.3.17.7 - L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled
+2.3.17.8 - L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled
+2.3.17.9 - L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled
\ No newline at end of file
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..9fbec02
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,22 @@
+---
+galaxy_info:
+ author: "Ryan Speelman"
+ description: "Ansible role to apply Windows Server 2016 CIS Benchmark"
+ company: "MindPoint Group"
+ license: MIT
+ min_ansible_version: 2.6
+
+ platforms:
+ - name: Windows Server
+ versions:
+ - 2016
+
+ galaxy_tags:
+ - system
+ - security
+ - cis
+ - hardening
+ - microsoft
+ - windows
+
+ dependencies: []
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..644ad68
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,8 @@
+---
+- hosts: all
+ vars:
+ is_container: false
+
+ roles:
+ - role: "{{ playbook_dir }}"
+ system_is_container: "{{ is_container | default(false) }}"
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..15aa8fd
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,61 @@
+---
+
+- name: Gather distribution info
+ setup:
+ gather_subset: distribution,!all,!min
+ when:
+ - ansible_distribution is not defined
+ tags:
+ - always
+
+- name: Check OS version and family
+ assert:
+ that:
+ - ansible_os_family == 'Windows'
+ - ansible_distribution | regex_search('(Microsoft Windows Server 2016)')
+ success_msg: "{{ ansible_distribution }} {{ ansible_distribution_major_version }} is the detected operating system."
+ fail_msg: "This role can only be run against Windows Server 2019 Editions. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
+ tags:
+ - always
+
+- name: Check ansible version
+ assert:
+ that: ansible_version.full is version_compare(min_ansible_version, '>=')
+ msg: You must use Ansible {{ min_ansible_version }} or greater
+ tags:
+ - always
+
+# - name: Include the preliminary tasks
+# include_tasks: prelim.yml
+# tags:
+# - prelim_tasks
+
+- name: Execute the section 1 tasks
+ import_tasks: section01.yml
+ when: section01_patch | bool
+ tags:
+ - section01
+
+- name: Execute the section 2 tasks
+ import_tasks: section02.yml
+ when: section02_patch | bool
+ tags:
+ - section02
+
+- name: Execute the section 17 tasks
+ import_tasks: section17.yml
+ when: section17_patch | bool
+ tags:
+ - section17
+
+- name: Execute the section 18 tasks
+ import_tasks: section18.yml
+ when: section18_patch | bool
+ tags:
+ - section18
+
+- name: Execute the section 19 tasks
+ import_tasks: section19.yml
+ when: section19_patch | bool
+ tags:
+ - section19
diff --git a/tasks/section01.yml b/tasks/section01.yml
new file mode 100644
index 0000000..ea51705
--- /dev/null
+++ b/tasks/section01.yml
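Review bot: In the "Check OS version and family" task the `fail_msg` names Windows Server 2019 while the `that:` list only accepts `Microsoft Windows Server 2016`, so a user on an unsupported host gets an error that contradicts the check; change it to `fail_msg: "This role can only be run against Windows Server 2016 Editions. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."`. The "Check ansible version" assert reads `min_ansible_version` as a play variable, but in this commit that name only appears under `galaxy_info` in meta/main.yml, which Ansible does not expose to tasks; unless defaults/main.yml (not in this diff) defines it, the assert fails on an undefined variable instead of reporting the version mismatch, so the value should be defined in role defaults or its origin documented next to the task. The `regex_search` filter yields the matched string or nothing, so the second condition works as a truthiness test, but `ansible_distribution is search('Windows Server 2016')` states the intent more directly.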
@@ -0,0 +1,195 @@
+---
+- name: "SCORED | 1.1.1 | AUDIT | L1 Ensure Enforce password history is set to 24 or more passwords"
+ assert:
+ that: passwordhistorysize | int is version('24', '>=')
+ fail_msg: "Password history must be configured to 24 passwords remembered and variable passwordhistorysize is set to {{ passwordhistorysize }}"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when: rule_1_1_1
+ tags:
+ - level1
+ - level2
+ - rule_1.1.1
+ - audit
+
+- name: "SCORED | 1.1.1 | PATCH | L1 Ensure Enforce password history is set to 24 or more passwords"
+ win_security_policy:
+ section: System Access
+ key: PasswordHistorySize
+ value: "{{ passwordhistorysize }}"
+ when: rule_1_1_1
+ tags:
+ - level1
+ - level2
+ - rule_1.1.1
+ - patch
+
+- name: "SCORED | 1.1.2 | AUDIT | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
+ assert:
+ that: maximumpasswordage | int is version('60', '<=')
+ fail_msg: "Maximum password age must be configured to 60 days or less and variable maximumpasswordage is set to {{ maximumpasswordage }}"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when: rule_1_1_2
+ tags:
+ - level1
+ - level2
+ - rule_1.1.2
+ - audit
+
+- name: "SCORED | 1.1.2 | PATCH | L1 Ensure Maximum password age is set to 60 or fewer days but not 0"
+ win_security_policy:
+ section: System Access
+ key: MaximumPasswordAge
+ value: "{{ maximumpasswordage }}"
+ when: rule_1_1_2
+ tags:
+ - level1
+ - level2
+ - rule_1.1.2
+ - patch
+
+- name: "SCORED | 1.1.3 | AUDIT | L1 Ensure Minimum password age is set to 1 or more days"
+ assert:
+ that: minimumpasswordage is version('1', '>=')
+ fail_msg: "Minimum password age must be configured to at least one day and variable minimumpasswordage is set to {{ minimumpasswordage }}"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when: rule_1_1_3
+ tags:
+ - level1
+ - level2
+ - rule_1.1.3
+ - audit
+
+- name: "SCORED | 1.1.3 | PATCH | L1 Ensure Minimum password age is set 
to 1 or more days"
+ win_security_policy:
+ section: System Access
+ key: MinimumPasswordAge
+ value: "{{ minimumpasswordage }}"
+ when: rule_1_1_3
+ tags:
+ - level1
+ - level2
+ - rule_1.1.3
+ - patch
+
+- name: "SCORED | 1.1.4 | AUDIT | L1 Ensure Minimum password length is set to 14 or more characters"
+ assert:
+ that: minimumpasswordlength is version('14', '>=')
+ fail_msg: "Minimum password length must be configured to 14 characters and variable minimumpasswordlength is set to {{ minimumpasswordlength }} characters"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when: rule_1_1_4
+ tags:
+ - level1
+ - level2
+ - rule_1.1.4
+ - audit
+
+- name: "SCORED | 1.1.4 | PATCH | L1 Ensure Minimum password length is set to 14 or more characters"
+ win_security_policy:
+ section: System Access
+ key: MinimumPasswordLength
+ value: "{{ minimumpasswordlength }}"
+ when: rule_1_1_4
+ tags:
+ - level1
+ - level2
+ - rule_1.1.4
+ - patch
+
+- name: "SCORED | 1.1.5 | PATCH | L1 Ensure Password must meet complexity requirements is set to Enabled"
+ win_security_policy:
+ section: System Access
+ key: PasswordComplexity
+ value: 1
+ when: rule_1_1_5
+ tags:
+ - level1
+ - level2
+ - rule_1.1.5
+ - patch
+
+- name: "SCORED | 1.1.6 | PATCH | L1 Ensure Store passwords using reversible encryption is set to Disabled"
+ win_security_policy:
+ section: System Access
+ key: ClearTextPassword
+ value: "0"
+ when: rule_1_1_6
+ tags:
+ - level1
+ - level2
+ - rule_1.1.6
+ - patch
+
+- name: "SCORED | 1.2.1 | AUDIT | L1 Ensure Account lockout duration is set to 15 or more minutes"
+ assert:
+ that: lockoutduration | int is version('15', '<=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when: rule_1_2_1
+ tags:
+ - level1
+ - level2
+ - rule_1.2.1
+ - audit
+
+- name: "SCORED | 1.2.1 | 
PATCH | L1 Ensure Account lockout duration is set to 15 or more minutes"
+ win_security_policy:
+ section: System Access
+ key: LockoutDuration
+ value: "{{ lockoutduration }}"
+ when:
+ - rule_1_2_1
+ - is_implemented #Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
+ tags:
+ - level1
+ - level2
+ - rule_1.2.1
+ - patch
+
+#This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
+- name: "SCORED | 1.2.2 | PATCH | L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0"
+ win_security_policy:
+ section: System Access
+ key: LockoutBadCount
+ value: "{{ lockoutbadcount }}"
+ when: rule_1_2_2
+ tags:
+ - level1
+ - level2
+ - rule_1.2.2
+ - patch
+
+- name: "SCORED | 1.2.3 | AUDIT | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
+ assert:
+ that: resetlockoutcount | int is version('15', '>=')
+ fail_msg: "Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater and variable resetlockoutcount is set to {{ resetlockoutcount }}"
+ register: result
+ changed_when: no
+ ignore_errors: yes
+ when: rule_1_2_3
+ tags:
+ - level1
+ - level2
+ - rule_1.2.3
+ - audit
+
+- name: "SCORED | 1.2.3 | PATCH | L1 Ensure Reset account lockout counter after is set to 15 or more minutes"
+ win_security_policy:
+ section: System Access
+ key: ResetLockoutCount
+ value: "{{ resetlockoutcount }}"
+ when: rule_1_2_3
+ tags:
+ - level1
+ - level2
+ - rule_1.2.3
+ - patch
diff --git a/tasks/section02.yml b/tasks/section02.yml
new file mode 100644
index 0000000..e605865
--- /dev/null
+++ b/tasks/section02.yml
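Review bot: The 1.2.1 audit compares in the wrong direction: `that: lockoutduration | int is version('15', '<=')` passes only for values of 15 or less, while the rule title and the 1.2.1 patch require 15 minutes or more, and its `fail_msg` was copied from 1.2.3 and talks about the bad logon counter being reset. Suggest `that: lockoutduration | int is version('15', '>=')` with `fail_msg: "Account lockout duration must be configured to 15 minutes or greater and variable lockoutduration is set to {{ lockoutduration }}"`. Relatedly, the 1.1.2 audit only enforces `<= 60` and never rejects `0`, which the title explicitly excludes, so a second condition such as `- maximumpasswordage | int is version('0', '>')` is needed, and the 1.1.3 and 1.1.4 asserts omit the `| int` cast that the other audits apply before `version`. Since every audit sets `ignore_errors: yes` and the registered `result` is not consumed anywhere in this hunk, a failed audit is visible only in the play output and never gates the matching patch; if that is intended, a short comment at the top of the file saying so would help readers.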
@@ -0,0 +1,1551 @@ +--- +- name: "SCORED | 2.2.1 | PATCH | L1 Ensure Access Credential Manager as a trusted caller is set to No One" + win_user_right: + name: SeTrustedCredManAccessPrivilege + users: + action: set + when: rule_2_2_1 + tags: + - level1 + - level2 + - rule_2.2.1 + - patch + +- name: "SCORED | 2.2.2 & 2.2.3 | PATCH | L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only" + win_user_right: + name: SeNetworkLogonRight + users: + - Administrators + - Authenticated Users + action: set + when: + - rule_2_2_2 or rule_2_2_3 + tags: + - rule_2.2.2 + - rule_2.2.3 + - patch + +- name: "SCORED | 2.2.4 | PATCH | L1 Ensure Act as part of the operating system is set to No One" + win_user_right: + name: SeTcbPrivilege + users: + action: set + when: rule_2_2_4 + tags: + - level1 + - level2 + - rule_2.2.4 + - patch + +- name: "SCORED | 2.2.5 | PATCH | L1 Ensure Add workstations to domain is set to Administrators DC only" + win_user_right: + name: SeMachineAccountPrivilege + users: Administrators + action: set + when: + - rule_2_2_5 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.5 + - patch + +- name: "SCORED | 2.2.6 | PATCH | L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE" + win_user_right: + name: SeIncreaseQuotaPrivilege + users: + - Administrators + - Local Service + - Network Service + action: set + when: rule_2_2_6 + tags: + - level1 + - level2 + - rule_2.2.6 + - patch + +- name: "SCORED | 2.2.7 | PATCH | L1 Ensure Allow log on locally is set to Administrators" + win_user_right: + name: SeInteractiveLogonRight + users: + - Administrators + action: set + when: rule_2_2_7 + tags: + - level1 + - level2 + - rule_2.2.7 + - patch + +- name: "SCORED | 2.2.8 & 2.2.9 | PATCH | L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only" + win_user_right: + name: 
SeRemoteInteractiveLogonRight + users: + - Administrators + - Remote Desktop Users + action: set + when: + - rule_2_2_8 or rule_2_2_9 + tags: + - rule_2.2.8 + - rule_2.2.9 + - patch + +- name: "SCORED | 2.2.10 | PATCH | L1 Ensure Back up files and directories is set to Administrators" + win_user_right: + name: SeBackupPrivilege + users: + - Administrators + action: set + when: rule_2_2_10 + tags: + - level1 + - level2 + - rule_2.2.10 + - patch + +- name: "SCORED | 2.2.11 | PATCH | L1 Ensure Change the system time is set to Administrators LOCAL SERVICE" + win_user_right: + name: SeSystemTimePrivilege + users: + - Administrators + - Local Service + action: set + when: rule_2_2_11 + tags: + - level1 + - level2 + - rule_2.2.11 + - patch + +- name: "SCORED | 2.2.12 | PATCH | L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE" + win_user_right: + name: SeTimeZonePrivilege + users: + - Administrators + - Local Service + action: set + when: rule_2_2_12 + tags: + - level1 + - level2 + - rule_2.2.12 + - patch + +- name: "SCORED | 2.2.13 | PATCH | L1 Ensure Create a pagefile is set to Administrators" + win_user_right: + name: SeCreatePagefilePrivilege + users: + - Administrators + action: set + when: rule_2_2_13 + tags: + - level1 + - level2 + - rule_2.2.13 + - patch + +- name: "SCORED | 2.2.14 | PATCH | L1 Ensure Create a token object is set to No One" + win_user_right: + name: SeCreateTokenPrivilege + users: + action: set + when: rule_2_2_14 + tags: + - level1 + - level2 + - rule_2.2.14 + - patch + +- name: "SCORED | 2.2.15 | PATCH | L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE" + win_user_right: + name: SeCreateGlobalPrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set + when: rule_2_2_15 + tags: + - level1 + - level2 + - rule_2.2.15 + - patch + +- name: "SCORED | 2.2.16 | PATCH | L1 Ensure Create permanent shared objects is set to No One" + win_user_right: 
+ name: SeCreatePermanentPrivilege + users: + action: set + when: rule_2_2_16 + tags: + - level1 + - level2 + - rule_2.2.16 + - patch + +- name: "SCORED | 2.2.17 | PATCH | L1 Ensure Create symbolic links is set to Administrators DC only" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + action: set + when: + - rule_2_2_17 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.17 + - patch + +- name: "SCORED | 2.2.18 | PATCH | L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only" + win_user_right: + name: SeCreateSymbolicLinkPrivilege + users: + - Administrators + - NT VIRTUAL MACHINE\Virtual Machines + action: set + when: + - rule_2_2_18 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.2.18 + - patch + +- name: "SCORED | 2.2.19 | PATCH | L1 Ensure Debug programs is set to Administrators" + win_user_right: + name: SeDebugPrivilege + users: + - Administrators + action: set + when: rule_2_2_19 + tags: + - level1 + - level2 + - rule_2.2.19 + - patch + + #Limiting hardening to only include the Guests group, since Local Account access will still be needed for non-domain-joined nodes +- name: "SCORED | 2.2.20 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests DC only" + win_user_right: + name: SeDenyNetworkLogonRight + users: + - Guests + action: set + when: + - rule_2_2_20 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.20 + - patch + +- name: "SCORED | 2.2.21 | PATCH | L1 Ensure Deny access to this computer from the network to include Guests Local account and member of Administrators group MS only" + win_user_right: + name: SeDenyNetworkLogonRight + users: + - Guests + #- Local Account + #- Administrators + action: set + when: + - rule_2_2_21 + - ansible_windows_domain_member + tags: + - level1 + - level2 + - rule_2.2.21 + - patch + +- name: "SCORED 
| 2.2.22 | PATCH | L1 Ensure Deny log on as a batch job to include Guests" + win_user_right: + name: SeDenyBatchLogonRight + users: + - Guests + action: set + when: rule_2_2_22 + tags: + - level1 + - level2 + - rule_2.2.22 + - patch + +- name: "SCORED | 2.2.23 | PATCH | L1 Ensure Deny log on as a service to include Guests" + win_user_right: + name: SeDenyServiceLogonRight + users: + - Guests + action: set + when: rule_2_2_23 + tags: + - level1 + - level2 + - rule_2.2.23 + - patch + +- name: "SCORED | 2.2.24 | PATCH | L1 Ensure Deny log on locally to include Guests" + win_user_right: + name: SeDenyInteractiveLogonRight + users: + - Guests + action: set + when: rule_2_2_24 + tags: + - level1 + - level2 + - rule_2.2.24 + - patch + +- name: "SCORED | 2.2.25 | PATCH | L1 Ensure Deny log on through Remote Desktop Services to include Guests DC only" + win_user_right: + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + #- Local Account + action: set + when: + - rule_2_2_25 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.25 + - patch + +- name: "SCORED | 2.2.26 | PATCH | L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only" + win_user_right: + name: SeDenyRemoteInteractiveLogonRight + users: + - Guests + #- Local Account + action: set + when: + - rule_2_2_26 + - ansible_windows_domain_member + tags: + - level1 + - level2 + - rule_2.2.26 + - patch + +- name: "SCORED | 2.2.27 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only" + win_user_right: + name: SeEnableDelegationPrivilege + users: Administrators + action: set + when: + - rule_2_2_27 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.27 + - patch + +- name: "SCORED | 2.2.28 | PATCH | L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only" + win_user_right: + name: SeEnableDelegationPrivilege + 
users: + action: set + when: + - rule_2_2_28 + - ansible_windows_domain_member + tags: + - level1 + - level2 + - rule_2.2.28 + - patch + +- name: "SCORED | 2.2.29 | PATCH | L1 Ensure Force shutdown from a remote system is set to Administrators" + win_user_right: + name: SeRemoteShutdownPrivilege + users: + - Administrators + action: set + when: rule_2_2_29 + tags: + - level1 + - level2 + - rule_2.2.29 + - patch + +- name: "SCORED | 2.2.30 | PATCH | L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE" + win_user_right: + name: SeAuditPrivilege + users: + - Local Service + - Network Service + action: set + when: rule_2_2_30 + tags: + - level1 + - level2 + - rule_2.2.30 + - patch + +- name: "SCORED | 2.2.31 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only" + win_user_right: + name: SeImpersonatePrivilege + users: + - Administrators + - Local Service + - Network Service + - Service + action: set + when: + - rule_2_2_31 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.31 + - patch + +- name: "SCORED | 2.2.32 | PATCH | L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only" + win_user_right: + name: SeImpersonatePrivilege + users: + - Administrators + - IIS_IUSRS + - Local Service + - Network Service + - Service + action: set + when: + - rule_2_2_32 + - ansible_windows_domain_member + tags: + - level1 + - level2 + - rule_2.2.32 + - patch + +- name: "SCORED | 2.2.33 | PATCH | L1 Ensure Increase scheduling priority is set to Administrators" + win_user_right: + name: SeIncreaseBasePriorityPrivilege + users: + - Administrators + action: set + when: rule_2_2_33 + tags: + - level1 + - level2 + - rule_2.2.33 + - patch + +- name: "SCORED | 2.2.34 | PATCH | L1 Ensure Load and unload 
device drivers is set to Administrators" + win_user_right: + name: SeLoadDriverPrivilege + users: + - Administrators + action: set + when: rule_2_2_34 + tags: + - level1 + - level2 + - rule_2.2.34 + - patch + +- name: "SCORED | 2.2.35 | PATCH | L1 Ensure Lock pages in memory is set to No One" + win_user_right: + name: SeLockMemoryPrivilege + users: + action: set + when: rule_2_2_35 + tags: + - level1 + - level2 + - rule_2.2.35 + - patch + +- name: "SCORED | 2.2.36 | PATCH | L2 Ensure Log on as a batch job is set to Administrators DC Only" + win_user_right: + name: SeBatchLogonRight + users: Administrators + action: set + when: + - rule_2_2_36 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.36 + - patch + +- name: "SCORED | 2.2.37 & 2.2.38 | PATCH | L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only" + win_user_right: + name: SeSecurityPrivilege + users: + - Administrators + action: set + when: + - rule_2_2_37 or rule_2_2_38 + tags: + - rule_2.2.37 + - rule_2.2.38 + - patch + +- name: "SCORED | 2.2.39 | PATCH | L1 Ensure Modify an object label is set to No One" + win_user_right: + name: SeReLabelPrivilege + users: + action: set + when: rule_2_2_39 + tags: + - level1 + - level2 + - rule_2.2.39 + - patch + +- name: "SCORED | 2.2.40 | PATCH | L1 Ensure Modify firmware environment values is set to Administrators" + win_user_right: + name: SeSystemEnvironmentPrivilege + users: + - Administrators + action: set + when: rule_2_2_40 + tags: + - level1 + - level2 + - rule_2.2.40 + - patch + +- name: "SCORED | 2.2.41 | PATCH | L1 Ensure Perform volume maintenance tasks is set to Administrators" + win_user_right: + name: SeManageVolumePrivilege + users: + - Administrators + action: set + when: rule_2_2_41 + tags: + - level1 + - level2 + - rule_2.2.41 + - patch + +- name: "SCORED | 2.2.42 | PATCH | L1 Ensure Profile single process is set to 
Administrators" + win_user_right: + name: SeProfileSingleProcessPrivilege + users: + - Administrators + action: set + when: rule_2_2_42 + tags: + - level1 + - level2 + - rule_2.2.42 + - patch + +- name: "SCORED | 2.2.43 | PATCH | L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost" + win_user_right: + name: SeSystemProfilePrivilege + users: + - Administrators + - NT SERVICE\WdiServiceHost + action: set + when: rule_2_2_43 + tags: + - level1 + - level2 + - rule_2.2.43 + - patch + +- name: "SCORED | 2.2.44 | PATCH | L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE" + win_user_right: + name: SeAssignPrimaryTokenPrivilege + users: + - LOCAL SERVICE + - NETWORK SERVICE + action: set + when: rule_2_2_44 + tags: + - level1 + - level2 + - rule_2.2.44 + - patch + +- name: "SCORED | 2.2.45 | PATCH | L1 Ensure Restore files and directories is set to Administrators" + win_user_right: + name: SeRestorePrivilege + users: + - Administrators + action: set + when: rule_2_2_45 + tags: + - level1 + - level2 + - rule_2.2.45 + - patch + +- name: "SCORED | 2.2.46 | PATCH | L1 Ensure Shut down the system is set to Administrators" + win_user_right: + name: SeShutdownPrivilege + users: + - Administrators + action: set + when: rule_2_2_46 + tags: + - level1 + - level2 + - rule_2.2.46 + - patch + +- name: "SCORED | 2.2.47 | PATCH | L1 Ensure Synchronize directory service data is set to No One DC only" + win_user_right: + name: SeSyncAgentPrivilege + users: + action: set + when: + - rule_2_2_47 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.2.47 + - patch + +- name: "SCORED | 2.2.48 | PATCH | L1 Ensure Take ownership of files or other objects is set to Administrators" + win_user_right: + name: SeTakeOwnershipPrivilege + users: + - Administrators + action: set + when: rule_2_2_48 + tags: + - level1 + - level2 + - rule_2.2.48 + - patch + +- name: "SCORED | 2.3.1.1 | PATCH | L1 Ensure Accounts 
Administrator account status is set to Disabled MS only" + win_security_policy: + section: System Access + key: EnableAdminAccount + value: 0 + when: + - rule_2_3_1_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.1.1 + - patch + +- name: "SCORED | 2.3.1.2 | PATCH | L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: NoConnectedUser + data: 3 + type: dword + when: rule_2_3_1_2 + tags: + - level1 + - level2 + - rule_2.3.1.2 + - patch + +- name: "SCORED | 2.3.1.3 | PATCH | L1 Ensure Accounts Guest account status is set to Disabled MS only" + win_security_policy: + section: System Access + key: EnableGuestAccount + value: 0 + when: rule_2_3_1_3 + tags: + - level1 + - level2 + - rule_2.3.1.3 + - patch + +- name: "SCORED | 2.3.1.4 | PATCH | L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: LimitBlankPasswordUse + data: 1 + type: dword + when: rule_2_3_1_4 + tags: + - level1 + - level2 + - rule_2.3.1.4 + - patch + +- name: "SCORED | 2.3.1.5 | PATCH | L1 Configure Accounts Rename administrator account" + win_security_policy: + section: System Access + key: newadministratorname + value: GeorgeSharp + when: rule_2_3_1_5 + tags: + - level1 + - level2 + - rule_2.3.1.5 + - patch + +- name: "SCORED | 2.3.1.6 | PATCH | L1 Configure Accounts Rename guest account" + win_security_policy: + section: System Access + key: NewGuestName + value: BobCooper + when: rule_2_3_1_6 + tags: + - level1 + - level2 + - rule_2.3.1.6 + - patch + +- name: "SCORED | 2.3.2.1 | PATCH | L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled" + win_regedit: + path: 
HKLM:\System\Currentcontrolset\Control\Lsa + name: SCENoApplyLegacyAuditPolicy + data: 1 + type: dword + when: rule_2_3_2_1 + tags: + - level1 + - level2 + - rule_2.3.2.1 + - patch + +- name: "SCORED | 2.3.2.2 | PATCH | L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: CrashOnAuditFail + data: 0 + type: dword + when: rule_2_3_2_2 + tags: + - level1 + - level2 + - rule_2.3.2.2 + - patch + +- name: "SCORED | 2.3.4.1 | PATCH | L1 Ensure Devices Allowed to format and eject removable media is set to Administrators" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: AllocateDASD + data: 0 + type: string + when: rule_2_3_4_1 + tags: + - level1 + - level2 + - rule_2.3.4.1 + - patch + +- name: "SCORED | 2.3.4.2 | PATCH | L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers + name: AddPrinterDrivers + data: 1 + type: dword + when: rule_2_3_4_2 + tags: + - level1 + - level2 + - rule_2.3.4.2 + - patch + +- name: "SCORED | 2.3.5.1 | PATCH | L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Control\Lsa + name: SubmitControl + data: 0 + type: dword + when: + - rule_2_3_5_1 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.5.1 + - patch + +- name: "SCORED | 2.3.5.2 | PATCH | L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\NTDS\Parameters + name: LDAPServerIntegrity + data: 2 + type: dword + when: + - rule_2_3_5_2 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.5.2 + - patch + +- name: "SCORED | 2.3.5.3 | PATCH 
| L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters + name: RefusePasswordChange + data: 0 + type: dword + when: + - rule_2_3_5_3 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.5.3 + - patch + +- name: "SCORED | 2.3.6.1 | PATCH | L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireSignOrSeal + data: 1 + type: dword + when: + - rule_2_3_6_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.1 + - patch + +- name: "SCORED | 2.3.6.2 | PATCH | L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: sealsecurechannel + data: 1 + type: dword + when: + - rule_2_3_6_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.2 + - patch + +- name: "SCORED | 2.3.6.3 | PATCH | L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: signsecurechannel + data: 1 + type: dword + when: + - rule_2_3_6_3 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.3 + - patch + +- name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: disablepasswordchange + data: 1 + type: dword + when: + - rule_2_3_6_4 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - 
rule_2.3.6.4 + - patch + +- name: "SCORED | 2.3.6.5 | PATCH | L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: MaximumPasswordAge + data: 30 + type: dword + when: + - rule_2_3_6_5 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.5 + - patch + +- name: "SCORED | 2.3.6.6 | PATCH | L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters + name: RequireStrongKey + data: 1 + type: dword + when: + - rule_2_3_6_6 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_2.3.6.6 + - patch + +- name: "SCORED | 2.3.7.1 | PATCH | L1 Ensure Interactive logon Dont display last signed-in is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DontDisplayLastUserName + data: 1 + type: dword + when: rule_2_3_7_1 + tags: + - level1 + - level2 + - rule_2.3.7.1 + - patch + +- name: "SCORED | 2.3.7.2 | PATCH | L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: DisableCAD + data: 0 + type: dword + when: rule_2_3_7_2 + tags: + - level1 + - level2 + - rule_2.3.7.2 + - patch + +- name: "SCORED | 2.3.7.3 | PATCH | L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: InactivityTimeoutSecs + data: 900 + type: dword + when: rule_2_3_7_3 + tags: + - level1 + - level2 + - rule_2.3.7.3 + - patch + +- name: "SCORED | 2.3.7.4 | PATCH | L1 Configure Interactive logon Message text for users attempting to log on" + win_regedit: + 
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeText + data: "{{ legalnoticetext }}" + type: string + when: rule_2_3_7_4 + tags: + - level1 + - level2 + - rule_2.3.7.4 + - patch + +- name: "SCORED | 2.3.7.5 | PATCH | L1 Configure Interactive logon Message title for users attempting to log on" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System + name: LegalNoticeCaption + data: "{{ legalnoticecaption }}" + type: string + when: rule_2_3_7_5 + tags: + - level1 + - level2 + - rule_2.3.7.5 + - patch + +- name: "SCORED | 2.3.7.6 | PATCH | L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: cachedlogonscount + data: 1 + type: string + when: rule_2_3_7_6 + tags: + - level2 + - rule_2.3.7.6 + - patch + +- name: "SCORED | 2.3.7.7 | PATCH | L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: PasswordExpiryWarning + data: 14 + type: dword + when: rule_2_3_7_7 + tags: + - level1 + - level2 + - rule_2.3.7.7 + - patch + +- name: "SCORED | 2.3.7.8 | PATCH | L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ForceUnlockLogon + data: 1 + type: dword + when: + - rule_2_3_7_8 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.7.8 + - patch + +- name: "SCORED | 2.3.7.9 | PATCH | L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: scremoveoption + data: 1 + 
type: string + when: rule_2_3_7_9 + tags: + - level1 + - level2 + - rule_2.3.7.9 + - patch + +- name: "SCORED | 2.3.8.1 | PATCH | L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: RequireSecuritySignature + data: 1 + type: dword + when: rule_2_3_8_1 + tags: + - level1 + - level2 + - rule_2.3.8.1 + - patch + +- name: "SCORED | 2.3.8.2 | PATCH | L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnableSecuritySignature + data: 1 + type: dword + when: rule_2_3_8_2 + tags: + - level1 + - level2 + - rule_2.3.8.2 + - patch + +- name: "SCORED | 2.3.8.3 | PATCH | L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters + name: EnablePlainTextPassword + data: 0 + type: dword + when: rule_2_3_8_3 + tags: + - level1 + - level2 + - rule_2.3.8.3 + - patch + +- name: "SCORED | 2.3.9.1 | PATCH | L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: autodisconnect + data: 15 + type: dword + when: rule_2_3_9_1 + tags: + - level1 + - level2 + - rule_2.3.9.1 + - patch + +- name: "SCORED | 2.3.9.2 | PATCH | L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: requiresecuritysignature + data: 1 + type: dword + when: rule_2_3_9_2 + tags: + - level1 + - level2 + - rule_2.3.9.2 + - patch + +- name: "SCORED | 2.3.9.3 | PATCH | L1 Ensure Microsoft network server Digitally 
sign communications if client agrees is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enablesecuritysignature + data: 1 + type: dword + when: rule_2_3_9_3 + tags: + - level1 + - level2 + - rule_2.3.9.3 + - patch + +- name: "SCORED | 2.3.9.4 | PATCH | L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: enableforcedlogoff + data: 1 + type: dword + when: rule_2_3_9_4 + tags: + - level1 + - level2 + - rule_2.3.9.4 + - patch + +- name: "SCORED | 2.3.9.5 | PATCH | L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: SMBServerNameHardeningLevel + data: 1 + type: dword + when: + - rule_2_3_9_5 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.9.5 + - patch + +- name: "SCORED | 2.3.10.1 | PATCH | L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled" + win_security_policy: + section: System Access + key: LSAAnonymousNameLookup + value: 0 + when: rule_2_3_10_1 + tags: + - level1 + - level2 + - rule_2.3.10.1 + - patch + +- name: "SCORED | 2.3.10.2 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: RestrictAnonymousSAM + data: 1 + type: dword + when: + - rule_2_3_10_2 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.10.2 + - patch + +- name: "SCORED | 2.3.10.3 | PATCH | L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: 
RestrictAnonymous + data: 1 + type: dword + when: + - rule_2_3_10_3 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.10.3 + - patch + +- name: "SCORED | 2.3.10.4 | PATCH | L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: DisableDomainCreds + data: 1 + type: dword + when: rule_2_3_10_4 + tags: + - level2 + - rule_2.3.10.4 + - patch + +- name: "SCORED | 2.3.10.5 | PATCH | L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Lsa + name: EveryoneIncludesAnonymous + data: 0 + type: dword + when: rule_2_3_10_5 + tags: + - level1 + - level2 + - rule_2.3.10.5 + - patch + +- name: "SCORED | 2.3.10.6 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously DC only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring + when: + - rule_2_3_10_6 + - ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_2.3.10.6 + - patch + +- name: "SCORED | 2.3.10.7 | PATCH | L1 Configure Network access Named Pipes that can be accessed anonymously MS only" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters + name: NullSessionPipes + data: "" + type: multistring + when: + - rule_2_3_10_7 + - ansible_windows_domain_role == "Member server" + tags: + - level1 + - level2 + - rule_2.3.10.7 + - patch + +- name: "SCORED | 2.3.10.8 | PATCH | L1 Configure Network access Remotely accessible registry paths" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths + name: "Machine" + data: ['System\CurrentControlSet\Control\ProductOptions', 'System\CurrentControlSet\Control\Server Applications', 
'Software\Microsoft\Windows NT\CurrentVersion']
+ type: multistring
+ when: rule_2_3_10_8
+ tags:
+ - level1
+ - level2
+ - rule_2.3.10.8
+ - patch
+
+- name: "SCORED | 2.3.10.9 | PATCH | L1 Configure Network access Remotely accessible registry paths and sub-paths"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
+ name: "Machine"
+ data: ['System\CurrentControlSet\Control\Print\Printers', 'System\CurrentControlSet\Services\Eventlog', 'Software\Microsoft\OLAP Server', 'Software\Microsoft\Windows NT\CurrentVersion\Print', 'Software\Microsoft\Windows NT\CurrentVersion\Windows', 'System\CurrentControlSet\Control\ContentIndex', 'System\CurrentControlSet\Control\Terminal Server', 'System\CurrentControlSet\Control\Terminal Server\UserConfig', 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration', 'Software\Microsoft\Windows NT\CurrentVersion\Perflib', 'System\CurrentControlSet\Services\WINS', 'System\CurrentControlSet\Services\CertSvc']
+ type: multistring
+ when: rule_2_3_10_9
+ tags:
+ - level1
+ - level2
+ - rule_2.3.10.9
+ - patch
+
+- name: "SCORED | 2.3.10.10 | PATCH | L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: RestrictNullSessAccess
+ data: 1
+ type: dword
+ when: rule_2_3_10_10
+ tags:
+ - level1
+ - level2
+ - rule_2.3.10.10
+ - patch
+
+- name: "SCORED | 2.3.10.11 | PATCH | L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators Remote Access Allow MS only"
+ win_regedit:
+ path: HKLM:\System\CurrentControlSet\Control\Lsa
+ name: RestrictRemoteSAM
+ data: "O:BAG:BAD:(A;;RC;;;BA)"
+ type: string
+ when: rule_2_3_10_11
+ tags:
+ - level1
+ - level2
+ - rule_2.3.10.11
+ - patch
+
+- name: "SCORED | 2.3.10.12 | PATCH | L1 Ensure Network access Shares that can be accessed anonymously is set to None"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
+ name: NullSessionShares
+ data: ""
+ type: multistring
+ when: rule_2_3_10_12
+ tags:
+ - level1
+ - level2
+ - rule_2.3.10.12
+ - patch
+
+- name: "SCORED | 2.3.10.13 | PATCH | L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: ForceGuest
+ data: 0
+ type: dword
+ when: rule_2_3_10_13
+ tags:
+ - level1
+ - level2
+ - rule_2.3.10.13
+ - patch
+
+- name: "SCORED | 2.3.11.1 | PATCH | L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: UseMachineId
+ data: 1
+ type: dword
+ when: rule_2_3_11_1
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.1
+ - patch
+
+- name: "SCORED | 2.3.11.2 | PATCH | L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
+ name: allownullsessionfallback
+ data: 0
+ type: dword
+ when: rule_2_3_11_2
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.2
+ - patch
+
+- name: "SCORED | 2.3.11.3 | PATCH | L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
+ name: AllowOnlineID
+ data: 0
+ type: dword
+ when: rule_2_3_11_3
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.3
+ - patch
+
+- name: "SCORED | 2.3.11.4 | PATCH | L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
+ name: SupportedEncryptionTypes
+ data: 2147483644
+ type: dword
+ when: rule_2_3_11_4
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.4
+ - patch
+
+- name: "SCORED | 2.3.11.5 | PATCH | L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: NoLMHash
+ data: 1
+ type: dword
+ when: rule_2_3_11_5
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.5
+ - patch
+
+- name: "SCORED | 2.3.11.6 | PATCH | L1 Ensure Network security Force logoff when logon hours expire is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
+ name: EnableForcedLogOff
+ data: 1
+ type: dword
+ when: rule_2_3_11_6
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.6
+ - patch
+
+- name: "SCORED | 2.3.11.7 | PATCH | L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM NTLM"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa
+ name: LMCompatibilityLevel
+ data: 5
+ type: dword
+ when: rule_2_3_11_7
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.7
+ - patch
+
+- name: "SCORED | 2.3.11.8 | PATCH | L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Services\Ldap
+ name: LDAPClientIntegrity
+ data: 1
+ type: dword
+ when: rule_2_3_11_8
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.8
+ - patch
+
+- name: "SCORED | 2.3.11.9 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC clients is set to Require NTLMv2 session security Require 128-bit encryption"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
+ name: NTLMMinClientSec
+ data: 537395200
+ type: dword
+ when: rule_2_3_11_9
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.9
+ - patch
+
+- name: "SCORED | 2.3.11.10 | PATCH | L1 Ensure Network security Minimum session security for NTLM SSP based including secure RPC servers is set to Require NTLMv2 session security Require 128-bit encryption"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
+ name: NTLMMinServerSec
+ data: 537395200
+ type: dword
+ when: rule_2_3_11_10
+ tags:
+ - level1
+ - level2
+ - rule_2.3.11.10
+ - patch
+
+- name: "SCORED | 2.3.13.1 | PATCH | L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: ShutdownWithoutLogon
+ data: 0
+ type: dword
+ when: rule_2_3_13_1
+ tags:
+ - level1
+ - level2
+ - rule_2.3.13.1
+ - patch
+
+- name: "SCORED | 2.3.15.1 | PATCH | L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel
+ name: ObCaseInsensitive
+ data: 1
+ type: dword
+ when: rule_2_3_15_1
+ tags:
+ - level1
+ - level2
+ - rule_2.3.15.1
+ - patch
+
+- name: "SCORED | 2.3.15.2 | PATCH | L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled"
+ win_regedit:
+ path: HKLM:\System\Currentcontrolset\Control\Session Manager
+ name: ProtectionMode
+ data: 1
+ type: dword
+ when: rule_2_3_15_2
+ tags:
+ - level1
+ - level2
+ - rule_2.3.15.2
+ - patch
+
+- name: "SCORED | 2.3.17.1 | PATCH | L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: FilterAdministratorToken
+ data: 1
+ type: dword
+ when: rule_2_3_17_1
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.1
+ - patch
+
+- name: "SCORED | 2.3.17.2 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: EnableUIADesktopToggle
+ data: 0
+ type: dword
+ when: rule_2_3_17_2
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.2
+ - patch
+
+- name: "SCORED | 2.3.17.3 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: ConsentPromptBehaviorAdmin
+ data: 2
+ type: dword
+ when: rule_2_3_17_3
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.3
+ - patch
+
+- name: "SCORED | 2.3.17.4 | PATCH | L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: ConsentPromptBehaviorUser
+ data: 0
+ type: dword
+ when: rule_2_3_17_4
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.4
+ - patch
+
+- name: "SCORED | 2.3.17.5 | PATCH | L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: EnableInstallerDetection
+ data: 1
+ type: dword
+ when: rule_2_3_17_5
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.5
+ - patch
+
+- name: "SCORED | 2.3.17.6 | PATCH | L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: EnableSecureUIAPaths
+ data: 1
+ type: dword
+ when: rule_2_3_17_6
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.6
+ - patch
+
+- name: "SCORED | 2.3.17.7 | PATCH | L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: EnableLUA
+ data: 1
+ type: dword
+ when: rule_2_3_17_7
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.7
+ - patch
+
+- name: "SCORED | 2.3.17.8 | PATCH | L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: PromptOnSecureDesktop
+ data: 1
+ type: dword
+ when: rule_2_3_17_8
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.8
+ - patch
+
+- name: "SCORED | 2.3.17.9 | PATCH | L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: EnableVirtualization
+ data: 1
+ type: dword
+ when: rule_2_3_17_9
+ tags:
+ - level1
+ - level2
+ - rule_2.3.17.9
+ - patch
+
+
diff --git a/tasks/section17.yml b/tasks/section17.yml
new file mode 100644
index 0000000..ab2d25b
--- /dev/null
+++ b/tasks/section17.yml
@@ -0,0 +1,765 @@
+---
+- name: "SCORED | 17.1.1 | AUDIT | L1 Ensure Audit Credential Validation is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_1_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_1_1
+ tags:
+ - level1
+ - level2
+ - rule_17.1.1
+ - audit
+
+- name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
+ when: "'Success' not in rule_17_1_1_audit.stdout"
+ changed_when: "'Success' not in rule_17_1_1_audit.stdout"
+
+ - name: "SCORED | 17.1.1 | PATCH | L1 Ensure Audit Credential Validation is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
+ when: "'Failure' not in rule_17_1_1_audit.stdout"
+ changed_when: "'Failure' not in rule_17_1_1_audit.stdout"
+ when:
+ - rule_17_1_1
+ - rule_17_1_1_audit is defined
+ - ansible_windows_domain_role == "Primary domain controller"
+ - "'Success' not in rule_17_1_1_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.1.1
+ - patch
+
+- name: "SCORED | 17.2.1 | AUDIT | L1 Ensure Audit Application Group Management is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_2_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_2_1
+ tags:
+ - level1
+ - level2
+ - rule_17.2.1
+ - audit
+
+- name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
+ when: "'Success' not in rule_17_2_1_audit.stdout"
+ changed_when: "'Success' not in rule_17_2_1_audit.stdout"
+
+ - name: "SCORED | 17.2.1 | PATCH | L1 Ensure Audit Application Group Management is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Security Group Management" /failure:enable
+ when: "'Failure' not in rule_17_2_1_audit.stdout"
+ changed_when: "'Failure' not in rule_17_2_1_audit.stdout"
+ when:
+ - rule_17_2_1
+ - rule_17_2_1_audit is defined
+ - ansible_windows_domain_role == "Primary domain controller"
+ - "'Success' not in rule_17_2_1_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.2.1
+ - patch
+
+- name: "SCORED | 17.2.2 | AUDIT | L1 Ensure Audit Computer Account Management is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Computer Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_2_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - rule_17_2_2
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_17.2.2
+ - audit
+
+- name: "SCORED | 17.2.2 | PATCH | L1 Ensure Audit Computer Account Management is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Computer Account Management" /success:enable
+ when:
+ - rule_17_2_2
+ - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_2_2_audit is defined
+ - "'Success' not in rule_17_2_2_audit.stdout"
+ changed_when: "'Success' not in rule_17_2_2_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.2.2
+ - patch
+
+- name: "SCORED | 17.2.3 | AUDIT | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only"
+ win_shell: AuditPol /get /subcategory:"Distribution Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_2_3_audit
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_2_3
+ tags:
+ - rule_17.2.3
+ - audit
+
+- name: "SCORED | 17.2.3 | PATCH | L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only"
+ win_shell: AuditPol /set /subcategory:"Distribution Group Management" /success:enable
+ when:
+ - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_2_3
+ - rule_17_2_3_audit is defined
+ - "'Success' not in rule_17_2_3_audit.stdout"
+ changed_when: "'Success' not in rule_17_2_3_audit.stdout"
+ tags:
+ - rule_17.2.3
+ - patch
+
+- name: "SCORED | 17.2.4 | AUDIT | L1 Ensure Audit Other Account Management Events is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Other Account Management Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_2_4_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_2_4
+ tags:
+ - level1
+ - level2
+ - rule_17.2.4
+ - audit
+
+- name: "SCORED | 17.2.4 | PATCH | L1 Ensure Audit Other Account Management Events is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Other Account Management Events" /success:enable
+ when:
+ - rule_17_2_4
+ - rule_17_2_4_audit is defined
+ - ansible_windows_domain_role == "Primary domain controller"
+ - "'Success' not in rule_17_2_4_audit.stdout"
+ changed_when: "'Success' not in rule_17_2_4_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.2.4
+ - patch
+
+- name: "SCORED | 17.2.5 | AUDIT | L1 Ensure Audit Security Group Management is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_2_5_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_2_5
+ tags:
+ - level1
+ - level2
+ - rule_17.2.5
+ - audit
+
+- name: "SCORED | 17.2.5 | PATCH | L1 Ensure Audit Security Group Management is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
+ when:
+ - rule_17_2_5
+ - rule_17_2_5_audit is defined
+ - "'Success' not in rule_17_2_5_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.2.5
+ - patch
+
+- name: "SCORED | 17.2.6 | AUDIT | L1 Ensure Audit User Account Management is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_2_6_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_2_6
+ tags:
+ - level1
+ - level2
+ - rule_17.2.6
+ - audit
+
+- name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable
+ when: "'Success' not in rule_17_2_6_audit.stdout"
+ changed_when: "'Success' not in rule_17_2_6_audit.stdout"
+
+ - name: "SCORED | 17.2.6 | PATCH | L1 Ensure Audit User Account Management is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
+ when: "'Failure' not in rule_17_2_6_audit.stdout"
+ changed_when: "'Failure' not in rule_17_2_6_audit.stdout"
+ when:
+ - rule_17_2_6
+ - rule_17_2_6_audit is defined
+ tags:
+ - level1
+ - level2
+ - rule_17.2.6
+ - patch
+
+- name: "SCORED | 17.3.1 | AUDIT | L1 Ensure Audit PNP Activity is set to Success"
+ win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_3_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_3_1
+ tags:
+ - level1
+ - level2
+ - rule_17.3.1
+ - audit
+
+- name: "SCORED | 17.3.1 | PATCH | L1 Ensure Audit PNP Activity is set to Success"
+ win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
+ changed_when: "'Success' not in rule_17_3_1_audit.stdout"
+ when:
+ - rule_17_3_1
+ - rule_17_3_1_audit is defined
+ - "'Success' not in rule_17_3_1_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.3.1
+ - patch
+
+- name: "SCORED | 17.3.2 | AUDIT | L1 Ensure Audit Process Creation is set to Success"
+ win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_3_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_3_2
+ tags:
+ - level1
+ - level2
+ - rule_17.3.2
+ - audit
+
+- name: "SCORED | 17.3.2 | PATCH | L1 Ensure Audit Process Creation is set to Success"
+ win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
+ changed_when: "'Success' not in rule_17_3_2_audit.stdout"
+ when:
+ - rule_17_3_2
+ - rule_17_3_2_audit is defined
+ - "'Success' not in rule_17_3_2_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.3.2
+ - patch
+
+- name: "SCORED | 17.4.1 | AUDIT | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only"
+ win_shell: AuditPol /get /subcategory:"Directory Service Access" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_4_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_4_1
+ tags:
+ - rule_17.4.1
+ - audit
+
+- name: "SCORED | 17.4.1 | PATCH | L1 Ensure Audit Directory Service Access is set to Success and Failure DC only"
+ win_shell: AuditPol /set /subcategory:"Directory Service Access" /success:enable
+ changed_when: "'Success' not in rule_17_4_1_audit.stdout"
+ when:
+ - rule_17_4_1
+ - rule_17_4_1_audit is defined
+ - "'Success' not in rule_17_4_1_audit.stdout"
+ tags:
+ - rule_17.4.1
+ - patch
+
+- name: "SCORED | 17.4.2 | AUDIT | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only"
+ win_shell: AuditPol /get /subcategory:"Directory Service Changes" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_4_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - rule_17_4_2
+ - ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - rule_17.4.2
+ - audit
+
+- name: "SCORED | 17.4.2 | PATCH | L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only"
+ win_shell: AuditPol /set /subcategory:"Directory Service Changes" /success:enable
+ changed_when: "'Success' not in rule_17_4_2_audit.stdout"
+ when:
+ - rule_17_4_2
+ - ansible_windows_domain_role == "Primary domain controller"
+ - rule_17_4_2_audit is defined
+ - "'Success' not in rule_17_4_2_audit.stdout"
+ tags:
+ - rule_17.4.2
+ - patch
+
+- name: "SCORED | 17.5.1 | AUDIT | L1 Ensure Audit Account Lockout is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_5_1
+ tags:
+ - level1
+ - level2
+ - rule_17.5.1
+ - audit
+
+- name: "SCORED | 17.5.1 | PATCH | L1 Ensure Audit Account Lockout is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Account Lockout" /success:enable
+ changed_when: "'Failure' not in rule_17_5_1_audit.stdout"
+ when:
+ - rule_17_5_1
+ - rule_17_5_1_audit is defined
+ - "'Failure' not in rule_17_5_1_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.5.1
+ - patch
+
+- name: "SCORED | 17.5.2 | AUDIT | L1 Ensure Audit Group Membership is set to Success"
+ win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_5_2
+ tags:
+ - level1
+ - level2
+ - rule_17.5.2
+ - audit
+
+- name: "SCORED | 17.5.2 | PATCH | L1 Ensure Audit Group Membership is set to Success"
+ win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
+ changed_when: "'Success' not in wn19_au_000170_audit.stdout"
+ when:
+ - rule_17_5_2
+ - wn19_au_000170_audit is defined
+ - "'Success' not in wn19_au_000170_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.5.2
+ - patch
+
+- name: "SCORED | 17.5.3 | AUDIT | L1 Ensure Audit Logoff is set to Success"
+ win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_3_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_5_3
+ tags:
+ - level1
+ - level2
+ - rule_17.5.3
+ - audit
+
+- name: "SCORED | 17.5.3 | PATCH | L1 Ensure Audit Logoff is set to Success"
+ win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
+ changed_when: "'Success' not in rule_17_5_3_audit.stdout"
+ when:
+ - rule_17_5_3
+ - rule_17_5_3_audit is defined
+ - "'Success' not in rule_17_5_3_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.5.3
+ - patch
+
+- name: "SCORED | 17.5.4 | AUDIT | L1 Ensure Audit Logon is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_4_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_5_4
+ tags:
+ - level1
+ - level2
+ - rule_17.5.4
+ - audit
+
+- name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Logon" /success:enable
+ changed_when: "'Success' not in rule_17_5_4_audit.stdout"
+ when:
+ - rule_17_5_4_audit is defined
+ - "'Failure' not in rule_17_5_4_audit.stdout"
+
+ - name: "SCORED | 17.5.4 | PATCH | L1 Ensure Audit Logon is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
+ changed_when: "'Failure' not in rule_17_5_4_audit.stdout"
+ when:
+ - rule_17_5_4_audit is defined
+ - "'Failure' not in rule_17_5_4_audit.stdout"
+ when: rule_17_5_4
+ tags:
+ - level1
+ - level2
+ - rule_17.5.4
+ - patch
+
+- name: "SCORED | 17.5.5 | AUDIT | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_5_audit
+ changed_when: no
+ ignore_errors: yes
+ when:
+ - rule_17_5_5
+ tags:
+ - level1
+ - level2
+ - rule_17.5.5
+ - audit
+
+- name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
+ changed_when: "'Success' not in rule_17_5_5_audit.stdout"
+ when:
+ - rule_17_5_5_audit is defined
+ - "'Success' not in rule_17_5_5_audit.stdout"
+
+ - name: "SCORED | 17.5.5 | PATCH | L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
+ changed_when: "'Failure' not in rule_17_5_5_audit.stdout"
+ when:
+ - rule_17_5_5_audit is defined
+ - "'Failure' not in rule_17_5_5_audit.stdout"
+ when:
+ - rule_17_5_5
+ tags:
+ - level1
+ - level2
+ - rule_17.5.5
+ - patch
+
+- name: "SCORED | 17.5.6 | AUDIT | L1 Ensure Audit Special Logon is set to Success"
+ win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_5_6_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_5_6
+ tags:
+ - level1
+ - level2
+ - rule_17.5.6
+ - audit
+
+- name: "SCORED | 17.5.6 | PATCH | L1 Ensure Audit Special Logon is set to Success"
+ win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
+ changed_when: "'Success' not in rule_17_5_6_audit.stdout"
+ when:
+ - rule_17_5_6
+ - rule_17_5_6_audit is defined
+ - "'Success' not in rule_17_5_6_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.5.6
+ - patch
+
+- name: "SCORED | 17.6.1 | PATCH | L1 Ensure Audit Other Object Access Events is set to Success and Failure"
+ win_audit_policy_system:
+ subcategory: Other Object Access Events
+ audit_type: success, failure
+ when: rule_17_6_1
+ tags:
+ - level1
+ - level2
+ - rule_17.6.1
+ - patch
+
+- name: "SCORED | 17.6.2 | AUDIT | L1 Ensure Audit Removable Storage is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_6_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_6_2
+ tags:
+ - level1
+ - level2
+ - rule_17.6.2
+ - audit
+
+- name: "SCORED | 17.6.2 | PATCH | L1 Ensure Audit Removable Storage is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
+ changed_when: "'Success' not in rule_17_6_2_audit.stdout"
+ when:
+ - rule_17_6_2
+ - rule_17_6_2_audit is defined
+ - "'Success' not in rule_17_6_2_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.6.2
+ - patch
+
+- name: "SCORED | 17.7.1 | AUDIT | L1 Ensure Audit Audit Policy Change is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_7_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_7_1
+ tags:
+ - level1
+ - level2
+ - rule_17.7.1
+ - audit
+
+- name: "SCORED | 17.7.1 | PATCH | L1 Ensure Audit Audit Policy Change is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
+ changed_when: "'Success' not in rule_17_7_1_audit.stdout"
+ when:
+ - rule_17_7_1
+ - rule_17_7_1_audit is defined
+ - "'Success' not in rule_17_7_1_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.7.1
+ - patch
+
+- name: "SCORED | 17.7.2 | AUDIT | L1 Ensure Audit Authentication Policy Change is set to Success"
+ win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_7_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_7_2
+ tags:
+ - level1
+ - level2
+ - rule_17.7.2
+ - audit
+
+- name: "SCORED | 17.7.2 | PATCH | L1 Ensure Audit Authentication Policy Change is set to Success"
+ win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
+ changed_when: "'Success' not in rule_17_7_2_audit.stdout"
+ when:
+ - rule_17_7_2
+ - rule_17_7_2_audit is defined
+ - "'Success' not in rule_17_7_2_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.7.2
+ - patch
+
+- name: "SCORED | 17.7.3 | AUDIT | L1 Ensure Audit Authorization Policy Change is set to Success"
+ win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_7_3_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_7_3
+ tags:
+ - level1
+ - level2
+ - rule_17.7.3
+ - audit
+
+- name: "SCORED | 17.7.3 | PATCH | L1 Ensure Audit Authorization Policy Change is set to Success"
+ win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
+ changed_when: "'Success' not in rule_17_7_3_audit.stdout"
+ when:
+ - rule_17_7_3
+ - rule_17_7_3_audit is defined
+ - "'Success' not in rule_17_7_3_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.7.3
+ - patch
+
+- name: "SCORED | 17.8.1 | AUDIT | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_8_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_8_1
+ tags:
+ - level1
+ - level2
+ - rule_17.8.1
+ - audit
+
+- name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
+ changed_when: "'Success' not in rule_17_8_1_audit.stdout"
+ when:
+ - rule_17_8_1_audit is defined
+ - "'Success' not in rule_17_8_1_audit.stdout"
+
+ - name: "SCORED | 17.8.1 | PATCH | L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
+ changed_when: "'Failure' not in rule_17_8_1_audit.stdout"
+ when:
+ - rule_17_8_1_audit is defined
+ - "'Failure' not in rule_17_8_1_audit.stdout"
+
+ when: rule_17_8_1
+ tags:
+ - level1
+ - level2
+ - rule_17.8.1
+ - patch
+
+- name: "SCORED | 17.9.1 | AUDIT | L1 Ensure Audit IPsec Driver is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_1_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_1
+ tags:
+ - level1
+ - level2
+ - rule_17.9.1
+ - audit
+
+- name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
+ changed_when: "'Success' not in rule_17_9_1_audit.stdout"
+ when:
+ - rule_17_9_1_audit is defined
+ - "'Success' not in rule_17_9_1_audit.stdout"
+ - name: "SCORED | 17.9.1 | PATCH | L1 Ensure Audit IPsec Driver is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_1_audit.stdout"
+ when:
+ - rule_17_9_1_audit is defined
+ - "'Failure' not in rule_17_9_1_audit.stdout"
+
+ when: rule_17_9_1
+ tags:
+ - level1
+ - level2
+ - rule_17.9.1
+ - patch
+
+- name: "SCORED | 17.9.2 | AUDIT | L1 Ensure Audit Other System Events is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_2_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_2
+ tags:
+ - level1
+ - level2
+ - rule_17.9.2
+ - audit
+
+- name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
+ changed_when: "'Success' not in rule_17_9_2_audit.stdout"
+ when:
+ - rule_17_9_2_audit is defined
+ - "'Success' not in rule_17_9_2_audit.stdout"
+ - name: "SCORED | 17.9.2 | PATCH | L1 Ensure Audit Other System Events is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_2_audit.stdout"
+ when:
+ - rule_17_9_2_audit is defined
+ - "'Failure' not in rule_17_9_2_audit.stdout"
+ when: rule_17_9_2
+ tags:
+ - level1
+ - level2
+ - rule_17.9.2
+ - patch
+
+- name: "SCORED | 17.9.3 | AUDIT | L1 Ensure Audit Security State Change is set to Success"
+ win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_3_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_3
+ tags:
+ - level1
+ - level2
+ - rule_17.9.3
+ - audit
+
+- name: "SCORED | 17.9.3 | PATCH | L1 Ensure Audit Security State Change is set to Success"
+ win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
+ changed_when: "'Success' not in rule_17_9_3_audit.stdout"
+ when:
+ - rule_17_9_3
+ - rule_17_9_3_audit is defined
+ - "'Success' not in rule_17_9_3_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.9.3
+ - patch
+
+- name: "SCORED | 17.9.4 | AUDIT | L1 Ensure Audit Security System Extension is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_4_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_4
+ tags:
+ - level1
+ - level2
+ - rule_17.9.4
+ - audit
+
+- name: "SCORED | 17.9.4 | PATCH | L1 Ensure Audit Security System Extension is set to Success and Failure"
+ win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
+ changed_when: "'Success' not in rule_17_9_4_audit.stdout"
+ when:
+ - rule_17_9_4
+ - rule_17_9_4_audit is defined
+ - "'Success' not in rule_17_9_4_audit.stdout"
+ tags:
+ - level1
+ - level2
+ - rule_17.9.4
+ - patch
+
+- name: "SCORED | 17.9.5 | AUDIT | L1 Ensure Audit System Integrity is set to Success and Failure"
+ win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
+ register: rule_17_9_5_audit
+ changed_when: no
+ ignore_errors: yes
+ when: rule_17_9_5
+ tags:
+ - level1
+ - level2
+ - rule_17.9.5
+ - audit
+
+- name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure"
+ block:
+ - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Success"
+ win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
+ changed_when: "'Success' not in rule_17_9_5_audit.stdout"
+ when:
+ - rule_17_9_5_audit is defined
+ - "'Success' not in rule_17_9_5_audit.stdout"
+
+ - name: "SCORED | 17.9.5 | PATCH | L1 Ensure Audit System Integrity is set to Success and Failure | Failure"
+ win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
+ changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
+ when:
+ - rule_17_9_5_audit is defined
+ - "'Failure' not in rule_17_9_5_audit.stdout"
+ when: rule_17_9_5
+ tags:
+ - level1
+ - level2
+ - rule_17.9.5
+ - patch
+
diff --git a/tasks/section18.yml b/tasks/section18.yml
new file mode 100644
index 0000000..98a58e8
--- /dev/null
+++ b/tasks/section18.yml
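Review bot: The 17.5.2 PATCH task conditions on `wn19_au_000170_audit`, but the audit task two entries above registers `rule_17_5_2_audit`, so `wn19_au_000170_audit is defined` is false and Group Membership auditing is never enabled unless that variable happens to be set elsewhere; the three lines should read `changed_when: "'Success' not in rule_17_5_2_audit.stdout"`, `- rule_17_5_2_audit is defined` and `- "'Success' not in rule_17_5_2_audit.stdout"`. The 17.2.1 tasks query and set subcategory `"Security Group Management"` while the rule title is Application Group Management, so the intended subcategory is never touched and 17.2.5 is duplicated. Most "Success and Failure" PATCH tasks in this hunk (17.2.2 through 17.2.5, 17.4.1, 17.4.2, 17.5.1, 17.6.2, 17.7.1, 17.9.4) only run `/success:enable`, so failure auditing is never switched on, and 17.5.1 and the 17.5.4 Success subtask check `'Failure'` before enabling success. The `win_audit_policy_system` module with `audit_type: success, failure`, as already used for 17.6.1, would make these tasks correct and idempotent without a separate audit-and-grep step.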
@@ -0,0 +1,2553 @@ +--- +#one of the settings in the file render the server unreachable from ansible with this message "the specified credentials were rejected by the server" +- name: "SCORED | 18.1.1.1 | PATCH | L1 Ensure Prevent enabling lock screen camera is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenCamera + data: 1 + type: dword + when: rule_18_1_1_1 + tags: + - level1 + - level2 + - rule_18.1.1.1 + - patch + +- name: "SCORED | 18.1.1.2 | PATCH | L1 Ensure Prevent enabling lock screen slide show is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Personalization + name: NoLockScreenSlideshow + data: 1 + type: dword + when: rule_18_1_1_2 + tags: + - level1 + - level2 + - rule_18.1.1.2 + - patch + +- name: "SCORED | 18.1.2.2 | AUDIT | L1 Ensure Allow input personalization is set to Disabled" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_1_2_2 + tags: + - level1 + - level2 + - rule_18.1.2.2 + - audit + +- name: "SCORED | 18.1.2.2 | PATCH | L1 Ensure Allow input personalization is set to Disabled" + command: "echo true" + when: + - is_implemented + - rule_18_1_2_2 + tags: + - level1 + - level2 + - rule_18.1.2.2 + - patch + +- name: "SCORED | 18.1.3 | AUDIT | L2 Ensure Allow Online Tips is set to Disabled" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_1_3 + tags: + - level2 + - rule_18.1.3 + - audit + +- name: "SCORED | 18.1.3 | PATCH | L2 Ensure Allow Online Tips is set to Disabled" + command: "echo true" + when: + - is_implemented + - rule_18_1_3 + tags: + - level2 + - rule_18.1.3 + - patch + +- name: "SCORED | 18.2.1 | AUDIT | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_2_1 
+ - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.1 + - audit + +- name: "SCORED | 18.2.1 | PATCH | L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only" + command: "echo true" + when: + - is_implemented + - rule_18_2_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.1 + - patch + +- name: "SCORED | 18.2.2 | AUDIT | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_2_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.2 + - audit + +- name: "SCORED | 18.2.2 | PATCH | L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only" + command: "echo true" + when: + - is_implemented + - rule_18_2_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.2 + - patch + +- name: "SCORED | 18.2.3 | AUDIT | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_2_3 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.3 + - audit + +- name: "SCORED | 18.2.3 | PATCH | L1 Ensure Enable Local Admin Password Management is set to Enabled MS only" + command: "echo true" + when: + - is_implemented + - rule_18_2_3 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.3 + - patch + +- name: "SCORED | 18.2.4 | AUDIT | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" + command: "echo true" + 
register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_2_4 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.4 + - audit + +- name: "SCORED | 18.2.4 | PATCH | L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only" + command: "echo true" + when: + - is_implemented + - rule_18_2_4 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.4 + - patch + +- name: "SCORED | 18.2.5 | AUDIT | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_2_5 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.5 + - audit + +- name: "SCORED | 18.2.5 | PATCH | L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only" + command: "echo true" + when: + - is_implemented + - rule_18_2_5 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.5 + - patch + +- name: "SCORED | 18.2.6 | AUDIT | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_2_6 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.6 + - audit + +- name: "SCORED | 18.2.6 | PATCH | L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only" + command: "echo true" + when: + - is_implemented + - rule_18_2_6 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.2.6 + - patch + +- name: "SCORED | 18.3.1 | AUDIT | L1 Ensure Apply UAC 
restrictions to local accounts on network logons is set to Enabled MS only" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_3_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.3.1 + - audit + +- name: "SCORED | 18.3.1 | PATCH | L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only" + command: "echo true" + when: + - is_implemented + - rule_18_3_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.3.1 + - patch + +- name: "SCORED | 18.3.2 | AUDIT | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_3_2 + tags: + - level1 + - level2 + - rule_18.3.2 + - audit + +- name: "SCORED | 18.3.2 | PATCH | L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver" + command: "echo true" + when: + - is_implemented + - rule_18_3_2 + tags: + - level1 + - level2 + - rule_18.3.2 + - patch + +- name: "SCORED | 18_3_3 | PATCH | L1 Ensure Configure SMB v1 server is set to Disabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters + name: SMB1 + data: 0 + type: dword + state: present + notify: reboot_windows + when: rule_18_3_3 + tags: + - level1 + - level2 + - rule_18.3.3 + - patch + +- name: "SCORED | 18_3_4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel + name: DisableExceptionChainValidation + data: 1 + type: dword + state: present + when: rule_18_3_4 + tags: + - level1 + - level2 + - rule_18.3.4 + - patch + +- name: "SCORED | 18.3.5 | AUDIT | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted 
Applications is set to Enabled" + command: "echo true" + register: result + changed_when: no + ignore_errors: yes + when: + - is_implemented + - rule_18_3_5 + tags: + - level1 + - level2 + - rule_18.3.5 + - audit + +- name: "SCORED | 18.3.5 | PATCH | L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled" + command: "echo true" + when: + - is_implemented + - rule_18_3_5 + tags: + - level1 + - level2 + - rule_18.3.5 + - patch + +- name: "SCORED | 18.3.6 | PATCH | L1 Ensure WDigest Authentication is set to Disabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest + state: present + value: UseLogonCredential + data: 0 + datatype: dword + when: rule_18_3_6 + tags: + - level1 + - level2 + - rule_18.3.6 + - patch + +- name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled" + win_regedit: + path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon + state: present + value: AutoAdminLogon + data: 0 + datatype: dword + when: rule_18_4_1 + tags: + - level1 + - level2 + - rule_18.4.1 + - patch + +- name: "SCORED | 18.4.2 | PATCH | L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters + state: present + value: DisableIPSourceRouting + data: 2 + datatype: dword + when: rule_18_4_2 + tags: + - level1 + - level2 + - rule_18.4.2 + - patch + +- name: "SCORED | 18.4.3 | PATCH | L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: DisableIPSourceRouting + data: 2 + datatype: dword + 
when: rule_18_4_3 + tags: + - level1 + - level2 + - rule_18.4.3 + - patch + +- name: "SCORED | 18.4.4 | PATCH | L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: EnableICMPRedirect + data: 0 + datatype: dword + when: rule_18_4_4 + tags: + - level1 + - level2 + - rule_18.4.4 + - patch + +- name: "SCORED | 18.4.5 | PATCH | L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended" + win_regedit: + path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters + state: present + value: KeepAliveTime + data: 300000 + datatype: dword + when: rule_18_4_5 + tags: + - level2 + - rule_18.4.5 + - patch + +- name: "SCORED | 18.4.6 | PATCH | L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters + state: present + name: NoNameReleaseOnDemand + data: 1 + type: dword + when: rule_18_4_6 + tags: + - level1 + - level2 + - rule_18.4.6 + - patch + +- name: "SCORED | 18.4.7 | PATCH | L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + state: present + name: PerformRouterDiscovery + data: 0 + type: dword + when: rule_18_4_7 + tags: + - level2 + - rule_18.4.7 + - patch + +- name: "SCORED | 18.4.8 | PATCH | L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled" + win_regedit: + path: HKLM:\System\Currentcontrolset\Control\Session Manager + name: SafeDllSearchMode + data: 1 + type: dword + state: present + when: rule_18_4_8 + tags: + - level1 + - level2 + - rule_18.4.8 + - patch + +- name: 
"SCORED | 18.4.9 | PATCH | L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds" + win_regedit: + path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon + name: ScreenSaverGracePeriod + data: 5 + type: string + state: present + when: rule_18_4_9 + tags: + - level1 + - level2 + - rule_18.4.9 + - patch + +- name: "SCORED | 18.4.10 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword + when: rule_18_4_10 + tags: + - level2 + - rule_18.4.10 + - patch + +- name: "SCORED | 18.4.11 | PATCH | L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters + name: TcpMaxDataRetransmissions + data: 3 + type: dword + when: rule_18_4_11 + tags: + - level2 + - rule_18.4.11 + - patch + +- name: "SCORED | 18.4.12 | PATCH | L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less" + win_regedit: + path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security + name: WarningLevel + data: 90 + type: dword + when: rule_18_4_12 + tags: + - level1 + - level2 + - rule_18.4.12 + - patch + + +- name: "SCORED | 18.5.4.1 | PATCH | L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters + name: NodeType + data: 2 + type: dword + when: + - rule_18_5_4_1 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.5.4.1 + - patch + +- name: "SCORED | 18.5.4.2 | PATCH | L1 Ensure Turn off 
multicast name resolution is set to Enabled MS Only" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient + name: EnableMulticast + data: 0 + type: dword + when: + - rule_18_5_4_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level1 + - level2 + - rule_18.5.4.2 + - patch + +- name: "SCORED | 18.5.5.1 | PATCH | L2 Ensure Enable Font Providers is set to Disabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableFontProviders + data: 0 + type: dword + when: rule_18_5_5_1 + tags: + - level2 + - rule_18.5.5.1 + - patch + +- name: "SCORED | 18.5.8.1 | PATCH | L1 Ensure Enable insecure guest logons is set to Disabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation + name: AllowInsecureGuestAuth + data: 0 + type: dword + when: rule_18_5_8_1 + tags: + - level1 + - level2 + - rule_18.5.8.1 + - patch + +- name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled" + block: + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOndomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowLLTDIOOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableLLTDIO + data: 0 + type: dword + + - name: "SCORED | 18.5.9.1 | PATCH | L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: 
ProhibitLLTDIOOnPrivateNet + data: 0 + type: dword + when: rule_18_5_9_1 + tags: + - level2 + - rule_18.5.9.1 + - patch + +- name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled" + block: + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnDomain + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: AllowRspndrOnPublicNet + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: EnableRspndr + data: 0 + type: dword + + - name: "SCORED | 18.5.9.2 | PATCH | L2 Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Lltd + name: ProhibitRspndrOnPrivateNet + data: 0 + type: dword + when: rule_18_5_9_2 + tags: + - level2 + - rule_18.5.9.2 + - patch + +- name: "SCORED | 18.5.10.2 | PATCH | L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Peernet + name: Disabled + data: 1 + type: dword + when: rule_18_5_10_2 + tags: + - level2 + - rule_18.5.10.2 + - patch + +- name: "SCORED | 18.5.11.2 | PATCH | L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_AllowNetBridge_NLA + data: 0 + type: dword + when: rule_18_5_11_2 + tags: + - level1 + - level2 + - rule_18.5.11.2 + - patch + +- name: "SCORED | 18.5.11.3 | 
PATCH | L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections + name: NC_ShowSharedAccessUI + data: 0 + type: dword + when: rule_18_5_11_3 + tags: + - level1 + - level2 + - rule_18.5.11.3 + - patch + +- name: "SCORED | 18.5.11.4 | PATCH | L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections + name: NC_StdDomainUserSetLocation + data: 1 + type: dword + when: rule_18_5_11_4 + tags: + - level1 + - level2 + - rule_18.5.11.4 + - patch + +- name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares" + block: + - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\NETLOGON" + data: "RequireMutualAuthentication=1, RequireIntegrity=1" + type: string + - name: "SCORED | 18.5.14.1 | PATCH | L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths + name: "\\\\*\\SYSVOL" + data: "RequireMutualAuthentication=1, RequireIntegrity=1" + type: string + when: rule_18_5_14_1 + tags: + - level1 + - level2 + - rule_18.5.14.1 + - patch + +- name: "SCORED | 18.5.19.2.1 | PATCH | L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255" + win_regedit: + path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters + name: DisabledComponents + data: 255 + type: dword + when: rule_18_5_19_2_1 + tags: + - 
level2 + - rule_18.5.19.2.1 + - patch + +- name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled" + block: + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: EnableRegistrars + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableUPnPRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableInBand802DOT11Registrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableFlashConfigRegistrar + data: 0 + type: dword + + - name: "SCORED | 18.5.20.1 | PATCH | L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars + name: DisableWPDRegistrar + data: 0 + type: dword + when: rule_18_5_20_1 + tags: + - level2 + - rule_18.5.20.1 + - patch + +- name: "SCORED | 18.5.20.2 | PATCH | L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui + name: DisableWcnUi + data: 1 + type: dword + when: rule_18_5_20_2 + tags: + - level2 + 
- rule_18.5.20.2 + - patch + +- name: "SCORED | 18.5.21.1 | PATCH | L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fMinimizeConnections + data: 1 + type: dword + when: rule_18_5_21_1 + tags: + - level1 + - level2 + - rule_18.5.21.1 + - patch + +- name: "SCORED | 18.5.21.2 | PATCH | L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy + name: fBlockNonDomain + data: 1 + type: dword + when: + - rule_18_5_21_2 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - level2 + - rule_18.5.21.2 + - patch + +- name: "SCORED | 18.8.3.1 | PATCH | L1 Ensure Include command line in process creation events is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit + name: ProcessCreationIncludeCmdLine_Enabled + data: 0 + type: dword + when: rule_18_8_3_1 + tags: + - level1 + - level2 + - rule_18.8.3.1 + - patch + + +- name: "SCORED | 18.8.4.1 | PATCH | L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation + name: AllowProtectedCreds + data: 1 + type: dword + when: rule_18_8_4_1 + tags: + - level1 + - level2 + - rule_18.8.4.1 + - patch + +- name: "SCORED | 18.8.5.1 | PATCH | NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: EnableVirtualizationBasedSecurity + data: 1 + type: dword + when: + - rule_18_8_5_1 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.1 + - patch + +- name: "SCORED | 18.8.5.2 | PATCH | NG Ensure Turn On Virtualization 
Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: RequirePlatformSecurityFeatures + data: 3 + type: dword + when: + - rule_18_8_5_2 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.2 + - patch + +- name: "SCORED | 18.8.5.3 | PATCH | NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HypervisorEnforcedCodeIntegrity + data: 1 + type: dword + when: + - rule_18_8_5_3 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.3 + - patch + +- name: "SCORED | 18.8.5.4 | PATCH | NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: HVCIMATRequired + data: 1 + type: dword + when: + - rule_18_8_5_4 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.4 + - patch + +- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 1 + type: dword + when: + - rule_18_8_5_5 + - not ansible_windows_domain_role == "Primary domain controller" + tags: + - rule_18.8.5.5 + - patch + +- name: "SCORED | 18.8.5.5 | PATCH | NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard + name: LsaCfgFlags + data: 1 + type: dword + when: + - rule_18_8_5_5 + - ansible_windows_domain_role == "Member server" + tags: + - rule_18.8.5.5 + - patch + +- name: 
"SCORED | 18.8.14.1 | PATCH | L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical" + win_regedit: + path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch + name: DriverLoadPolicy + data: 3 + type: dword + when: rule_18_8_14_1 + tags: + - level1 + - level2 + - rule_18.8.14.1 + - patch + +- name: "SCORED | 18.8.21.2 | PATCH | L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoBackgroundPolicy + data: 0 + type: dword + when: rule_18_8_21_2 + tags: + - level1 + - level2 + - rule_18.8.21.2 + - patch + +- name: "SCORED | 18.8.21.3 | PATCH | L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2} + name: NoGPOListChanges + data: 0 + type: dword + when: rule_18_8_21_3 + tags: + - level1 + - level2 + - rule_18.8.21.3 + - patch + +- name: "SCORED | 18.8.21.4 | PATCH | L1 Ensure Continue experiences on this device is set to Disabled" + win_regedit: + path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System + name: EnableCdp + data: 0 + type: dword + when: rule_18_8_21_4 + tags: + - level1 + - level2 + - rule_18.8.21.4 + - patch + +- name: "SCORED | 18.8.21.5 | PATCH | L1 Ensure Turn off background refresh of Group Policy is set to Disabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\DisableBkGndGroupPolicy + state: absent + delete_key: yes + when: rule_18_8_21_5 + tags: + - level1 + - level2 + - rule_18.8.21.5 + - patch + +- name: "SCORED | 18.8.22.1.1 | PATCH | L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled" + win_regedit: + path: 
HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableWebPnPDownload + data: 1 + type: dword + when: rule_18_8_22_1_1 + tags: + - level1 + - level2 + - rule_18.8.22.1.1 + - patch + +- name: "SCORED | 18.8.22.1.2 | PATCH | L2 Ensure Turn off handwriting personalization data sharing is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc + name: PreventHandwritingDataSharing + data: 1 + type: dword + when: rule_18_8_22_1_2 + tags: + - level2 + - rule_18.8.22.1.2 + - patch + +- name: "SCORED | 18.8.22.1.3 | PATCH | L2 Ensure Turn off handwriting recognition error reporting is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports + name: PreventHandwritingErrorReports + data: 1 + type: dword + when: rule_18_8_22_1_3 + tags: + - level2 + - rule_18.8.22.1.3 + - patch + +- name: "SCORED | 18.8.22.1.4 | PATCH | L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard + name: ExitOnMSICW + data: 1 + type: dword + when: rule_18_8_22_1_4 + tags: + - level2 + - rule_18.8.22.1.4 + - patch + +- name: "SCORED | 18.8.22.1.5 | PATCH | L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled" + win_regedit: + path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoWebServices + data: 1 + type: dword + when: rule_18_8_22_1_5 + tags: + - level1 + - level2 + - rule_18.8.22.1.5 + - patch + +- name: "SCORED | 18.8.22.1.6 | PATCH | L2 Ensure Turn off printing over HTTP is set to Enabled" + win_regedit: + path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers + name: DisableHTTPPrinting + data: 1 + type: dword + when: rule_18_8_22_1_6 + tags: + - level1 + - level2 + - rule_18.8.22.1.6 + - patch + +- name: "SCORED | 18.8.22.1.7 | PATCH | L2 Ensure Turn off Registration 
if URL connection is referring to Microsoft.com is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control
+ name: NoRegistration
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_7
+ tags:
+ - level2
+ - rule_18.8.22.1.7
+ - patch
+
+- name: "SCORED |18.8.22.1.8 | PATCH | L2 Ensure Turn off Search Companion content file updates is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Searchcompanion
+ name: DisableContentFileUpdates
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_8
+ tags:
+ - level2
+ - rule_18.8.22.1.8
+ - patch
+
+- name: "SCORED | 18.8.22.1.9 | PATCH | L2 Ensure Turn off the Order Prints picture task is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoOnlinePrintsWizard
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_9
+ tags:
+ - level2
+ - rule_18.8.22.1.9
+ - patch
+
+- name: "SCORED | 18.8.22.1.10 | PATCH | L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoPublishingWizard
+ data: 1
+ type: dword
+ when: rule_18_8_22_1_10
+ tags:
+ - level2
+ - rule_18.8.22.1.10
+ - patch
+
+- name: "SCORED | 18.8.22.1.11 | PATCH | L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Messenger\Client
+ name: CEIP
+ data: 2
+ type: dword
+ when: rule_18_8_22_1_11
+ tags:
+ - level2
+ - rule_18.8.22.1.11
+ - patch
+
+- name: "SCORED | 18.8.22.1.12 | PATCH | L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
+ name: CEIPEnable
+ data: 0
+ type: dword
+ when: rule_18_8_22_1_12
+ tags:
+ - level2
+ - rule_18.8.22.1.12
+ - patch
+
+- name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled"
+ block:
+ - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | Windows Error Reporting"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
+ name: Disabled
+ data: 1
+ type: dword
+ - name: "SCORED | 18.8.22.1.13 | PATCH | L2 Ensure Turn off Windows Error Reporting is set to Enabled | ErrorReporting"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
+ name: DoReport
+ data: 0
+ type: dword
+ when: rule_18_8_22_1_13
+ tags:
+ - level2
+ - rule_18.8.22.1.13
+ - patch
+
+- name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic"
+ block:
+ - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitBehavior"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ name: DevicePKInitBehavior
+ data: 0
+ type: dword
+ - name: "SCORED | 18.8.25.1 | PATCH | L2 Ensure Support device authentication using certificate is set to Enabled Automatic | DevicePKInitEnabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
+ name: DevicePKInitEnabled
+ data: 1
+ type: dword
+ when: rule_18_8_25_1
+ tags:
+ - level2
+ - rule_18.8.25.1
+ - patch
+
+- name: "SCORED | 18.8.26.1 | PATCH | L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Control Panel\International
+ name: BlockUserInputMethodsForSignIn
+ data: 1
+ type: dword
+ when: rule_18_8_26_1
+ tags:
+ - level2
+ - rule_18.8.26.1
+ - patch
+
+- name: "SCORED | 18.8.27.1 | PATCH | L1 Ensure Block user from showing account details on sign-in is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockUserFromShowingAccountDetailsOnSignin
+ data: 1
+ type: dword
+ when: rule_18_8_27_1
+ tags:
+ - level1
+ - level2
+ - rule_18.8.27.1
+ - patch
+
+- name: "SCORED | 18.8.27.2 | PATCH | L1 Ensure Do not display network selection UI is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontDisplayNetworkSelectionUI
+ data: 1
+ type: dword
+ when: rule_18_8_27_2
+ tags:
+ - level1
+ - level2
+ - rule_18.8.27.2
+ - patch
+
+- name: "SCORED | 18.8.27.3 | PATCH | L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DontEnumerateConnectedUsers
+ data: 1
+ type: dword
+ when: rule_18_8_27_3
+ tags:
+ - level1
+ - level2
+ - rule_18.8.27.3
+ - patch
+
+- name: "SCORED | 18.8.27.4 | PATCH | L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: EnumerateLocalUsers
+ data: 0
+ type: dword
+ when: rule_18_8_27_4
+ tags:
+ - level1
+ - level2
+ - rule_18.8.27.4
+ - patch
+
+- name: "SCORED | 18.8.27.5 | PATCH | L1 Ensure Turn off app notifications on the lock screen is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: DisableLockScreenAppNotifications
+ data: 1
+ type: dword
+ when: rule_18_8_27_5
+ tags:
+ - level1
+ - level2
+ - rule_18.8.27.5
+ - patch
+
+- name: "SCORED | 18.8.27.6 | PATCH | L1 Ensure Turn off picture password sign-in is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: BlockDomainPicturePassword
+ data: 1
+ type: dword
+ when: rule_18_8_27_6
+ tags:
+ - level1
+ - level2
+ - rule_18.8.27.6
+ - patch
+
+- name: "SCORED | 18.8.27.7 | PATCH | L1 Ensure Turn on convenience PIN sign-in is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: AllowDomainPINLogon
+ data: 0
+ type: dword
+ when: rule_18_8_27_7
+ tags:
+ - level1
+ - level2
+ - rule_18.8.27.7
+ - patch
+
+- name: "SCORED | | PATCH | L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows NT\MitigationOptions
+ name: MitigationOptions_FontBocking
+ data: 0
+ type: dword
+ when: rule_18_8_28_1
+ tags:
+ - level1
+ - level2
+ - rule_18.8.28.1
+ - patch
+
+- name: "SCORED | 18.8.33.6.2 | PATCH | L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9
+ name: ACSettingIndex
+ data: 0
+ type: dword
+ when: rule_18_8_33_6_2
+ tags:
+ - level2
+ - rule_18.8.33.6.2
+ - patch
+
+- name: "SCORED | 18.8.33.6.3 | PATCH | L1 Ensure Require a password when a computer wakes on battery is set to Enabled"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: DCSettingIndex
+ data: 1
+ type: dword
+ when: rule_18_8_33_6_3
+ tags:
+ - level1
+ - level2
+ - rule_18.8.33.6.3
+ - patch
+
+- name: "SCORED | 18.8.33.6.4 | PATCH | L1 Ensure Require a password when a computer wakes plugged in is set to Enabled"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51
+ name: ACSettingIndex
+ data: 1
+ type: dword
+ when: rule_18_8_33_6_4
+ tags:
+ - level1
+ - level2
+ - rule_18.8.33.6.4
+ - patch
+
+- name: "SCORED | 18.8.35.1 | PATCH | L1 Ensure Configure Offer Remote Assistance is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowUnsolicited
+ data: 0
+ type: dword
+ when: rule_18_8_35_1
+ tags:
+ - level1
+ - level2
+ - rule_18.8.35.1
+ - patch
+
+- name: "SCORED | 18.8.35.2 | PATCH | L1 Ensure Configure Solicited Remote Assistance is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fAllowToGetHelp
+ data: 0
+ type: dword
+ when: rule_18_8_35_2
+ tags:
+ - level1
+ - level2
+ - rule_18.8.35.2
+ - patch
+
+- name: "SCORED | 18.8.36.1 | PATCH | L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: EnableAuthEpResolution
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_36_1
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level1
+ - level2
+ - rule_18.8.36.1
+ - patch
+
+- name: "SCORED | 18.8.36.2 | PATCH | L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
+ name: RestrictRemoteClients
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_36_2
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level2
+ - rule_18.8.36.2
+ - patch
+
+- name: "SCORED | 18.8.44.5.1 | PATCH | L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
+ name: DisableQueryRemoteServer
+ data: 0
+ type: dword
+ when: rule_18_8_44_5_1
+ tags:
+ - level2
+ - rule_18.8.44.5.1
+ - patch
+
+- name: "SCORED | 18.8.44.11.1 | PATCH | L2 Ensure EnableDisable PerfTrack is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
+ name: ScenarioExecutionEnabled
+ data: 0
+ type: dword
+ when: rule_18_8_44_11_1
+ tags:
+ - level2
+ - rule_18.8.44.11.1
+ - patch
+
+- name: "SCORED | 18.8.46.1 | PATCH | L2 Ensure Turn off the advertising ID is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
+ name: DisabledByGroupPolicy
+ data: 1
+ type: dword
+ when: rule_18_8_46_1
+ tags:
+ - level2
+ - rule_18.8.46.1
+ - patch
+
+- name: "SCORED | 18.8.49.1.1 | PATCH | L2 Ensure Enable Windows NTP Client is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
+ name: Enabled
+ data: 1
+ type: dword
+ when: rule_18_8_49_1_1
+ tags:
+ - level2
+ - rule_18.8.49.1.1
+ - patch
+
+- name: "SCORED | 18.8.49.1.2 | PATCH | L2 Ensure Enable Windows NTP Server is set to Disabled MS only"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
+ name: Enabled
+ data: 1
+ type: dword
+ when:
+ - rule_18_8_49_1_2
+ - not ansible_windows_domain_role == "Primary domain controller"
+ tags:
+ - level2
+ - rule_18.8.49.1.2
+ - patch
+
+- name: "SCORED | 18.9.4.1 | PATCH | L2 Ensure Allow a Windows app to share application data between users is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
+ name: AllowSharedLocalAppData
+ data: 0
+ type: dword
+ when: rule_18_9_4_1
+ tags:
+ - level2
+ - rule_18.9.4.1
+ - patch
+
+- name: "SCORED | 18.9.6.1 | PATCH | L1 Ensure Allow Microsoft accounts to be optional is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: MSAOptional
+ data: 1
+ type: dword
+ when: rule_18_9_6_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.6.1
+ - patch
+
+- name: "SCORED | 18.9.8.1 | PATCH | L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ name: NoAutoplayfornonVolume
+ data: 1
+ type: dword
+ when: rule_18_9_8_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.8.1
+ - patch
+
+- name: "SCORED | 18.9.8.2 | PATCH | L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoAutorun
+ data: 1
+ type: dword
+ when: rule_18_9_8_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.8.2
+ - patch
+
+- name: "SCORED | 18.9.8.3 | PATCH | L1 Ensure Turn off Autoplay is set to Enabled All drives"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: NoDriveTypeAutoRun
+ data: 255
+ type: dword
+ when: rule_18_9_8_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.8.3
+ - patch
+
+- name: "SCORED | 18.9.10.1.1 | PATCH | L1 Ensure Configure enhanced anti-spoofing is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
+ name: EnhancedAntiSpoofing
+ data: 1
+ type: dword
+ when: rule_18_9_10_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.10.1.1
+ - patch
+
+- name: "SCORED | 18.9.12.1 | PATCH | L2 Ensure Allow Use of Camera is set to Disabled"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
+ name: AllowCamera
+ data: 1
+ type: dword
+ when: rule_18_9_12_1
+ tags:
+ - level2
+ - rule_18.9.12.1
+ - patch
+
+- name: "SCORED | 18.9.13.1 | PATCH | L1 Ensure Turn off Microsoft consumer experiences is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
+ name: DisableWindowsConsumerFeatures
+ data: 1
+ type: dword
+ when: rule_18_9_13_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.13.1
+ - patch
+
+- name: "SCORED | 18.9.14.1 | PATCH | L1 Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
+ name: RequirePinForPairing
+ data: 1
+ type: dword
+ when: rule_18_9_14_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.14.1
+ - patch
+
+- name: "SCORED | 18.9.15.1 | PATCH | L1 Ensure Do not display the password reveal button is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Credui
+ name: DisablePasswordReveal
+ data: 1
+ type: dword
+ when: rule_18_9_15_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.15.1
+ - patch
+
+- name: "SCORED | 18.9.15.2 | PATCH | L1 Ensure Enumerate administrator accounts on elevation is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
+ name: EnumerateAdministrators
+ data: 0
+ type: dword
+ when: rule_18_9_15_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.15.2
+ - patch
+
+- name: "SCORED | 18.9.16.1 | PATCH | L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+ name: AllowTelemetry
+ data: 0
+ type: dword
+ when: rule_18_9_16_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.16.1
+ - patch
+
+- name: "SCORED | 18.9.16.2 | PATCH | L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+ name: DisableEnterpriseAuthProxy
+ data: 0
+ type: dword
+ when: rule_18_9_16_2
+ tags:
+ - level2
+ - rule_18.9.16.2
+ - patch
+
+- name: "SCORED | 18.9.16.3 | PATCH | L1 Ensure Disable pre-release features or settings is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\PreviewBuilds
+ name: EnableConfigFlighting
+ data: 01
+ type: dword
+ when: rule_18_9_16_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.16.3
+ - patch
+
+- name: "SCORED | 18.9.16.4 | PATCH | L1 Ensure Do not show feedback notifications is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
+ name: DoNotShowFeedbackNotifications
+ data: 1
+ type: dword
+ when: rule_18_9_16_4
+ tags:
+ - level1
+ - level2
+ - rule_18.9.16.4
+ - patch
+
+- name: "SCORED | 18.9.16.5 | PATCH | L1 Ensure Toggle user control over Insider builds is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
+ name: AllowBuildPreview
+ data: 0
+ type: dword
+ when: rule_18_9_16_5
+ tags:
+ - level1
+ - level2
+ - rule_18.9.16.5
+ - patch
+
+- name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
+ name: Retention
+ data: 0
+ type: dword
+ when: rule_18_9_26_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.1.1
+ - patch
+
+- name: "SCORED | 18.9.26.1.2 | PATCH | L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
+ name: MaxSize
+ data: 65538
+ type: dword
+ when: rule_18_9_26_1_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.1.2
+ - patch
+
+- name: "SCORED | 18.9.26.2.1 | PATCH | L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+ name: Retention
+ data: 0
+ type: string
+ when: rule_18_9_26_2_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.2.1
+ - patch
+
+- name: "SCORED | 18.9.26.2.2 | PATCH | L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
+ name: MaxSize
+ data: 196608
+ type: dword
+ when: rule_18_9_26_2_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.2.2
+ - patch
+
+- name: "SCORED | 18.9.26.3.1 | PATCH | L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
+ name: Retention
+ data: 0
+ type: string
+ when: rule_18_9_26_3_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.3.1
+ - patch
+
+- name: "SCORED | 18.9.26.3.2 | PATCH | L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
+ name: MaxSize
+ data: 32768
+ type: dword
+ when: rule_18_9_26_3_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.3.2
+ - patch
+
+- name: "SCORED | 18.9.26.4.1 | PATCH | L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+ name: Retention
+ data: 0
+ type: string
+ when: rule_18_9_26_4_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.4.1
+ - patch
+
+- name: "SCORED | 18.9.26.4.2 | PATCH | L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
+ name: MaxSize
+ data: 65538
+ type: dword
+ when: rule_18_9_26_4_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.26.4.2
+ - patch
+
+- name: "SCORED | 18.9.30.2 | PATCH | L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ name: NoDataExecutionPrevention
+ data: 0
+ type: dword
+ when: rule_18_9_30_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.30.2
+ - patch
+
+- name: "SCORED | 18.9.30.3 | PATCH | L1 Ensure Turn off heap termination on corruption is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
+ name: NoHeapTerminationOnCorruption
+ data: 0
+ type: dword
+ when: rule_18_9_30_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.30.3
+ - patch
+
+- name: "SCORED | 18.9.30.4 | PATCH | L1 Ensure Turn off shell protocol protected mode is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
+ name: PreXPSP2ShellProtocolBehavior
+ data: 0
+ type: dword
+ when: rule_18_9_30_4
+ tags:
+ - level1
+ - level2
+ - rule_18.9.30.4
+ - patch
+
+- name: "SCORED | 18.9.39.2 | PATCH | L2 Ensure Turn off location is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
+ name: DisableLocation
+ data: 1
+ type: dword
+ when: rule_18_9_39_2
+ tags:
+ - level2
+ - rule_18.9.39.2
+ - patch
+
+- name: "SCORED | 18.9.43.1 | PATCH | L2 Ensure Allow Message Service Cloud Sync is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
+ name: AllowMessageSync
+ data: 0
+ type: dword
+ when: rule_18_9_43_1
+ tags:
+ - level2
+ - rule_18.9.43.1
+ - patch
+
+- name: "SCORED | 18.9.44.1 | PATCH | L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
+ name: DisableUserAuth
+ data: 1
+ type: dword
+ when: rule_18_9_44_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.44.1
+ - patch
+
+- name: "SCORED | 18.9.52.1 | PATCH | L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
+ name: DisableFileSyncNGSC
+ data: 1
+ type: dword
+ when: rule_18_9_52_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.52.1
+ - patch
+
+- name: "SCORED | 18.9.58.2.2 | PATCH | L1 Ensure Do not allow passwords to be saved is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: DisablePasswordSaving
+ data: 1
+ type: dword
+ when: rule_18_9_58_2_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.2.2
+ - patch
+
+- name: "SCORED | 18.9.58.3.2.1 | PATCH | L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fSingleSessionPerUser
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_2_1
+ tags:
+ - level2
+ - rule_18.9.58.3.2.1
+ - patch
+
+- name: "SCORED | 18.9.58.3.3.1 | PATCH | L2 Ensure Do not allow COM port redirection is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fDisableCcm
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_3_1
+ tags:
+ - level2
+ - rule_18.9.58.3.3.1
+ - patch
+
+- name: "SCORED | 18.9.58.3.3.2 | PATCH | L1 Ensure Do not allow drive redirection is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fDisableCdm
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_3_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.3.3.2
+ - patch
+
+- name: "SCORED | 18.9.58.3.3.3 | PATCH | L2 Ensure Do not allow LPT port redirection is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fDisableLPT
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_3_3
+ tags:
+ - level2
+ - rule_18.9.58.3.3.3
+ - patch
+
+- name: "SCORED | 18.9.58.3.3.4 | PATCH | L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fDisablePNPRedir
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_3_4
+ tags:
+ - level2
+ - rule_18.9.58.3.3.4
+ - patch
+
+- name: "SCORED | 18.9.58.3.9.1 | PATCH | L1 Ensure Always prompt for password upon connection is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fPromptForPassword
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_9_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.3.9.1
+ - patch
+
+- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: fEncryptRPCTraffic
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_9_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.3.9.2
+ - audit
+
+- name: "SCORED | 18.9.58.3.9.2 | PATCH | L1 Ensure Require secure RPC communication is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
+ name: fEncryptRPCTraffic
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_9_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.3.9.2
+ - patch
+
+- name: "SCORED | 18.9.58.3.9.3 | PATCH | L1 Ensure Set client connection encryption level is set to Enabled High Level"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: MinEncryptionLevel
+ data: 3
+ type: dword
+ when: rule_18_9_58_3_9_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.3.9.3
+ - patch
+
+- name: "SCORED | 18.9.58.3.10.1 | PATCH | L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: MaxIdleTime
+ data: 3600000
+ type: dword
+ when: rule_18_9_58_3_10_1
+ tags:
+ - level2
+ - rule_18.9.58.3.10.1
+ - patch
+
+- name: "SCORED | 18.9.58.3.10.2 | PATCH | L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: MaxDisconnectionTime
+ data: 28800000
+ type: dword
+ when: rule_18_9_58_3_10_2
+ tags:
+ - level2
+ - rule_18.9.58.3.10.2
+ - patch
+
+- name: "SCORED | 18.9.58.3.11.1 | PATCH | L1 Ensure Do not delete temp folders upon exit is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: DeleteTempDirsOnExit
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_11_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.3.11.1
+ - patch
+
+- name: "SCORED | 18.9.58.3.11.2 | PATCH | L1 Ensure Do not use temporary folders per session is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
+ name: PerSessionTempDir
+ data: 1
+ type: dword
+ when: rule_18_9_58_3_11_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.58.3.11.2
+ - patch
+
+- name: "SCORED | 18.9.59.1 | PATCH | L1 Ensure Prevent downloading of enclosures is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
+ name: DisableEnclosureDownload
+ data: 1
+ type: dword
+ when: rule_18_9_59_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.59.1
+ - patch
+
+- name: "SCORED | 18.9.60.2 | PATCH | L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
+ name: AllowCloudSearch
+ data: 0
+ type: dword
+ when: rule_18_9_60_2
+ tags:
+ - level2
+ - rule_18.9.60.2
+ - patch
+
+- name: "SCORED | 18.9.60.3 | PATCH | L1 Ensure Allow indexing of encrypted files is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
+ name: AllowIndexingEncryptedStoresOrItems
+ data: 0
+ type: dword
+ when: rule_18_9_60_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.60.3
+ - patch
+
+- name: "SCORED | 18.9.65.1 | PATCH | L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
+ name: NoGenTicket
+ data: 1
+ type: dword
+ when: rule_18_9_65_1
+ tags:
+ - level2
+ - rule_18.9.65.1
+ - patch
+
+- name: "SCORED | 18.9.76.3.1 | PATCH | L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
+ name: LocalSettingOverrideSpynetReporting
+ data: 0
+ type: dword
+ when: rule_18_9_76_3_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.3.1
+ - patch
+
+- name: "SCORED | 18.9.76.3.2 | PATCH | L2 Ensure Join Microsoft MAPS is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
+ name: SpynetReporting
+ data: 0
+ type: dword
+ when: rule_18_9_76_3_2
+ tags:
+ - level2
+ - rule_18.9.76.3.2
+ - patch
+
+- name: "SCORED | 18.9.76.7.1 | PATCH | L1 Ensure Turn on behavior monitoring is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
+ name: DisableBehaviorMonitoring
+ data: 0
+ type: dword
+ when: rule_18_9_76_7_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.7.1
+ - patch
+
+- name: "SCORED | 18.9.76.9.1 | PATCH | L2 Ensure Configure Watson events is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
+ name: DisableGenericRePorts
+ data: 1
+ type: dword
+ when: rule_18_9_76_9_1
+ tags:
+ - level2
+ - rule_18.9.76.9.1
+ - patch
+
+- name: "SCORED | 18.9.76.10.1 | PATCH | L1 Ensure Scan removable drives is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
+ name: DisableRemovableDriveScanning
+ data: 0
+ type: dword
+ when: rule_18_9_76_10_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.10.1
+ - patch
+
+- name: "SCORED | 18.9.76.10.2 | PATCH | L1 Ensure Turn on e-mail scanning is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
+ name: DisableEmailScanning
+ data: 0
+ type: dword
+ when: rule_18_9_76_10_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.10.2
+ - patch
+
+- name: "SCORED | 18.9.76.13.1.1 | PATCH | L1 Ensure Configure Attack Surface Reduction rules is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
+ name: ExploitGuard_ASR_Rules
+ data: 1
+ type: dword
+ when: rule_18_9_76_13_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.13.1.1
+ - patch
+
+- name: "SCORED | 18.9.76.13.1.2 | PATCH | L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
+ name: "{{ item }}"
+ data: 1
+ type: string # aka REG_SZ
+ loop:
+ - 26190899-1602-49e8-8b27-eb1d0a1ce869
+ - 3b576869-a4ec-4529-8536-b80a7769e899
+ - 5beb7efe-fd9a-4556-801d-275e5ffc04cc
+ - 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
+ - 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
+ - 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
+ - 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
+ - b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
+ - be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
+ - d3e037e1-3eb8-44c8-a917-57927947596d
+ - d4f940ab-401b-4efc-aadc-ad5f3c50688a
+ when: rule_18_9_76_13_1_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.13.1.2
+ - patch
+
+- name: "SCORED | 18.9.76.13.3.1 | PATCH | L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
+ name: ExploitGuard_ASR_Rules
+ data: 1
+ type: dword
+ when: rule_18_9_76_13_3_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.13.3.1
+ - patch
+
+- name: "SCORED | 18.9.76.14 | PATCH | L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender
+ name: DisableAntiSpyware
+ data: 0
+ type: dword
+ when: rule_18_9_76_14
+ tags:
+ - level1
+ - level2
+ - rule_18.9.76.14
+ - patch
+
+- name: "SCORED | 18.9.79.1.1 | PATCH | L1 Ensure Prevent users from modifying settings is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
+ name: DisallowExploitProtectionOverride
+ data: 1
+ type: dword
+ when: rule_18_9_79_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.79.1.1
+ - patch
+
+- name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass"
+ block:
+ - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: EnableSmartScreen
+ data: 1
+ type: dword
+ - name: "SCORED | 18.9.80.1.1 | PATCH | L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\System
+ name: ShellSmartScreenLevel
+ data: Block
+ type: string
+ when: rule_18_9_80_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.80.1.1
+ - patch
+
+- name: "SCORED | 18.9.84.1 | PATCH | L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace
+ name: AllowSuggestedAppsInWindowsInkWorkspace
+ data: 0
+ type: dword
+ when: rule_18_9_84_1
+ tags:
+ - level2
+ - rule_18.9.84.1
+ - patch
+
+- name: "SCORED | 18.9.84.2 | PATCH | L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace
+ name: AllowWindowsInkWorkspace
+ data: 1
+ type: dword
+ when: rule_18_9_84_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.84.2
+ - patch
+
+- name: "SCORED | 18.9.85.1 | PATCH | L1 Ensure Allow user control over installs is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: EnableUserControl
+ data: 0
+ type: dword
+ when: rule_18_9_85_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.85.1
+ - patch
+
+- name: "SCORED | 18.9.85.2 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: AlwaysInstallElevated
+ data: 0
+ type: dword
+ when: rule_18_9_85_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.85.2
+ - patch
+
+- name: "SCORED | 18.9.85.3 | PATCH | L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Installer
+ name: SafeForScripting
+ data: 0
+ type: dword
+ when: rule_18_9_85_3
+ tags:
+ - level2
+ - rule_18.9.85.3
+ - patch
+
+- name: "SCORED | 18.9.86.1 | PATCH | L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
+ name: DisableAutomaticRestartSignOn
+ data: 1
+ type: dword
+ when: rule_18_9_86_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.86.1
+ - patch
+
+- name: "SCORED | 18.9.95.1 | PATCH | L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
+ name: EnableScriptBlockLogging
+ data: 1
+ type: dword
+ when: rule_18_9_95_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.95.1
+ - patch
+
+- name: "SCORED | 18.9.95.2 | PATCH | L1 Ensure Turn on PowerShell Transcription is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
+ name: EnableTranscripting
+ data: 1
+ type: dword
+ when: rule_18_9_95_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.95.2
+ - patch
+
+- name: "SCORED | 18.9.97.1.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
+ name: AllowBasic
+ data: 0
+ type: dword
+ when: rule_18_9_97_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.97.1.1
+ - patch
+
+- name: "SCORED | 18.9.97.1.2 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
+ name: AllowUnencryptedTraffic
+ data: 0
+ type: dword
+ when: rule_18_9_97_1_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.97.1.2
+ - patch
+
+- name: "SCORED | 18.9.97.1.3 | PATCH | L1 Ensure Disallow Digest authentication is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
+ name: AllowDigest
+ data: 0
+ type: dword
+ when: rule_18_9_97_1_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.97.1.3
+ - patch
+
+- name: "SCORED | 18.9.97.2.1 | PATCH | L1 Ensure Allow Basic authentication is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ name: AllowBasic
+ data: 0
+ type: dword
+ when: rule_18_9_97_2_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.97.2.1
+ - patch
+
+#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
+- name: "SCORED | 18.9.97.2.2 | PATCH | L2 Ensure Allow remote server management through WinRM is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ name: AllowAutoConfig
+ data: 1
+ type: dword
+ when:
+ - rule_18_9_97_2_2
+ - is_implemented
+ tags:
+ - level2
+ - rule_18.9.97.2.2
+ - patch
+
+- name: "SCORED | 18.9.97.2.3 | PATCH | L1 Ensure Allow unencrypted traffic is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ name: AllowUnencryptedTraffic
+ data: 0
+ type: dword
+ when: rule_18_9_97_2_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.97.2.3
+ - patch
+
+- name: "SCORED | 18.9.97.2.4 | PATCH | L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
+ name: DisableRunAs
+ data: 1
+ type: dword
+ when: rule_18_9_97_2_4
+ tags:
+ - level1
+ - level2
+ - rule_18.9.97.2.4
+ - patch
+
+#This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
+- name: "SCORED | 18.9.98.1 | PATCH | L2 Ensure Allow Remote Shell Access is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
+ name: AllowRemoteShellAccess
+ data: 1
+ type: dword
+ when:
+ - rule_18_9_98_1
+ - is_implemented
+ tags:
+ - level2
+ - rule_18.9.98.1
+ - patch
+
+- name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds"
+ block:
+ - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
+ name: ManagePreviewBuilds
+ data: 1
+ type: dword
+ - name: "SCORED | 18.9.101.1.1 | PATCH | L1 Ensure Manage preview builds is set to Enabled Disable preview builds | ManagePreviewBuilds"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
+ name: ManagePreviewBuildsPolicyValue
+ data: 0
+ type: dword
+ when: rule_18_9_101_1_1
+ tags:
+ - level1
+ - level2
+ - rule_18.9.101.1.1
+ - patch
+
+- name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days"
+ block:
+ - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdates"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
+ name: DeferFeatureUpdates
+ data: 1
+ type: dword
+ - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | DeferFeatureUpdatesPeriodInDays"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
+ name: DeferFeatureUpdatesPeriodInDays
+ data: 180
+ type: dword
+ - name: "SCORED | 18.9.101.1.2 | PATCH | L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days | BranchReadinessLevel"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
+ name: BranchReadinessLevel
+ data: 16
+ type: dword
+ when: rule_18_9_101_1_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.101.1.2
+ - patch
+
+- name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days"
+ block:
+ - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
+ name: DeferQualityUpdates
+ data: 1
+ type: dword
+ - name: "SCORED | 18.9.101.1.3 | PATCH | L1 Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays"
+ win_regedit:
+ path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
+ name: DeferQualityUpdatesPeriodInDays
+ data: 0
+ type: dword
+ when: rule_18_9_101_1_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.101.1.3
+ - patch
+
+- name: "SCORED | 18.9.101.2 | PATCH | L1 Ensure Configure Automatic Updates is set to Enabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
+ name: NoAutoUpdate
+ data: 0
+ type: dword
+ when: rule_18_9_101_2
+ tags:
+ - level1
+ - level2
+ - rule_18.9.101.2
+ - patch
+
+- name: "SCORED | 18.9.101.3 | PATCH | L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
+ name: ScheduledInstallDay
+ data: 0
+ type: dword
+ when: rule_18_9_101_3
+ tags:
+ - level1
+ - level2
+ - rule_18.9.101.3
+ - patch
+
+- name: "SCORED | 18.9.101.4 | PATCH | L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
+ win_regedit:
+ path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
+ name: NoAutoRebootWithLoggedOnUsers
+ data: 0
+ type: dword
+ when: rule_18_9_101_4
+ tags:
+ - level1
+ - level2
+ -
rule_18.9.101.4 + - patch + diff --git a/tasks/section19.yml b/tasks/section19.yml new file mode 100644 index 0000000..198b3fb --- /dev/null +++ b/tasks/section19.yml 
@@ -0,0 +1,312 @@ +--- +- name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + block: + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string + - name: "SCORED | 19.1.3.1 | PATCH | L1 Ensure Enable screen saver is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveActive + data: 1 + type: string + when: rule_19_1_3_1 + tags: + - level1 + - level2 + - rule_19.1.3.1 + - patch + +- name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + block: + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: scrnsave.scr + type: string + - name: "SCORED | 19.1.3.2 | PATCH | L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: SCRNSAVE.EXE + data: scrnsave.scr + type: string + when: rule_19_1_3_2 + tags: + - level1 + - level2 + - rule_19.1.3.2 + - patch + +- name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + block: + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string + - name: "SCORED | 19.1.3.3 | PATCH | L1 Ensure Password protect the screen saver is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control 
Panel\Desktop + name: ScreenSaverIsSecure + data: 1 + type: string + when: rule_19_1_3_3 + tags: + - level1 + - level2 + - rule_19.1.3.3 + - patch + +- name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + block: + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string + - name: "SCORED | 19.1.3.4 | PATCH | L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop + name: ScreenSaveTimeOut + data: 900 + type: string + when: rule_19_1_3_4 + tags: + - level1 + - level2 + - rule_19.1.3.4 + - patch + +- name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + block: + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword + - name: "SCORED | 19.5.1.1 | PATCH | L1 Ensure Turn off toast notifications on the lock screen is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications + name: NoToastApplicationNotificationOnLockScreen + data: 1 + type: dword + when: rule_19_5_1_1 + tags: + - level1 + - level2 + - rule_19.5.1.1 + - patch + +- name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + block: + - name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + win_regedit: + path: 
HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword + - name: "SCORED | 19.6.5.1.1 | PATCH | L2 Ensure Turn off Help Experience Improvement Program is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 + name: NoImplicitFeedback + data: 1 + type: dword + when: rule_19_6_5_1_1 + tags: + - level2 + - rule_19.6.5.1.1 + - patch + +- name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + block: + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 3 + type: dword + - name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments + name: SaveZoneInformation + data: 3 + type: dword + when: rule_19_7_4_1 + tags: + - level1 + - level2 + - rule_19.7.4.1 + - patch + +- name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + block: + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword + - name: "SCORED | 19.7.4.2 | PATCH | L1 Ensure Notify antivirus programs when opening attachments is set to Enabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments + name: ScanWithAntiVirus + data: 3 + type: dword + when: rule_19_7_4_2 + tags: + - level1 + - level2 + - rule_19.7.4.2 + - patch + +- name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows 
spotlight on lock screen is set to Disabled" + block: + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword + - name: "SCORED | 19.7.7.1 | PATCH | L1 Ensure Configure Windows spotlight on lock screen is set to Disabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: ConfigureWindowsSpotlight + data: 2 + type: dword + when: rule_19_7_7_1 + tags: + - level1 + - level2 + - rule_19.7.7.1 + - patch + +- name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + block: + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword + - name: "SCORED | 19.7.7.2 | PATCH | L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableThirdPartySuggestions + data: 1 + type: dword + when: rule_19_7_7_2 + tags: + - level1 + - level2 + - rule_19.7.7.2 + - patch + +- name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + block: + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword + - name: "SCORED | 19.7.7.3 | PATCH | L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + 
name: DisableTailoredExperiencesWithDiagnosticData + data: 1 + type: dword + when: rule_19_7_7_3 + tags: + - level2 + - rule_19.7.7.3 + - patch + +- name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + block: + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword + - name: "SCORED | 19.7.7.4 | PATCH | L2 Ensure Turn off all Windows spotlight features is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent + name: DisableWindowsSpotlightFeatures + data: 1 + type: dword + when: rule_19_7_7_4 + tags: + - level2 + - rule_19.7.7.4 + - patch + +- name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + block: + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword + - name: "SCORED | 19.7.26.1 | PATCH | L1 Ensure Prevent users from sharing files within their profile. 
is set to Enabled" + win_regedit: + path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer + name: NoInplaceSharing + data: 1 + type: dword + when: rule_19_7_26_1 + tags: + - level1 + - level2 + - rule_19.7.26.1 + - patch + +- name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + block: + - name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + - name: "SCORED | 19.7.40.1 | PATCH | L1 Ensure Always install with elevated privileges is set to Disabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windows\Installer + name: AlwaysInstallElevated + data: 0 + type: dword + when: rule_19_7_40_1 + tags: + - level1 + - level2 + - rule_19.7.40.1 + - patch + +- name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + block: + - name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + win_regedit: + path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword + - name: "SCORED | 19.7.44.2.1 | PATCH | L2 Ensure Prevent Codec Download is set to Enabled" + win_regedit: + path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer + name: PreventCodecDownload + data: 1 + type: dword + when: rule_19_7_44_2_1 + tags: + - level2 + - rule_19.7.44.2.1 + - patch +
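Review bot: Both 19.7.4.1 sub-tasks write `SaveZoneInformation` with `data: 3`, but the documented values for that Attachment Manager key are 1 (do not preserve zone information) and 2 (preserve it), and 2 is what the policy's "Disabled" state sets; 3 is the "On" value of the neighbouring `ScanWithAntiVirus` key and looks copied from 19.7.4.2. Unless the benchmark remediation says otherwise, change both to `data: 2`, since otherwise the mark-of-the-web behaviour this control exists to keep is not actually enforced and an audit of the value would fail. Separately, every task in this file targets only `HKU:\.DEFAULT` and `HKCU:`; over a WinRM session `HKCU:` resolves to the hive of the account Ansible connects as, and `HKU\.DEFAULT` is the hive used by the logon screen and LocalSystem rather than the template copied into new profiles, so existing and future interactive users appear to be left unconfigured. If a User Configuration GPO is not an option, consider loading `C:\Users\Default\NTUSER.DAT` through `win_regedit`'s `hive:` parameter and looping over the profile hives loaded under `HKU:`. Giving the two sub-tasks in each `block` distinct names (for example suffixing `| HKU .DEFAULT` and `| HKCU`) would also make the play output show which hive actually changed.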