v3.0.0 Release

Signed-off-by: Stephen Williams <stephenw@mindpointgroup.com>
This commit is contained in:
Stephen Williams
2025-02-19 11:21:59 -05:00
parent 75f5f35530
commit 8cb854ccc2
293 changed files with 4854 additions and 17620 deletions
+129 -121
@@ -2,142 +2,150 @@
# This is a basic workflow to help you get started with Actions
name: Devel Pipeline Validation
name: Ansible Remediate Devel Pipeline Validation
# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- devel
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
# This section contains all the jobs below that are running in the workflow.
jobs:
# This will create messages for the first time contributors and direct them to the Discord server
welcome:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This will create messages for the first time contributors and direct them to the Discord server
welcome:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
steps:
- uses: actions/first-interaction@main
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
pr-message: |-
Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the [Discord Server](https://www.lockdownenterprise.com/discord) as well.
# This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance.
playbook-test:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
build-azure-windows:
# Use the AWS self-hosted runner
runs-on: self-hosted
env:
# Imported as a variable by OpenTofu.
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_repository: ${{ github.event.repository.name }}
ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_windows_IaC
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: If a variable for IAC_BRANCH is set use that branch
working-directory: .github/workflows
run: |
if [ ${{ vars.IAC_BRANCH }} != '' ]; then
echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
else
echo IAC_BRANCH=main >> $GITHUB_ENV
fi
# Pull In OpenTofu Code For Windows Azure
- name: Clone IaC Repository
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
ref: ${{ env.IAC_BRANCH }}
# Sensitive Data Stored And Passed To OpenTofu
# Default Working Dir Defined In Defaults Above.
- name: Save Sensitive Info
run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
# Show the Os Var and Benchmark Type And Load
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
ENABLE_DEBUG: false
# Imported as a variable by terraform.
TF_VAR_repository: ${{ github.event.repository.name }}
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_windows_IaC
# Initialize The OpenTofu Working Directory
- name: Tofu init
id: init
run: tofu init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Steps represent a sequence of tasks that will be executed as part of the job.
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
# Validate The Syntax Of OpenTofu Files
- name: Tofu validate
id: validate
run: tofu validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Pull In Terraform Code For Windows Azure
- name: Clone github IaC plan
uses: actions/checkout@v3
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
# Execute The Actions And Build Azure Server
- name: Tofo Apply
id: apply
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
# Sensitive Data Stored And Passed To Terraform
# Default Working Dir Defined In Defaults Above.
- name: user details
run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
# Debug Section
- name: DEBUG - Show Ansible Hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Show the Os Var and Benchmark Type And Load
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Run the Ansible Playbook
- name: Run_Ansible_Playbook
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
run: |
/opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml ../../../site.yml
# Initialize The Terraform Working Directory
- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Validate The Syntax Of Terraform Files
- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Execute The Actions And Build Azure Server
- name: Terraform_Apply
id: apply
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform apply -var-file "${OSVAR}.tfvars" --auto-approve
# Debug Section
- name: DEBUG - Show Ansible Hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Run the Ansible Playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/github_windows_IaC/hosts.yml
galaxy_file: collections/requirements.yml
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
# Destroy The Azure Test System
- name: Terraform_Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform destroy -var-file "${OSVAR}.tfvars" --auto-approve
# Destroy The Azure Test System
- name: Tofu Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve
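Review bot: The job keeps the `pull_request_target` trigger, checks out `github.event.pull_request.head.sha`, and then executes that checked-out `../../../site.yml` while ARM_CLIENT_SECRET, WIN_USERNAME and WIN_PASSWORD sit in the job-level `env`, so code from any opened pull request runs with those secrets; the secret env is carried over from the old job, but the move from `ubuntu-latest` to `runs-on: self-hosted` puts that untrusted code on persistent infrastructure, and the job should be gated behind a GitHub environment with required reviewers (or a maintainer-applied label condition) before the secrets are made available. Separately, `if: always() && env.ENABLE_DEBUG == 'false'` on the Tofu Destroy step never matches when the ENABLE_DEBUG repository variable is unset, because `${{ vars.ENABLE_DEBUG }}` then expands to an empty string and the Azure instance built by the apply step is left running; `if: always() && env.ENABLE_DEBUG != 'true'` preserves the intent. The IAC_BRANCH check has the same unset-variable problem: `if [ ${{ vars.IAC_BRANCH }} != '' ]; then` renders as `if [  != '' ]` and fails the step instead of falling back to main, so it should read `if [ "${{ vars.IAC_BRANCH }}" != '' ]; then`. The `Save Sensitive Info` step appends the Windows credentials to `sensitive_info.json` in the workspace and no step removes that file, which on a self-hosted runner persists after the job ends; a final `if: always()` step that deletes it is warranted. The main-branch workflow in the next file section has the same four issues.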
+119 -110
@@ -2,130 +2,139 @@
# This is a basic workflow to help you get started with Actions
name: Main Pipeline Validation
name: Ansible Remediate Main Pipeline Validation
# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on: # yamllint disable-line rule:truthy
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- main
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
pull_request_target:
types: [opened, reopened, synchronize]
branches:
- main
paths:
- '**.yml'
- '**.sh'
- '**.j2'
- '**.ps1'
- '**.cfg'
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
# This section contains all the jobs below that are running in the workflow.
jobs:
# This workflow will run Terraform to load an instance in Azure to test the playbook against a live cloud-based instance.
playbook-test:
# The type of runner that the job will run on.
runs-on: ubuntu-latest
# This workflow will run OpenTofu to load an instance in Azure to test the playbook against a live cloud-based instance.
build-azure-windows:
# Use the AWS self-hosted runner
runs-on: self-hosted
env:
# Imported as a variable by OpenTofu.
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
TF_VAR_repository: ${{ github.event.repository.name }}
ANSIBLE_VERSION: ${{ vars.ANSIBLE_RUNNER_VERSION }}
ENABLE_DEBUG: ${{ vars.ENABLE_DEBUG }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_windows_IaC
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: If a variable for IAC_BRANCH is set use that branch
working-directory: .github/workflows
run: |
if [ ${{ vars.IAC_BRANCH }} != '' ]; then
echo "IAC_BRANCH=${{ vars.IAC_BRANCH }}" >> $GITHUB_ENV
echo "Pipeline using the following IAC branch ${{ vars.IAC_BRANCH }}"
else
echo IAC_BRANCH=main >> $GITHUB_ENV
fi
# Pull In OpenTofu Code For Windows Azure
- name: Clone IaC Repository
uses: actions/checkout@v4
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
ref: ${{ env.IAC_BRANCH }}
# Sensitive Data Stored And Passed To OpenTofu
# Default Working Dir Defined In Defaults Above.
- name: Save Sensitive Info
run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
# Show the Os Var and Benchmark Type And Load
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
ENABLE_DEBUG: false
# Imported as a variable by terraform.
TF_VAR_repository: ${{ github.event.repository.name }}
ARM_CLIENT_ID: ${{ secrets.AZURE_AD_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.AZURE_AD_CLIENT_SECRET }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_AD_TENANT_ID }}
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
defaults:
run:
shell: bash
working-directory: .github/workflows/github_windows_IaC
# Initialize The OpenTofu Working Directory
- name: Tofu init
id: init
run: tofu init
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Steps represent a sequence of tasks that will be executed as part of the job.
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it.
- name: Clone ${{ github.event.repository.name }}
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
# Validate The Syntax Of OpenTofu Files
- name: Tofu validate
id: validate
run: tofu validate
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Pull In Terraform Code For Windows Azure
- name: Clone github IaC plan
uses: actions/checkout@v3
with:
repository: ansible-lockdown/github_windows_IaC
path: .github/workflows/github_windows_IaC
# Execute The Actions And Build Azure Server
- name: Tofo Apply
id: apply
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: tofu apply -var-file "${OSVAR}.tfvars" --auto-approve -input=false
# Sensitive Data Stored And Passed To Terraform
# Default Working Dir Defined In Defaults Above.
- name: user details
run: echo "{\"username\":\"${WIN_USERNAME}\",\"password\":\"${WIN_PASSWORD}\"}" >> sensitive_info.json
# Debug Section
- name: DEBUG - Show Ansible Hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Show the Os Var and Benchmark Type And Load
- name: DEBUG - Show IaC files
if: env.ENABLE_DEBUG == 'true'
run: |
echo "OSVAR = $OSVAR"
echo "benchmark_type = $benchmark_type"
pwd
ls
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Run the Ansible Playbook
- name: Run_Ansible_Playbook
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
run: |
/opt/ansible_${{ env.ANSIBLE_VERSION }}_venv/bin/ansible-playbook -i hosts.yml ../../../site.yml
# Initialize The Terraform Working Directory
- name: Terraform_Init
id: init
run: terraform init
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Validate The Syntax Of Terraform Files
- name: Terraform_Validate
id: validate
run: terraform validate
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
# Execute The Actions And Build Azure Server
- name: Terraform_Apply
id: apply
env:
# Imported from github variables this is used to load the relevant OS.tfvars file
WIN_USERNAME: ${{ secrets.WIN_USERNAME }}
WIN_PASSWORD: ${{ secrets.WIN_PASSWORD }}
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform apply -var-file "${OSVAR}.tfvars" --auto-approve
# Debug Section
- name: DEBUG - Show Ansible Hostfile
if: env.ENABLE_DEBUG == 'true'
run: cat hosts.yml
# Run the Ansible Playbook
- name: Run_Ansible_Playbook
uses: arillso/action.playbook@master
with:
playbook: site.yml
inventory: .github/workflows/github_windows_IaC/hosts.yml
galaxy_file: collections/requirements.yml
# verbose: 3
env:
ANSIBLE_HOST_KEY_CHECKING: "false"
ANSIBLE_DEPRECATION_WARNINGS: "false"
# Destroy The Azure Test System
- name: Terraform_Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: terraform destroy -var-file "${OSVAR}.tfvars" --auto-approve
# Destroy The Azure Test System
- name: Tofu Destroy
if: always() && env.ENABLE_DEBUG == 'false'
env:
# Imported from GitHub variables this is used to load the relevant OS.tfvars file
OSVAR: ${{ vars.OSVAR }}
TF_VAR_benchmark_type: ${{ vars.BENCHMARK_TYPE }}
run: tofu destroy -var-file "${OSVAR}.tfvars" --auto-approve
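Review bot: The `DEBUG - Show IaC files` step echoes `$benchmark_type`, but the only value the job env sets is `TF_VAR_benchmark_type`, so that debug line always prints empty; it should be `echo "benchmark_type = $TF_VAR_benchmark_type"`. The apply step is named `Tofo Apply`, which reads as a typo of `Tofu Apply` alongside `Tofu init`, `Tofu validate` and `Tofu Destroy`. Both points are also present in the devel-branch workflow in the previous file section.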
+15 -14
@@ -5,20 +5,21 @@ name: Update Galaxy
# Controls when the action will run.
# Triggers the workflow on push or pull request
# events but only for the devel branch
on: # yamllint disable-line rule:truthy
push:
branches:
- main
on:
push:
branches:
- main
jobs:
update_role:
runs-on: ubuntu-latest
steps:
- name: Checkout V3
uses: actions/checkout@v3
update_role:
runs-on: ubuntu-latest
- name: Update Galaxy
uses: robertdebock/galaxy-action@master
with:
galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
git_branch: main
steps:
- name: Checkout V4
uses: actions/checkout@v4
- name: Update Galaxy
uses: ansible-actions/ansible-galaxy-action@main
with:
galaxy_api_key: ${{ secrets.GALAXY_API_KEY }}
git_branch: main
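Review bot: `ansible-actions/ansible-galaxy-action@main` is a third-party action referenced by a mutable branch and is handed `secrets.GALAXY_API_KEY`, so any future push to that branch runs with the key; pin it to a full commit SHA (with the version in a trailing comment) and let Dependabot bump it, and `actions/checkout@v4` benefits from the same treatment. Dropping the `# yamllint disable-line rule:truthy` comment from the `on:` line will make yamllint's truthy rule flag the key again, since `on` parses as a boolean under YAML 1.1; keep the directive unless the lint config disables that rule globally. The devel and main pipeline workflows earlier in this commit reference `actions/first-interaction@main` in the same mutable way.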
+2
@@ -43,3 +43,5 @@ benchparse/
# GitHub Action/Workflow files
.github/
.github/.ansible/.lock
.ansible/
+163 -2
@@ -1,8 +1,167 @@
# Changelog
## Release 3.0.0
#### Janurary 2025
General Updates
- hku_loaded_list renamed to discovered_hku_loaded_list
- General findings fixed when comparing win10 to win11
- Added additional when statements for domain joined systems. - Thanks @mfortin
Controls Changed
- Updated Control 2.2.29 with proper variable.
- Control 5.9 Tag updated.
- Control 17.2.1 added tag (- rule_17.2.1)
- Control 18.9.5.2 Title Update
- Control 18.9.25.5 Fixed Variable In It.
Things To Do
- Move to 2 spacing
- Update formatting
- Add NIST
## Release 2.0.0
#### July 2024
General Updates
- Benchmark 3.0.0 Update
- Added Tag "always" to Hyper-V Prelim Task
- Tags: All tags contain underscores except for Level Tags (use dashes). (Need to finish)
- Enhanced/Reordered Tags
Controls Changed
- Control 1.2.3: Changed from Audit to Patch in Tags
- Control 2.2.14: Updated when statement to stdout
- Control 2.3.4.1: Removed "Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'"
- Control 2.3.4.2: Renamed to 2.3.4.1
- Control 2.3.10.8: Added "Is Configured" to the Title
- Control 2.3.11.11: Added
- Control 2.3.11.12: Added with variable in default main (Fix setting to 1 - Audit All, not 2 - Deny All)
- Control 2.3.14.1: Changed to "level2-high-security-sensitive-data-environment"
- Control 5.3: Updated name to "Not Installed"
- Control 5.8: ICS Sharing Removed
- Control 5.8 v3.0.0: Changed to "level2-high-security-sensitive-data-environment"
- Control 5.9 v3.0.0: Updated name to include "LxssManager"
- Control 5.11 v3.0.0: Changed to "level2-high-security-sensitive-data-environment"
- Control 5.27 v3.0.0: Changed to "level1-corporate-enterprise-environment"
- All Controls from 5.9 v2.0.0: Moved one control number lower in v3.0.0
- Control 9.1.3 v2.0.0: Removed in v3.0.0
- All subsequent controls moved one number lower
- Control 9.2.3 v2.0.0: Removed in v3.0.0
- All subsequent controls moved one number lower
- Control 9.3.3 v2.0.0: Removed in v3.0.0
- All subsequent controls moved one number lower
- Control 17.6.3: Added tags
- Control 18.4.5 v2.0.0: Moved to 19.4.6 in v3.0.0, all subsequent controls moved down one number
- Control 18.4.5: New benchmark in v3.0.0
- Control 18.5.2: Updated title
- Control 18.5.3: Updated title
- Control 18.5.8: Updated title
- Control 18.6.4.1: Fixed when statement to "or" instead of "and"
- Control 18.6.4.2: Fixed when statement to "or" instead of "and"
- Control 18.6.14.1: Added RequirePrivacy=1 to the settings per v3.0.0
- Control 18.6.21.1: Updated title
- Control 18.6.21.2: Updated title
- Control 18.7.6: Fixed when statement to "or" instead of "and"
- Control 18.8.1.1: Changed to "level2-high-security-sensitive-data-environment"
- Control 18.9.5.2: Fixed when statement to "or" instead of "and"
- Control 18.9.19.4: Added new control in v3.0.0
- Control 18.9.19.5: Added new control in v3.0.0
- Controls 18.9.19.4 - 5 in v2.0.0 now moved to 18.9.19.6 - 7 in v3.0.0
- Control 18.9.51.1.1: Changed to "level1-corporate-enterprise-environment"
- Control 18.9.51.2.1: Changed to "level1-corporate-enterprise-environment," title updated
- Control 18.10.5.2: Fixed title name
- Control 18.10.9.1.1: Fixed value from none to []
- Control 18.10.9.1.4: Added new variable
- Control 18.10.9.1.11: Updated title name to match v3.0.0
- Control 18.10.9.2.11: Fixed title name
- Control 18.10.9.2.12: Fixed title name
- Control 18.10.9.3.1: Fixed value from none to []
- Control 18.10.9.3.4: Updated name from RDVManageDRA to RDVRecoveryPassword
- Control 18.10.9.3.13: Fixed title name
- Control 18.10.13.1: Fixed when statement to "or" instead of "and"
- Control 18.10.15.1: Fixed when statement to "or" instead of "and"
- Control 18.10.16.1: Fixed when statement lines
- Control 18.10.75.1.1: New control, all existing controls moved down one
- Control 18.10.75.2.1: Updated title
- Control 18.10.76.3.1 - 2: Removed in v3.0.0
- Control 18.10.79.2: Updated title
- Control 18.10.86.1: Changed to "level2-high-security-sensitive-data-environment"
- Control 18.10.86.2: Changed to "level2-high-security-sensitive-data-environment"
- Control 18.10.90.2: Updated title
- Control 18.10.92.2.1: Fixed when statement
- Control 18.10.92.2.3: New, causing all others to move down one
- Adjusted Registry to remove PP in Policies
- Control 18.10.92.4.1: Data value changed to 1
- Control 19.6.6.1: Renamed to 19.6.6.1.1 - Typo Fix
- Control 19.7.38.1: Added in v3.0.0
- Section 18.10.26.x in v2.0.0: Moved to 18.10.25.x in v3.0.0, all controls updated, all variables adjusted, all Default/main toggles updated
- Section 18.10.29.x in v2.0.0: Moved to 18.10.28.x in v3.0.0, all controls updated, all variables adjusted, all Default/main toggles updated
- Section 18.10.37.x in v2.0.0: Moved to 18.10.36.x in v3.0.0, all controls updated, all variables adjusted, all Default/main toggles updated
- Section 18.10.43.x in v2.0.0: Moved to 18.10.42.x in v3.0.0, all controls updated, all variables adjusted, all Default/main toggles updated
Section Moves
- Section 18.3.x v2.0.0: Removed in v3.0.0, all variables removed in defaults/main
- Section 18.9.25 in v2.0.0: Moved to 18.9.26 in v3.0.0
- Section 18.9.26 in v2.0.0: Moved to 18.9.27 in v3.0.0
- Section 18.9.30 in v2.0.0: Moved to 18.9.31 in v3.0.0
- Section 18.9.32 in v2.0.0: Moved to 18.9.33 in v3.0.0
- Section 18.9.34 in v2.0.0: Moved to 18.9.35 in v3.0.0
- Section 18.9.35 in v2.0.0: Moved to 18.9.36 in v3.0.0
- Section 18.9.37 in v2.0.0: Moved to 18.9.28 in v3.0.0
- Section 18.9.46 in v2.0.0: Moved to 18.9.47 in v3.0.0
- Section 18.9.48 in v2.0.0: Moved to 18.9.49 in v3.0.0
- Section 18.9.50 in v2.0.0: Moved to 18.9.51 in v3.0.0
- Section 18.10.33: Moved to 10.10.32, removed all controls in v3.0.0
- Section 18.10.41.x in v2.0.0: Moved to 18.10.40.x in v3.0.0
- Section 18.10.42.x in v2.0.0: Moved to 18.10.41.x in v3.0.0
- Section 18.10.44.x in v2.0.0: Moved to 18.10.43.x in v3.0.0
- Section 18.10.50.x in v2.0.0: Moved to 18.10.49.x in v3.0.0
- Section 18.10.51.x in v2.0.0: Moved to 18.10.50.x in v3.0.0
- Section 18.10.56.x in v2.0.0: Moved to 18.10.55.x in v3.0.0
- Section 18.10.57.x in v2.0.0: Moved to 18.10.56.x in v3.0.0
- Section 18.10.58.x in v2.0.0: Moved to 18.10.57.x in v3.0.0
- Section 18.10.59.x in v2.0.0: Moved to 18.10.58.x in v3.0.0
- Section 18.10.63.x in v2.0.0: Moved to 18.10.62.x in v3.0.0
- Section 18.10.66.x in v2.0.0: Moved to 18.10.65.x in v3.0.0
- Section 18.10.72.x in v2.0.0: Moved to 18.10.71.x in v3.0.0
- Section 18.10.76.x in v2.0.0: Moved to 18.10.75.x in v3.0.0
- Section 18.10.78.x in v2.0.0: Moved to 18.10.77.x in v3.0.0
- Section 18.10.79.x in v2.0.0: Moved to 18.10.78.x in v3.0.0
- Section 18.10.80.x in v2.0.0: Moved to 18.10.79.x in v3.0.0
- Section 18.10.81.x in v2.0.0: Moved to 18.10.80.x in v3.0.0
- Section 18.10.82.x in v2.0.0: Moved to 18.10.81.x in v3.0.0
- Section 18.10.87.x in v2.0.0: Moved to 18.10.86.x in v3.0.0
- Section 18.10.89.x in v2.0.0: Moved to 18.10.88.x in v3.0.0
- Section 18.10.90.x in v2.0.0: Moved to 18.10.89.x in v3.0.0
- Section 18.10.91.x in v2.0.0: Moved to 18.10.90.x in v3.0.0
- Section 18.10.92.x in v2.0.0: Moved to 18.10.91.x in v3.0.0
- Section 18.10.93.x in v2.0.0: Moved to 18.10.92.x in v3.0.0
- Section 19.1.3.x v2.0.0: Removed in v3.0.0
- Section 19.7.7.x in v2.0.0: Renumbered to 19.7.8.x in v3.0.0, all controls updated
- Section 19.7.25.x in v2.0.0: Renumbered to 19.7.26.x in v3.0.0
- Section 19.7.25.1 in v2.0.0: Moved to 19.7.26.1 in v3.0.0
- Control 19.7.40.1 in v2.0.0: Moved to 19.7.42.1 in v3.0.0
- Control 19.7.47.2.1 in v2.0.0: Moved to 19.7.44.2.1 in v3.0.0
#### June 2024
- Updated 18.9.19.5 To 0 "Disabled" - Thanks @dennisharder-alight
- Updated 18.10.43.10.2 To 0 "Disabled"
- Updated 18.5.1 Value to name. - Thanks @mfortin
- Updated 18.5.1 path missing \ between Software and Microsoft.
- Updated 2.2.11 To allow variables to be input if site requires it.
- Updated PRELIM | Set Fact If Cloud Based System to include ansible_system_vendor. - Thanks @mfortin
- Updated Pipelines - Thanks @mfortin
- Added discovered to Prelim reistered names.
- Added discovered_controlid to controls that register values.
- Verified 1.1.6 RelaxMinimumPasswordLengthLimits is using registry style entry not win_security_policy.
- Verified 18.10.93.4.1 ManagePreviewBuildsPolicyValue is set to 0 value.
- Control 17.9.5 updated changed_when.
- Removed all win_regedit state: present: (Default) value for the module.
## Release 1.0.0
March 2024
#### March 2024
- Updated Section 19 To Take Into Account All HKU Accounts And Windows Default Template.
- Fixed A Number Of Typos
- Updated Readme
@@ -12,5 +171,7 @@ March 2024
- 18.10.89.2.3
- Removed When Checks For Domain, Member Server, And Standalone
September 2023
#### September 2023
- Initial Release For Benchmark 2.0.0 Released 03.07.2023
+1 -1
@@ -1,6 +1,6 @@
MIT License
Copyright (c) 2023 MindPoint Group / Lockdown Enterprise
Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
+37 -28
@@ -2,7 +2,7 @@
## Configure a Windows 11 Enterprise system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
### Based on [ Microsoft Windows 11 Enterprise Benchmark v2.0.0 - 03-07-2023 ](https://www.cisecurity.org/cis-benchmarks/)
### Based on [ Microsoft Windows 11 Enterprise Benchmark v3.0.0 - 02-22-2024 ](https://www.cisecurity.org/cis-benchmarks/)
---
@@ -32,23 +32,23 @@
---
## Looking for support?
## Looking For Support? 🤝
[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_11_cis)
[Ansible Support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_11_cis)
### Community
### Community 💬
On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
---
## Caution(s)
## 🚨 Caution(s) 🚨
This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution.
Check Mode is not supported! 🚫 The role will complete in check mode without errors, but it is not supported and should be used with caution.
This role was developed against a clean install of the Windows 11 Enterprise 22H2 Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
@@ -56,17 +56,13 @@ To use release version please point to main branch and relevant release for the
---
## Matching a security Level for CIS
## Matching A Security Level For CIS 🔐
It is possible to only run level 1 or level 2 controls for CIS as well as a variety of other tags that are available for this role.
This is managed using tags:
- level1-corporate-enterprise-environment
- level2-high-security-sensitive-data-environment
- level1-next-generation-windows-security
- level1-bitlocker-next-generation-windows-security
- level2-next-generation-windows-security
- level2-bitlocker-next-generation-windows-security
- next-generation-windows-security
- level1-bitlocker
- level2-bitlocker
@@ -74,18 +70,18 @@ This is managed using tags:
The controls found in defaults/main also need to reflect those control numbers due to aligning every control to the audit component.
## Coming from a previous release
## Coming From A Previous Release
CIS releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release.
This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly.
Further details can be seen in the [Changelog](./ChangeLog.md)
## Auditing (new)
## Auditing (new) 🔍
Currently this release does not have a auditing tool that is up to date.
## Documentation
## Documentation 📖
- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_WINDOWS_11_cis)
@@ -93,7 +89,7 @@ Currently this release does not have a auditing tool that is up to date.
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_WINDOWS_11_cis)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_WINDOWS_11_cis)
## Requirements
## Requirements
**General:**
@@ -106,7 +102,7 @@ Currently this release does not have a auditing tool that is up to date.
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.
**Technical Dependencies:**
**Technical Dependencies:** ⚙️
- Windows 11 Enterprise 22H2 - Other versions are not supported
- Running Ansible/Tower setup (this role is tested against Ansible version 2.10.1 and newer)
@@ -119,27 +115,28 @@ Currently this release does not have a auditing tool that is up to date.
Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
## Role Variables
## Role Variables 📋
This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.
## Tags
## Tags 🏷️
There are many tags available for added control precision. Each control has it's own set of tags noting what level, if its automated or manual check, if it's a patch or audit, and the rule number.
Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag rpc, this task will be skipped. The opposite can also happen where you run only controls tagged with smb.
Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag manage_updates_offered_from_windows_update, this task will be skipped. The opposite can also happen where you run only controls tagged with manage_updates_offered_from_windows_update.
```sh
tags:
- level1-corporate-enterprise-environment
- rule_18.4.2
- automated
- patch
- rpc
- automated
- rule_18.10.92.4.3
- manage_updates_offered_from_windows_update
- updates
```
Tags for entire sections can be run using the tags that are in the main.yml files for each section. In this particular case this is the following example and how it breaks down for sections.
Section 18 - administrative-templates-computer <br>
Section 18 - administrative_templates_computer <br>
Section 18.10 - windows-components <br>
Section 18.10.3 - app-package-deployment
@@ -148,12 +145,12 @@ Section 18.10.3 - app-package-deployment
ansible.builtin.import_tasks:
file: cis_18.10.3.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-package-deployment
- administrative_templates_computer
- windows_components
- app_package_deployment
```
## Community Contribution
## Community Contribution 🧑‍🤝‍🧑
We encourage you (the community) to contribute to this role. Please read the rules below.
@@ -162,11 +159,23 @@ We encourage you (the community) to contribute to this role. Please read the rul
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
## Pipeline Testing
## Pipeline Testing 🔄
uses:
- ansible-core 2.12
- ansible-core 2.16.x
- ansible collections - pulls in the latest version based on requirements file
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel
- self-hosted runners using OpenTofu
## Local Testing 💻
- Ansible
- ansible-core 2.15.0 - python 3.11
## Credits and Thanks 🙏
Massive thanks to the fantastic community and all its members.
This includes a huge thanks and credit to the original authors and maintainers.
+365 -197
@@ -10,7 +10,7 @@ win11cis_section19: true
# Global Variables
win11cis_min_ansible_version: "2.10.1"
win11cis_min_ansible_version: "2.14"
# win_skip_for_test is the setting that will skip tasks that may cause changes that will affect the system.
# These controls are primarily around RDP and WinRM
@@ -18,16 +18,16 @@ win11cis_min_ansible_version: "2.10.1"
# Controls that will be skipped:
# 2.2.16 - Breaks Local Admin Connection
# 2.2.20 - Breaks Local Admin Connection
# 5.22 - Disables Remote Desktop Service Disabled
# 5.40 - Disables WinRm Service
# 5.21 - Disables Remote Desktop Service Disabled
# 5.39 - Disables WinRm Service
# 9.3.5 - Enables Firewall Public Rules *Breaks Reboot*
# 18.10.57.3.2.1 - Disables Remote Desktop Connections
# 18.10.89.1.1 - Disables WinRM Allow Client Basic Auth
# 18.10.89.1.2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
# 18.10.89.2.1 - Disables WinRM Allow Service Basic Auth
# 18.10.89.2.2 - Disables Remote Server Management through WinRM
# 18.10.89.2.3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
# 18.10.90.1 - Disables Remote Shell Access
# 18.10.56.3.2.1 - Disables Remote Desktop Connections
# 18.10.88.1.1 - Disables WinRM Allow Client Basic Auth
# 18.10.88.1.2 - Disables Client Ensure Allow unencrypted traffic is set to Disabled Control.
# 18.10.88.2.1 - Disables WinRM Allow Service Basic Auth
# 18.10.88.2.2 - Disables Remote Server Management through WinRM
# 18.10.88.2.3 - Disables Service Ensure Allow unencrypted traffic is set to Disabled Control.
# 18.10.89.1 - Disables Remote Shell Access
win_skip_for_test: false
# Changes will be made that will require a system reboot.
@@ -99,7 +99,6 @@ win11cis_rule_2_3_1_5: true
win11cis_rule_2_3_2_1: true
win11cis_rule_2_3_2_2: true
win11cis_rule_2_3_4_1: true
win11cis_rule_2_3_4_2: true
win11cis_rule_2_3_6_1: true
win11cis_rule_2_3_6_2: true
win11cis_rule_2_3_6_3: true
@@ -145,6 +144,8 @@ win11cis_rule_2_3_11_7: true
win11cis_rule_2_3_11_8: true
win11cis_rule_2_3_11_9: true
win11cis_rule_2_3_11_10: true
win11cis_rule_2_3_11_11: true
win11cis_rule_2_3_11_12: true
win11cis_rule_2_3_14_1: true
win11cis_rule_2_3_15_1: true
win11cis_rule_2_3_15_2: true
@@ -186,8 +187,8 @@ win11cis_rule_5_22: true
win11cis_rule_5_23: true
win11cis_rule_5_24: true
win11cis_rule_5_25: true
# 5.26 Causes warnings with SID Retrieval in Ansible
win11cis_rule_5_26: true
# 5.27 Causes warnings with SID Retrieval in Ansible
win11cis_rule_5_27: true
win11cis_rule_5_28: true
win11cis_rule_5_29: true
@@ -206,7 +207,6 @@ win11cis_rule_5_41: true
win11cis_rule_5_42: true
win11cis_rule_5_43: true
win11cis_rule_5_44: true
win11cis_rule_5_45: true
# Section 9
win11cis_rule_9_1_1: true
@@ -216,7 +216,6 @@ win11cis_rule_9_1_4: true
win11cis_rule_9_1_5: true
win11cis_rule_9_1_6: true
win11cis_rule_9_1_7: true
win11cis_rule_9_1_8: true
win11cis_rule_9_2_1: true
win11cis_rule_9_2_2: true
win11cis_rule_9_2_3: true
@@ -224,7 +223,6 @@ win11cis_rule_9_2_4: true
win11cis_rule_9_2_5: true
win11cis_rule_9_2_6: true
win11cis_rule_9_2_7: true
win11cis_rule_9_2_8: true
win11cis_rule_9_3_1: true
win11cis_rule_9_3_2: true
win11cis_rule_9_3_3: true
@@ -234,7 +232,6 @@ win11cis_rule_9_3_6: true
win11cis_rule_9_3_7: true
win11cis_rule_9_3_8: true
win11cis_rule_9_3_9: true
win11cis_rule_9_3_10: true
# Section 17
win11cis_rule_17_1_1: true
@@ -270,12 +267,6 @@ win11cis_rule_18_1_1_1: true
win11cis_rule_18_1_1_2: true
win11cis_rule_18_1_2_2: true
win11cis_rule_18_1_3: true
win11cis_rule_18_3_1: true
win11cis_rule_18_3_2: true
win11cis_rule_18_3_3: true
win11cis_rule_18_3_4: true
win11cis_rule_18_3_5: true
win11cis_rule_18_3_6: true
win11cis_rule_18_4_1: true
win11cis_rule_18_4_2: true
win11cis_rule_18_4_3: true
@@ -283,6 +274,7 @@ win11cis_rule_18_4_4: true
win11cis_rule_18_4_5: true
win11cis_rule_18_4_6: true
win11cis_rule_18_4_7: true
win11cis_rule_18_4_8: true
win11cis_rule_18_5_1: true
win11cis_rule_18_5_2: true
win11cis_rule_18_5_3: true
@@ -348,6 +340,8 @@ win11cis_rule_18_9_19_2: true
win11cis_rule_18_9_19_3: true
win11cis_rule_18_9_19_4: true
win11cis_rule_18_9_19_5: true
win11cis_rule_18_9_19_6: true
win11cis_rule_18_9_19_7: true
win11cis_rule_18_9_20_1_1: true
win11cis_rule_18_9_20_1_2: true
win11cis_rule_18_9_20_1_3: true
@@ -366,31 +360,39 @@ win11cis_rule_18_9_23_1: true
win11cis_rule_18_9_24_1: true
win11cis_rule_18_9_25_1: true
win11cis_rule_18_9_25_2: true
win11cis_rule_18_9_25_3: true
win11cis_rule_18_9_25_4: true
win11cis_rule_18_9_25_5: true
win11cis_rule_18_9_25_6: true
win11cis_rule_18_9_25_7: true
win11cis_rule_18_9_25_8: true
win11cis_rule_18_9_26_1: true
win11cis_rule_18_9_26_2: true
win11cis_rule_18_9_27_1: true
win11cis_rule_18_9_27_2: true
win11cis_rule_18_9_27_3: true
win11cis_rule_18_9_27_4: true
win11cis_rule_18_9_27_5: true
win11cis_rule_18_9_27_6: true
win11cis_rule_18_9_27_7: true
win11cis_rule_18_9_30_1: true
win11cis_rule_18_9_30_2: true
win11cis_rule_18_9_32_6_1: true
win11cis_rule_18_9_32_6_2: true
win11cis_rule_18_9_32_6_3: true
win11cis_rule_18_9_32_6_4: true
win11cis_rule_18_9_32_6_5: true
win11cis_rule_18_9_32_6_6: true
win11cis_rule_18_9_34_1: true
win11cis_rule_18_9_34_2: true
win11cis_rule_18_9_28_1: true
win11cis_rule_18_9_28_2: true
win11cis_rule_18_9_28_3: true
win11cis_rule_18_9_28_4: true
win11cis_rule_18_9_28_5: true
win11cis_rule_18_9_28_6: true
win11cis_rule_18_9_28_7: true
win11cis_rule_18_9_31_1: true
win11cis_rule_18_9_31_2: true
win11cis_rule_18_9_33_6_1: true
win11cis_rule_18_9_33_6_2: true
win11cis_rule_18_9_33_6_3: true
win11cis_rule_18_9_33_6_4: true
win11cis_rule_18_9_33_6_5: true
win11cis_rule_18_9_33_6_6: true
win11cis_rule_18_9_35_1: true
win11cis_rule_18_9_35_2: true
win11cis_rule_18_9_46_5_1: true
win11cis_rule_18_9_46_11_1: true
win11cis_rule_18_9_48_1: true
win11cis_rule_18_9_50_1_1: true
win11cis_rule_18_9_50_1_2: true
win11cis_rule_18_9_36_1: true
win11cis_rule_18_9_36_2: true
win11cis_rule_18_9_47_5_1: true
win11cis_rule_18_9_47_11_1: true
win11cis_rule_18_9_49_1: true
win11cis_rule_18_9_51_1_1: true
win11cis_rule_18_9_51_1_2: true
win11cis_rule_18_10_3_1: true
win11cis_rule_18_10_3_2: true
win11cis_rule_18_10_4_1: true
@@ -427,6 +429,10 @@ win11cis_rule_18_10_9_2_11: true
win11cis_rule_18_10_9_2_12: true
win11cis_rule_18_10_9_2_13: true
win11cis_rule_18_10_9_2_14: true
win11cis_rule_18_10_9_2_15: true
win11cis_rule_18_10_9_2_16: true
win11cis_rule_18_10_9_2_17: true
win11cis_rule_18_10_9_2_18: true
win11cis_rule_18_10_9_3_1: true
win11cis_rule_18_10_9_3_2: true
win11cis_rule_18_10_9_3_3: true
@@ -464,131 +470,130 @@ win11cis_rule_18_10_17_1: true
win11cis_rule_18_10_17_2: true
win11cis_rule_18_10_17_3: true
win11cis_rule_18_10_17_4: true
win11cis_rule_18_10_26_1_1: true
win11cis_rule_18_10_26_1_2: true
win11cis_rule_18_10_26_2_1: true
win11cis_rule_18_10_26_2_2: true
win11cis_rule_18_10_26_3_1: true
win11cis_rule_18_10_26_3_2: true
win11cis_rule_18_10_26_4_1: true
win11cis_rule_18_10_26_4_2: true
win11cis_rule_18_10_29_2: true
win11cis_rule_18_10_29_3: true
win11cis_rule_18_10_29_4: true
win11cis_rule_18_10_29_5: true
win11cis_rule_18_10_33_1: true
win11cis_rule_18_10_37_2: true
win11cis_rule_18_10_25_1_1: true
win11cis_rule_18_10_25_1_2: true
win11cis_rule_18_10_25_2_1: true
win11cis_rule_18_10_25_2_2: true
win11cis_rule_18_10_25_3_1: true
win11cis_rule_18_10_25_3_2: true
win11cis_rule_18_10_25_4_1: true
win11cis_rule_18_10_25_4_2: true
win11cis_rule_18_10_28_2: true
win11cis_rule_18_10_28_3: true
win11cis_rule_18_10_28_4: true
win11cis_rule_18_10_28_5: true
win11cis_rule_18_10_36_1: true
win11cis_rule_18_10_40_1: true
win11cis_rule_18_10_41_1: true
win11cis_rule_18_10_42_1: true
win11cis_rule_18_10_43_5_1: true
win11cis_rule_18_10_43_5_2: true
win11cis_rule_18_10_43_6_1_1: true
win11cis_rule_18_10_43_6_1_2: true
win11cis_rule_18_10_43_6_3_1: true
win11cis_rule_18_10_43_7_1: true
win11cis_rule_18_10_43_10_1: true
win11cis_rule_18_10_43_10_2: true
win11cis_rule_18_10_43_10_3: true
win11cis_rule_18_10_43_10_4: true
win11cis_rule_18_10_43_12_1: true
win11cis_rule_18_10_43_13_1: true
win11cis_rule_18_10_43_13_2: true
win11cis_rule_18_10_43_16: true
win11cis_rule_18_10_43_17: true
win11cis_rule_18_10_44_1: true
win11cis_rule_18_10_44_2: true
win11cis_rule_18_10_44_3: true
win11cis_rule_18_10_44_4: true
win11cis_rule_18_10_44_5: true
win11cis_rule_18_10_44_6: true
win11cis_rule_18_10_42_5_1: true
win11cis_rule_18_10_42_5_2: true
win11cis_rule_18_10_42_6_1_1: true
win11cis_rule_18_10_42_6_1_2: true
win11cis_rule_18_10_42_6_3_1: true
win11cis_rule_18_10_42_7_1: true
win11cis_rule_18_10_42_10_1: true
win11cis_rule_18_10_42_10_2: true
win11cis_rule_18_10_42_10_3: true
win11cis_rule_18_10_42_10_4: true
win11cis_rule_18_10_42_12_1: true
win11cis_rule_18_10_42_13_1: true
win11cis_rule_18_10_42_13_2: true
win11cis_rule_18_10_42_13_3: true
win11cis_rule_18_10_42_16: true
win11cis_rule_18_10_42_17: true
win11cis_rule_18_10_43_1: true
win11cis_rule_18_10_43_2: true
win11cis_rule_18_10_43_3: true
win11cis_rule_18_10_43_4: true
win11cis_rule_18_10_43_5: true
win11cis_rule_18_10_43_6: true
win11cis_rule_18_10_49_1: true
win11cis_rule_18_10_50_1: true
win11cis_rule_18_10_51_1: true
win11cis_rule_18_10_56_1: true
win11cis_rule_18_10_57_2_2: true
win11cis_rule_18_10_57_2_3: true
win11cis_rule_18_10_57_3_2_1: true
win11cis_rule_18_10_57_3_3_1: true
win11cis_rule_18_10_57_3_3_2: true
win11cis_rule_18_10_57_3_3_3: true
win11cis_rule_18_10_57_3_3_4: true
win11cis_rule_18_10_57_3_3_5: true
win11cis_rule_18_10_57_3_3_6: true
win11cis_rule_18_10_57_3_3_7: true
win11cis_rule_18_10_57_3_9_1: true
win11cis_rule_18_10_57_3_9_2: true
win11cis_rule_18_10_57_3_9_3: true
win11cis_rule_18_10_57_3_9_4: true
win11cis_rule_18_10_57_3_9_5: true
win11cis_rule_18_10_57_3_10_1: true
win11cis_rule_18_10_57_3_10_2: true
win11cis_rule_18_10_57_3_11_1: true
win11cis_rule_18_10_58_1: true
win11cis_rule_18_10_59_2: true
win11cis_rule_18_10_59_3: true
win11cis_rule_18_10_59_4: true
win11cis_rule_18_10_59_5: true
win11cis_rule_18_10_59_6: true
win11cis_rule_18_10_59_7: true
win11cis_rule_18_10_63_1: true
win11cis_rule_18_10_66_1: true
win11cis_rule_18_10_66_2: true
win11cis_rule_18_10_66_3: true
win11cis_rule_18_10_66_4: true
win11cis_rule_18_10_66_5: true
win11cis_rule_18_10_55_1: true
win11cis_rule_18_10_56_2_2: true
win11cis_rule_18_10_56_2_3: true
win11cis_rule_18_10_56_3_2_1: true
win11cis_rule_18_10_56_3_3_1: true
win11cis_rule_18_10_56_3_3_2: true
win11cis_rule_18_10_56_3_3_3: true
win11cis_rule_18_10_56_3_3_4: true
win11cis_rule_18_10_56_3_3_5: true
win11cis_rule_18_10_56_3_3_6: true
win11cis_rule_18_10_56_3_3_7: true
win11cis_rule_18_10_56_3_9_1: true
win11cis_rule_18_10_56_3_9_2: true
win11cis_rule_18_10_56_3_9_3: true
win11cis_rule_18_10_56_3_9_4: true
win11cis_rule_18_10_56_3_9_5: true
win11cis_rule_18_10_56_3_10_1: true
win11cis_rule_18_10_56_3_10_2: true
win11cis_rule_18_10_56_3_11_1: true
win11cis_rule_18_10_57_1: true
win11cis_rule_18_10_58_2: true
win11cis_rule_18_10_58_3: true
win11cis_rule_18_10_58_4: true
win11cis_rule_18_10_58_5: true
win11cis_rule_18_10_58_6: true
win11cis_rule_18_10_58_7: true
win11cis_rule_18_10_62_1: true
win11cis_rule_18_10_65_1: true
win11cis_rule_18_10_65_2: true
win11cis_rule_18_10_65_3: true
win11cis_rule_18_10_65_4: true
win11cis_rule_18_10_65_5: true
win11cis_rule_18_10_71_1: true
win11cis_rule_18_10_72_1: true
win11cis_rule_18_10_76_1_1: true
win11cis_rule_18_10_76_1_2: true
win11cis_rule_18_10_76_1_3: true
win11cis_rule_18_10_76_1_4: true
win11cis_rule_18_10_76_2_1: true
win11cis_rule_18_10_76_3_1: true
win11cis_rule_18_10_76_3_2: true
win11cis_rule_18_10_75_1_1: true
win11cis_rule_18_10_75_1_2: true
win11cis_rule_18_10_75_1_3: true
win11cis_rule_18_10_75_1_4: true
win11cis_rule_18_10_75_1_5: true
win11cis_rule_18_10_75_2_1: true
win11cis_rule_18_10_77_1: true
win11cis_rule_18_10_78_1: true
win11cis_rule_18_10_79_1: true
win11cis_rule_18_10_79_2: true
win11cis_rule_18_10_80_1: true
win11cis_rule_18_10_80_2: true
win11cis_rule_18_10_80_3: true
win11cis_rule_18_10_81_1: true
win11cis_rule_18_10_81_2: true
win11cis_rule_18_10_81_3: true
win11cis_rule_18_10_82_1: true
win11cis_rule_18_10_82_2: true
win11cis_rule_18_10_87_1: true
win11cis_rule_18_10_87_2: true
win11cis_rule_18_10_89_1_1: true
win11cis_rule_18_10_89_1_2: true
win11cis_rule_18_10_89_1_3: true
win11cis_rule_18_10_89_2_1: true
win11cis_rule_18_10_89_2_2: true
win11cis_rule_18_10_89_2_3: true
win11cis_rule_18_10_89_2_4: true
win11cis_rule_18_1_90_1: true
win11cis_rule_18_1_91_1: true
win11cis_rule_18_1_91_2: true
win11cis_rule_18_10_86_1: true
win11cis_rule_18_10_86_2: true
win11cis_rule_18_10_88_1_1: true
win11cis_rule_18_10_88_1_2: true
win11cis_rule_18_10_88_1_3: true
win11cis_rule_18_10_88_2_1: true
win11cis_rule_18_10_88_2_2: true
win11cis_rule_18_10_88_2_3: true
win11cis_rule_18_10_88_2_4: true
win11cis_rule_18_10_89_1: true
win11cis_rule_18_10_90_1: true
win11cis_rule_18_10_90_2: true
win11cis_rule_18_10_91_2_1: true
win11cis_rule_18_10_92_1_1: true
win11cis_rule_18_10_92_2_1: true
win11cis_rule_18_10_93_1_1: true
win11cis_rule_18_10_93_2_1: true
win11cis_rule_18_10_93_2_2: true
win11cis_rule_18_10_93_2_3: true
win11cis_rule_18_10_93_4_1: true
win11cis_rule_18_10_93_4_2: true
win11cis_rule_18_10_93_4_3: true
win11cis_rule_18_10_92_2_2: true
win11cis_rule_18_10_92_2_3: true
win11cis_rule_18_10_92_2_4: true
win11cis_rule_18_10_92_4_1: true
win11cis_rule_18_10_92_4_2: true
win11cis_rule_18_10_92_4_3: true
# Section 19
win11cis_rule_19_1_3_1: true
win11cis_rule_19_1_3_2: true
win11cis_rule_19_1_3_3: true
win11cis_rule_19_5_1_1: true
win11cis_rule_19_6_6_1_1: true
win11cis_rule_19_7_4_1: true
win11cis_rule_19_7_4_2: true
win11cis_rule_19_7_7_1: true
win11cis_rule_19_7_7_2: true
win11cis_rule_19_7_7_3: true
win11cis_rule_19_7_7_4: true
win11cis_rule_19_7_7_5: true
win11cis_rule_19_7_25_1: true
win11cis_rule_19_7_40_1: true
win11cis_rule_19_7_47_2_1: true
win11cis_rule_19_7_5_1: true
win11cis_rule_19_7_5_2: true
win11cis_rule_19_7_8_1: true
win11cis_rule_19_7_8_2: true
win11cis_rule_19_7_8_3: true
win11cis_rule_19_7_8_4: true
win11cis_rule_19_7_8_5: true
win11cis_rule_19_7_26_1: true
win11cis_rule_19_7_38_1: true
win11cis_rule_19_7_42_1: true
win11cis_rule_19_7_44_2_1: true
# Section 1 Variables
@@ -644,6 +649,15 @@ win11cis_account_lockout_counter_reset: 15
# Section 2 Variables
# 2.2.11
# Windows 11 Create a token object user right must not be assigned to any groups or accounts.
# If any SIDs other than the following are granted the "SeCreateTokenPrivilege" user right, this is a finding.
# If an application requires this user right, this would not be a finding. Vendor documentation must support the
# requirement for having the user right. The requirement must be documented with the ISSO.
# NOTE: Improper Accounts Or Groups listed here will FAIL task.
# Default: []
wn11cis_secreatetokenprivilege: []
# 2.2.28
# This policy setting allows accounts to log on using the task scheduler service.
# If you install optional components such as ASP.NET or IIS, you might need to assign this user right to
@@ -659,13 +673,17 @@ win11cis_sebatchlogonright: Administrators
# Log on as a service user right to additional accounts that are required by those components. IIS requires that
# this user right be explicitly granted to the ASPNET user account. On Windows Workstations with the Hyper-V
# feature installed, this user right should also be granted to the special group NT VIRTUAL MACHINE\Virtual Machines.
# When using Windows Defender Application Guard, such as in the Next Generation Windows Security profile) WDAGUtilityAccount
# Auto Set By Ansible
# [] - No Accounts Put In.
# Hyper V Discovered Enabled - NT VIRTUAL MACHINE\Virtual Machines
# WDAG Discovered Enabled - WDAGUtilityAccount
# Hyper V & WDAG Discovered Enabled - WDAGUtilityAccount,NT VIRTUAL MACHINE\Virtual Machines
# Settings Note:
# When Hyper-V not installed no one will be set. If Hyper-V is set in win11cis_hyperv_installed to true
# the control will automatically add the proper setting.
# If you defining your own input list them in win11cis_seservicelogonright by commas and no spacing between them.
# NOTE: Improper Accounts Or Groups listed here will FAIL task.
# Default: ""
win11cis_seservicelogonright: ""
# If you defining your own input list them in win10cis_seservicelogonright by commas and no spacing between them.
# NOTE: Improper Accounts Or Groups listed here will FAIL task. When adding place items in ""
# Default: []
win11cis_seservicelogonright: []
# 2.3.1.4
# The built-in local administrator account is a well-known account name that attackers will target. It is
@@ -780,6 +798,20 @@ win11cis_legacy_rc4_hmac_md5_support: false
# Default: 1
win11cis_ldap_client_integrity: 1
# 2.3.11.12
# win11cis_restrict_sending_ntlm_traffic is This policy setting allows the auditing of outgoing NTLM traffic. Events for this setting
# are recorded in the operational event log (e.g. Applications and Services Log\Microsoft\Windows\NTLM).
# The recommended state for this setting is: Audit all. Configuring this setting to Deny All also conforms to the benchmark.
# Note: Configuring this setting to Deny All is more secure, however it could have a negative impact
# on applications that still require NTLM. Test carefully before implementing the Deny All value. 7.26.24 - CIS documentation is
# incorrect stating that audit all is 2. CIS has a fix in the works and that is already applied here.
# Note: Possible Valid Settings
# Default: 1
# 1 - Audit All
# 2 - Deny All
# Default: 1
win11cis_restrict_sending_ntlm_traffic: 1
# 2.3.14.1
# win11cis_force_key_protection is the policy setting determines whether users' private keys (such as their S-MIME keys) require
# a password to be used. Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark.
@@ -800,55 +832,137 @@ win11cis_force_key_protection: 1
# Default: 2
win11cis_consent_prompt_behavior_admin: 2
# Section 5 Variables
# The variables below have been added to take into account the option added to CIS to uninstall the services.
# NOTE: By default the services will be disabled and stopped as per the CIS standard listed first.
# Not all the services are setup in CIS to be uninstalled and we have documetned them below in single vars.
# 5.3
# This Maintains an updated list of computers on the network and supplies this list to computers
# designated as browsers.
# Default: false
win11cis_uninstall_computer_browser_service: false
# 5.6
# This service is not installed by default. It is supplied with Windows, but is installed
# by enabling an optional Windows feature (Internet Information Services).
# Default: false
win11cis_uninstall_iis_admin_service: false
# 5.7
# Irmon Service Detects other Infrared devices that are in range and launches the file transfer application.
# Default: false
win11cis_uninstall_irmon_service: false
# 5.9
# The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure
# necessary for ELF binaries to run on Windows.
# This service is not installed by default. It is supplied with Windows, but is installed
# by enabling an optional Windows feature (Windows Subsystem for Linux).
# Note: If your organization has made an exception to this recommendation and is using Windows Subsystem for Linux (WSL),
# the Internet Connection Sharing (ICS) (SharedAccess) service will need to be Enabled for WSL to function.
# Default: false
win11cis_uninstall_lxssmanager_service: false
# 5.10
# ftpsvc service is not installed by default. It is supplied with Windows, but is installed by
# enabling an optional Windows feature (Internet Information Services - FTP Server).
# Default: false
win11cis_uninstall_ftpsvc_service: false
# 5.11
# msiscsi Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices.
# Default: false
win11cis_uninstall_msiscsi_service: false
# 5.12
# service sshd uses SSH protocol based service to provide secure encrypted communications between
# two untrusted hosts over an insecure network.
# Note: This service is not installed by default. It is supplied with Windows, but it is
# installed by enabling an optional Windows feature (OpenSSH Server).
# Default: false
win11cis_uninstall_sshd_service: false
# 5.27
# simptcp supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day.
# Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling
# an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc)).
# Default: false
win11cis_uninstall_simptcp_service: false
# 5.28
# snmp enables Simple Network Management Protocol (SNMP) requests to be processed by this computer.
# Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional
# Windows feature (Simple Network Management Protocol (SNMP)).
# Default: false
win11cis_uninstall_snmp_service: false
# 5.29
# sacsvr service allows administrators to remotely access a command prompt using Emergency Management Services.
# Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional
# Windows capability (Windows Emergency Management Services and Serial Console).
# Default: false
win11cis_uninstall_sacsvr_service: false
# 5.32
# wmsvc enables remote and delegated management capabilities for administrators to manage for the Web server,
# sites and applications present on the machine.
# Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an
# optional Windows feature (Internet Information Services - Web Management Tools - IIS Management Service).
# Default: false
win11cis_uninstall_wmsvc_service: false
# 5.35
# wmpnetworksvc shares Windows Media Player libraries to other networked players and media devices using
# Universal Plug and Play.
# Default: false
win11cis_uninstall_wmpnetworksvc_service: false
# 5.40
# w3svc provides Web connectivity and administration through the Internet Information Services Manager.
# Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling
# an optional Windows feature (Internet Information Services - World Wide Web Services).
# Default: false
win11cis_uninstall_w3svc_service: false
# Section 9 Variables
# 9.1.5
# 9.1.4
# win11cis_domain_firewall_log_path is the path to the domain firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\domainfw.log
# This is a variable to give some leeway on where to store these log files.
# Default: '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
win11cis_domain_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
# 9.1.6
# 9.1.5
# win11cis_domain_firewall_log_size is the size of the log file generated
# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
# Default: 16384
win11cis_domain_firewall_log_size: 16384
# 9.2.5
# 9.2.4
# win11cis_private_firewall_log_path is the path to the private firewall log files. The control suggests %SystemRoot%\System32\logfiles\firewall\privatefw.log
# This is a variable to give some leeway on where to store these log files
win11cis_private_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
# 9.2.6
# 9.2.5
# win11cis_private_firewall_log_size is the size of the log file
# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
win11cis_private_firewall_log_size: 16384
# 9.3.7
# 9.3.6
# win11cis_public_firewall_log_path is the path to the public firewall log file. The control suggests %SystemRoot%\System32\logfiles\firewall\publicfw.log
# This is a variable to give some leeway on where to store these log files
win11cis_public_firewall_log_path: '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
# 9.3.8
# 9.3.7
# win11cis_public_firewall_log_size is the size of the log file
# To conform to CIS standards the value should be 16,384 or greater. Value is in KB
win11cis_public_firewall_log_size: 16384
# Section 18 Variables
# Control 18.3.5
# win11cis_laps_password_length is the LAPS tool password length.
# The recommended state for this setting is: Enabled: 15 or more.
# Default: 15
win11cis_laps_password_length: 15
# Control 18.3.6
# win11cis_laps_password_age_days is the LAPS tool password age in days.
# The recommended state for this setting is: Enabled: 30 or fewer.
# Default: 30
win11cis_laps_password_age_days: 30
# 18.4.6
# 18.4.7
# win11cis_netbt_nodetype is the node type value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters:NodeType
# Options are B-node value of 1, P-node value of 2, M-node value of 4, H-node value of 8. P-node is the recommended setting from CIS
# Default: 2
@@ -905,6 +1019,67 @@ win11cis_force_kerberos_for_rpc: 0
# Default: 1
win11cis_enable_virtualization_based_security: 1
# 18.9.25.1
# win11cis_laps_backup_directory is the policy setting configures which directory Windows LAPS will use to back up the
# local admin account password.
# The recommended state for this setting is: Enabled: Active Directory or Enabled: Azure Active Directory.
# 1 - Enabled: Active Directory
# 2 - Enabled: Azure Active Directory
# Default: 1
win11cis_laps_backup_directory: 1
# 18.9.25.5
# win11cis_laps_password_length is the policy setting configures the Windows LAPS Password Settings policy for password length.
# The recommended state for this setting is: Enabled: 15 or more.
# Default: 15
win11cis_laps_password_length: 15
# 18.9.25.6
# win11cis_laps_password_age is the policy setting configures the Windows LAPS Password Settings policy for password length.
# The recommended state for this setting is: Enabled: 30 or fewer.
# Default: 30
win11cis_laps_password_age: 30
# 18.9.25.7
# win11cis_laps_post_auth_actions_grace_period is the olicy settings configures post-authentication actions which will be
# executed after detecting an authentication by the Windows LAPS managed account. The Grace period refers to the amount of
# time (hours) to wait after an authentication before executing the specified post-authentication actions.
# The recommended state for this setting is: Enabled: 8 or fewer hours, but not 0.
# Default: 8
win11cis_laps_post_auth_actions_grace_period: 8
# 18.9.25.8
# win11cis_laps_post_auth_actions_reset_password is the policy settings configures post-authentication actions which
# will be executed after detecting an authentication by the LAPS managed account. The Action refers to actions to take
# upon expiry of the grace period before executing the specified post- authentication actions.
# The recommended state for this setting is: Enabled: Reset the password and logoff the managed account or higher.
# 3 - Enabled: Reset the password and logoff the managed account
# 5 - Enabled: Reset the password and reboot.
# Default: 3
win11cis_laps_post_auth_actions_reset_password: 3
# 18.10.9.1.4
# win11cis_48_digit_recovery_password_setting is the policy setting allows you to control how BitLocker-protected fixed data
# drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
# In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to
# generate a 48-digit recovery password or a 256-bit recovery key.
# The recommended state for this setting is: Enabled: Allow 48-digit recovery password or Enabled: Require 48-digit recovery password.
# 1 - Enabled: Require 48-digit recovery password
# 2 - Enabled: Allow 48-digit recovery password
# Default: 2
win11cis_48_digit_recovery_password_setting: 2
# 18.10.9.1.5
# win11cis_256bit_recovery_key_setting is theThis policy setting allows you to control how BitLocker-protected fixed data drives
# are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
# In "Configure user storage of BitLocker recovery information" select whether users are allowed, required, or not allowed to
# generate a 48-digit recovery password or a 256-bit recovery key.
# The recommended state for this setting is: Enabled: Allow 256-bit recovery key or Enabled: Require 256-bit recovery key.
# 1 - Enabled: Require 256-bit recovery key
# 2 - Enabled: Allow 256-bit recovery key
# Default: 2
win11cis_256bit_recovery_key_setting: 2
# 18.10.13.1
# win11cis_require_pin_for_pairing is the policy setting controls whether or not a PIN is required for pairing to a wireless display device.
# The recommended state for this setting is: Enabled: First Time OR Enabled: Always.
@@ -934,56 +1109,56 @@ win11cis_allow_telemetry: 1
# Default: 1
win11cis_do_download_mode: 1
# 18.10.26.1.2
# 18.10.25.1.2
# win11cis_application_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can be
# configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.
# The recommended state for this setting is: Enabled: 32,768 or greater
win11cis_application_max_log_file_size: 32768
# 18.10.26.2.2
# 18.10.25.2.2
# win11cis_security_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size can
# be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.
# The recommended state for this setting is: Enabled: 196,608 or greater.
win11cis_security_max_log_file_size: 196608
# 18.10.26.3.2
# 18.10.25.3.2
# win11cis_setup_max_log_file_size is the setting specifies the maximum size of the log file in kilobytes. The maximum log file size can be
# configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.#
# The recommended state for this setting is: Enabled: 32,768 or greater.
win11cis_setup_max_log_file_size: 32768
# 18.10.26.4.2
# win19cis_system_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size
# 18.10.25.4.2
# win11cis_system_max_log_file_size is the setting that specifies the maximum size of the log file in kilobytes. The maximum log file size
# can be configured between 1 megabyte (1,024 kilobytes) and 4 terabytes (4,194,240 kilobytes) in kilobyte increments.
# The recommended state for this setting is: Enabled: 32,768 or greater.
win11cis_system_max_log_file_size: 32768
# 18.10.57.3.10.1
# 18.10.56.3.10.1
# win11cis_idle_rdp_session_disconnect_time is the setting allows you to specify the maximum amount of time that an active Remote Desktop
# Services session can be idle (without user input) before it is automatically disconnected.
# The recommended state for this setting is: Enabled: 15 minutes or less, but not Never (0).
# Default: 900000
win11cis_idle_rdp_session_disconnect_time: 900000
# 18.10.80.2
# 18.10.79.2
# win11cis_allow_windows_ink_workspace is the policy setting determines whether Windows Ink items are allowed above the lock screen.
# The recommended state for this setting is: Enabled: On, but disallow access above lock OR Enabled: Disabled.
# 0 - Enabled: Disabled
# 1 - Enabled: On, but disallow access above lock
win11cis_allow_windows_ink_workspace: 1
# 18.10.87.2
# 18.10.86.2
# win11cis_powershell_transcription_dir is the customized folder settings for storing of powershell transcription files.
# If you opt to not specify an output directory, the PowerShell transcripts will be saved to the users Documents folder.
# Example: C:\PS_Transcription_Location_Ansible
# Default: Default - This will save it to the default location
win11cis_powershell_transcription_dir: Default
# 18.10.93.2.1
# 18.10.92.2.1
# win11cis_au_options is policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS.
# The recommended state for this setting is: Enabled.
# If feasible we suggest using a value of 4 - Auto download and schedule the install
# If 4 is not selected control 18.10.93.2.2 will be skipped.
# If 4 is not selected control 18.10.92.2.2 will be skipped.
# 2 - Notify for download and auto install (Notify before downloading any updates)
# 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting)
# 4 - Auto download and schedule the install (Automatically download updates an install them on the schedule specified below.))
@@ -991,15 +1166,8 @@ win11cis_powershell_transcription_dir: Default
# Default: 4
win11cis_au_options: 4
# 18.10.93.4.2
# 18.10.92.4.2
# win11cis_defer_feature_updates_period_in_days is the policy setting determines when Preview Build or Feature Updates are received.
# Recommended setting: Enabled: 180 or more days
# Default: 180
win11cis_defer_feature_updates_period_in_days: 180
# Section 19 Variables
# 19.1.3.3
# win11cis_screen_saver_timeout is the setting that specifies how much user idle time must elapse before the screen saver is launched.
# The recommended state for this setting is: Enabled: 900 seconds or fewer, but not 0.
win11cis_screen_saver_timeout: 900
+7 -7
@@ -1,12 +1,12 @@
---
galaxy_info:
author: "Stephen Williams"
author: "MindPoint Group"
description: "Ansible Role to Apply The Windows 11 Enterprise CIS Benchmark"
company: "MindPoint Group"
license: MIT
role_name: windows_11_cis
namespace: mindpointgroup
min_ansible_version: 2.10.1
min_ansible_version: 2.14
galaxy_tags:
- system
@@ -19,9 +19,9 @@ galaxy_info:
- complianceascode
- compliance
collections:
- ansible.windows
- community.windows
- community.general
collections:
- ansible.windows
- community.windows
- community.general
dependencies: []
dependencies: []
+14 -14
@@ -1,12 +1,12 @@
---
- name: Display Banner
- name: "Main | Display Banner"
ansible.builtin.debug:
msg: "{{ lockdown_banner.split('\n') }}"
tags:
- always
- name: Gather distribution info
- name: "Main | Gather distribution info"
ansible.builtin.setup:
gather_subset: distribution,!all,!min
when:
@@ -14,7 +14,7 @@
tags:
- always
- name: Check OS Version & Family
- name: "Main | Check OS Version & Family"
ansible.builtin.assert:
that:
- ansible_os_family == 'Windows'
@@ -24,76 +24,76 @@
tags:
- always
- name: Check Ansible Version
- name: "Main | Check Ansible Version"
ansible.builtin.assert:
that: ansible_version.full is version_compare(win11cis_min_ansible_version, '>=')
msg: You must use Ansible {{ win11cis_min_ansible_version }} or greater.
tags:
- always
- name: Include The Preliminary Tasks
- name: "Main | Include The Preliminary Tasks"
ansible.builtin.include_tasks:
file: prelim.yml
tags:
- always
- prelim_tasks
- name: Include Section 1 Patches
- name: "Main | Include Section 1 Patches"
ansible.builtin.import_tasks:
file: section_1/main.yml
when: win11cis_section1
tags:
- section1
- name: Include Section 2 Patches
- name: "Main | Include Section 2 Patches"
ansible.builtin.import_tasks:
file: section_2/main.yml
when: win11cis_section2
tags:
- section2
- name: Include Section 5 Patches
- name: "Main | Include Section 5 Patches"
ansible.builtin.import_tasks:
file: section_5/main.yml
when: win11cis_section5
tags:
- section5
- name: Include Section 9 Patches
- name: "Main | Include Section 9 Patches"
ansible.builtin.import_tasks:
file: section_9/main.yml
when: win11cis_section9
tags:
- section9
- name: Include Section 17 Patches
- name: "Main | Include Section 17 Patches"
ansible.builtin.import_tasks:
file: section_17/main.yml
when: win11cis_section17
tags:
- section17
- name: Include Section 18 Patches
- name: "Main | Include Section 18 Patches"
ansible.builtin.import_tasks:
file: section_18/main.yml
when: win11cis_section18
tags:
- section18
- name: Include Section 19 Patches
- name: "Main | Include Section 19 Patches"
ansible.builtin.import_tasks:
file: section_19/main.yml
when: win11cis_section19
tags:
- section19
- name: Run Post Tasks
- name: "Main | Run Post Tasks"
ansible.builtin.import_tasks:
file: post.yml
tags:
- always
- name: If Warnings found Output count and control IDs affected
- name: "Main | If Warnings found Output count and control IDs affected"
ansible.builtin.debug:
msg:
- "You have {{ warn_count }} Warning(s) that require investigation(s). Their IDs are listed below:"
+28 -11
@@ -6,7 +6,7 @@
name: DisplayVersion
changed_when: false
failed_when: false
register: win11cis_displayversion
register: discovered_displayversion
tags:
- always
@@ -16,7 +16,7 @@
name: CurrentBuild
changed_when: false
failed_when: false
register: win11cis_currentbuild
register: discovered_currentbuild
tags:
- always
@@ -24,7 +24,7 @@
ansible.windows.win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
changed_when: false
failed_when: false
register: win11cis_tpm_enabled
register: discovered_tpm_enabled
tags:
- always
@@ -34,8 +34,9 @@
# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
- name: PRELIM | Set Fact If Cloud Based System.
ansible.builtin.set_fact:
win11cis_cloud_based_system: true
discovered_cloud_based_system: true
when:
- ansible_system_vendor == 'Microsoft Corporation'
- ansible_virtualization_type == 'Hyper-V' or
ansible_virtualization_type == 'hvm' or
ansible_virtualization_type == 'kvm'
@@ -46,19 +47,35 @@
ansible.windows.win_shell: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All | Select-Object -Property State | ft -hide
changed_when: false
failed_when: false
register: win11cis_hyper_v_installed
register: discovered_hyper_v_installed
tags:
- always
- name: PRELIM | Check For Windows Defender Application Guard Status
ansible.windows.win_shell: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All | Select-Object -Property State | ft -hide
changed_when: false
failed_when: false
register: discovered_wdag_enabled
- name: PRELIM | Get Windows installation type
ansible.windows.win_reg_stat:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
name: InstallationType
register: get_windows_installation_type
register: discovered_get_windows_installation_type
tags:
- always
- name: PRELIM | Set Windows installation type
ansible.builtin.set_fact:
win11cis_windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
discovered_windows_installation_type: "{{ discovered_get_windows_installation_type.value | default('') }}"
tags:
- always
- name: PRELIM | Set Fact If Domain Joined.
ansible.builtin.set_fact:
discovered_domain_joined: "{{ ansible_windows_domain_member }}"
when:
- ansible_windows_domain_member is defined
tags:
- always
@@ -73,11 +90,11 @@
ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
changed_when: false
failed_when: false
register: all_users
register: discovered_all_users
- name: PRELIM | Create Results List Fact For Username And SIDs
ansible.builtin.set_fact:
username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
username_and_sid_results_list: "{{ discovered_all_users.stdout_lines | map('split', ' ') | list }}"
- name: PRELIM | Load All User Hives From Username And SIDs List
ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
@@ -89,11 +106,11 @@
ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
changed_when: false
failed_when: false
register: current_users_loaded_hku
register: discovered_current_users_loaded_hku
- name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS.
ansible.builtin.set_fact:
hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
discovered_hku_loaded_list: "{{ discovered_current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
when: win11cis_section19
tags:
- always
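Review bot: The new "PRELIM | Check For Windows Defender Application Guard Status" task registers `discovered_wdag_enabled` but runs `Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All`, the identical command to the Hyper-V check directly above it, so the fact will report Hyper-V state rather than Application Guard state. The Application Guard optional feature is `Windows-Defender-ApplicationGuard`; the line should read `ansible.windows.win_shell: Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard | Select-Object -Property State | ft -hide`. That task is also the only one in this hunk without `tags:` / `- always`, so a tag-limited run skips it while any later task that reads the fact presumably still expects it to exist. While the registers are being renamed, `discovered_tpm_enabled` still captures `Win32_OperatingSystem.ProductType` (a workstation/server role number, not a TPM status); the mismatch predates this commit but a rename or a `# ProductType, not TPM state` comment would stop the next reader from trusting the name.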
+59 -80
@@ -2,58 +2,35 @@
- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords."
block:
- name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Check for more then 24 saved passwords warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of maximum passwords set in win11cis_max_passwords_saved, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_max_passwords_saved > 24 or
win11cis_max_passwords_saved <= 23
- name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.1'
when:
- win11cis_max_passwords_saved > 24 or
win11cis_max_passwords_saved <= 23
- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: PasswordHistorySize
value: "{{ win11cis_max_passwords_saved }}"
when: win11cis_max_passwords_saved == 24
when:
- win11cis_rule_1_1_1
- name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Check for more then 24 saved passwords warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of maximum passwords set in win11cis_max_passwords_saved, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_max_passwords_saved > 24 or win11cis_max_passwords_saved <= 23
- name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.1'
when: win11cis_max_passwords_saved > 24 or win11cis_max_passwords_saved <= 23
when: win11cis_rule_1_1_1
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.1.1
- name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0."
block:
- name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Warning check for maximum password age time."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid age set for win11cis_maximum_password_age, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_maximum_password_age > 365 or
win11cis_maximum_password_age == 0
- name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.2'
when:
- win11cis_maximum_password_age > 365 or
win11cis_maximum_password_age == 0
- name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set Variable."
community.windows.win_security_policy:
section: System Access
@@ -62,52 +39,65 @@
when:
- win11cis_maximum_password_age <= 365
- win11cis_maximum_password_age > 0
when:
- win11cis_rule_1_1_2
- name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Warning check for maximum password age time."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid age set for win11cis_maximum_password_age, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_maximum_password_age > 365 or win11cis_maximum_password_age == 0
- name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.2'
when: win11cis_maximum_password_age > 365 or win11cis_maximum_password_age == 0
when: win11cis_rule_1_1_2
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.1.2
- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days."
block:
- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: MinimumPasswordAge
value: "{{ win11cis_minimum_password_age }}"
when: win11cis_minimum_password_age <= 999 or win11cis_minimum_password_age > 0
- name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimim password age."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid age set for win11cis_minimum_password_age, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_minimum_password_age > 999 or
win11cis_minimum_password_age == 0
when: win11cis_minimum_password_age > 999 or win11cis_minimum_password_age == 0
- name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.3'
when:
- win11cis_minimum_password_age > 999 or
win11cis_minimum_password_age == 0
- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: MinimumPasswordAge
value: "{{ win11cis_minimum_password_age }}"
when:
- win11cis_minimum_password_age <= 999 or
win11cis_minimum_password_age > 0
when:
- win11cis_rule_1_1_3
when: win11cis_minimum_password_age > 999 or win11cis_minimum_password_age == 0
when: win11cis_rule_1_1_3
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.1.3
- name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters."
block:
- name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: MinimumPasswordLength
value: "{{ win11cis_minimum_password_length }}"
when: win11cis_minimum_password_length >= 14
- name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
@@ -121,19 +111,11 @@
vars:
warn_control_id: '1.1.4'
when: win11cis_minimum_password_length < 14
- name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: MinimumPasswordLength
value: "{{ win11cis_minimum_password_length }}"
when: win11cis_minimum_password_length >= 14
when:
- win11cis_rule_1_1_4
when: win11cis_rule_1_1_4
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.1.4
- name: "1.1.5 | PATCH | Ensure Password must meet complexity requirements is set to Enabled."
@@ -141,12 +123,11 @@
section: System Access
key: PasswordComplexity
value: 1
when:
- win11cis_rule_1_1_5
when: win11cis_rule_1_1_5
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.1.5
- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
@@ -155,23 +136,21 @@
name: RelaxMinimumPasswordLengthLimits
data: 1
type: dword
when:
- win11cis_rule_1_1_6
when: win11cis_rule_1_1_6
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.1.6
- name: "1.1.7 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled"
- name: "1.1.7 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled."
community.windows.win_security_policy:
section: System Access
key: ClearTextPassword
value: 0
when:
- win11cis_rule_1_1_7
when: win11cis_rule_1_1_7
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.1.7
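Review bot: In the 1.1.3 block the Set Variable task is gated on `when: win11cis_minimum_password_age <= 999 or win11cis_minimum_password_age > 0`, which holds for every integer (0 satisfies the first clause, 1000 the second), so an out-of-range value is written to MinimumPasswordAge and then also reported as a warning by the next two tasks. The guard is meant to be the complement of the warning condition `> 999 or == 0` and needs `and`: `when: win11cis_minimum_password_age <= 999 and win11cis_minimum_password_age > 0`. The defect predates this commit (the removed lines carry the same `or`), but the hunk rewrites that line, so this is the place to fix it. The 1.1.1, 1.1.2 and 1.1.4 blocks use either a single comparison or the list form of `when`, which Ansible ANDs, and are not affected.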
+47 -56
@@ -8,8 +8,7 @@
1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
ansible.builtin.import_tasks:
file: cis_1.2_cloud_lockout_order.yml
when:
- win11cis_cloud_based_system
when: discovered_cloud_based_system
tags:
- section01_cloud_lockout_order
@@ -18,24 +17,6 @@
# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0."
block:
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of attempts set for win11cis_bad_login_lockout_count. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.2'
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set Variable."
community.windows.win_security_policy:
section: System Access
@@ -44,35 +25,31 @@
when:
- win11cis_bad_login_lockout_count <= 5
- win11cis_bad_login_lockout_count > 0
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of attempts set for win11cis_bad_login_lockout_count. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_bad_login_lockout_count > 5 or win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.2'
when: win11cis_bad_login_lockout_count > 5 or win11cis_bad_login_lockout_count == 0
when:
- win11cis_rule_1_2_2
- not win11cis_cloud_based_system
- not discovered_cloud_based_system
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.2.2
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
block:
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_counter_reset. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.4'
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
community.windows.win_security_policy:
section: System Access
@@ -81,18 +58,39 @@
when:
- win11cis_account_lockout_counter_reset >= 15
- win11cis_account_lockout_counter_reset <= win11cis_account_lockout_duration
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_counter_reset. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.4'
when: win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or win11cis_account_lockout_counter_reset < 15
when:
- win11cis_rule_1_2_4
- not win11cis_cloud_based_system
- not discovered_cloud_based_system
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.2.4
# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes."
block:
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. | Set Variable"
community.windows.win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ win11cis_account_lockout_duration }}"
when: win11cis_account_lockout_duration >= 15
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
@@ -106,31 +104,24 @@
vars:
warn_control_id: '1.2.1'
when: win11cis_account_lockout_duration < 15
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. | Set Variable"
community.windows.win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ win11cis_account_lockout_duration }}"
when: win11cis_account_lockout_duration >= 15
when:
- win11cis_rule_1_2_1
- not win11cis_cloud_based_system
- not discovered_cloud_based_system
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.2.1
- name: "1.2.3 | AUDIT | Ensure Allow Administrator account lockout is set to Enabled."
- name: "1.2.3 | PATCH | Ensure Allow Administrator account lockout is set to Enabled."
community.windows.win_security_policy:
section: System Access
key: AllowAdministratorLockout
value: 1
when:
- win11cis_rule_1_2_3
when: win11cis_rule_1_2_3
tags:
- level1-corporate-enterprise-environment
- manual
- audit
- patch
- automated
- rule_1.2.3
- account_policies
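Review bot: `when: discovered_cloud_based_system` on the cloud lockout-order import, and `- not discovered_cloud_based_system` on the 1.2.2, 1.2.4 and 1.2.1 blocks, depend on a fact that prelim.yml sets only through a conditional `set_fact` (vendor is Microsoft and virtualization type is Hyper-V/hvm/kvm); on any other host the variable is undefined unless a default for the new name exists in defaults/main.yml, which is not visible in this commit. If the rename from `win11cis_cloud_based_system` was not mirrored there, every non-cloud host fails these tasks with an undefined-variable error rather than skipping the cloud path. Guarding the lookups makes the tasks independent of that default: `when: discovered_cloud_based_system | default(false)` on the import and `- not (discovered_cloud_based_system | default(false))` on the three blocks, or an unconditional `set_fact` of `false` ahead of the conditional one in prelim. The same consumers appear in cis_1.2_cloud_lockout_order.yml only through the import, so that file needs no change.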
+40 -50
@@ -2,24 +2,6 @@
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0."
block:
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of attempts set for win11cis_bad_login_lockout_count. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.2'
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set Variable."
community.windows.win_security_policy:
section: System Access
@@ -28,17 +10,37 @@
when:
- win11cis_bad_login_lockout_count <= 5
- win11cis_bad_login_lockout_count > 0
when:
- win11cis_rule_1_2_2
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of attempts set for win11cis_bad_login_lockout_count. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_bad_login_lockout_count > 5 or win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.2'
when: win11cis_bad_login_lockout_count > 5 or win11cis_bad_login_lockout_count == 0
when: win11cis_rule_1_2_2
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.2.2
# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes."
block:
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. | Set Variable"
community.windows.win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ win11cis_account_lockout_duration }}"
when: win11cis_account_lockout_duration >= 15
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
@@ -52,41 +54,15 @@
vars:
warn_control_id: '1.2.1'
when: win11cis_account_lockout_duration < 15
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. | Set Variable"
community.windows.win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ win11cis_account_lockout_duration }}"
when: win11cis_account_lockout_duration >= 15
when:
- win11cis_rule_1_2_1
when: win11cis_rule_1_2_1
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.2.1
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
block:
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_counter_reset. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.4'
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
community.windows.win_security_policy:
section: System Access
@@ -95,10 +71,24 @@
when:
- win11cis_account_lockout_counter_reset >= 15
- win11cis_account_lockout_counter_reset <= win11cis_account_lockout_duration
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_counter_reset. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.4'
when: win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or win11cis_account_lockout_counter_reset < 15
when:
- win11cis_rule_1_2_4
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- automated
- rule_1.2.4
+4 -4
@@ -4,12 +4,12 @@
ansible.builtin.import_tasks:
file: cis_1.1.x.yml
tags:
- password-policy
- password
- account_policies
- password_policy
- name: "SECTION | 1.2 | Account Lockout Policy"
ansible.builtin.import_tasks:
file: cis_1.2.x.yml
tags:
- account-policies
- account-lockout-policy
- account_policies
- account_lockout_policy
+7 -9
@@ -6,21 +6,19 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_1_1_audit
register: discovered_17_1_1_audit
- name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
when: "'Success' not in rule_17_1_1_audit.stdout"
when: "'Success' not in discovered_17_1_1_audit.stdout"
- name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
when: "'Failure' not in rule_17_1_1_audit.stdout"
when:
- win11cis_rule_17_1_1
when: "'Failure' not in discovered_17_1_1_audit.stdout"
when: win11cis_rule_17_1_1
tags:
- level1-corporate-enterprise-environment
- rule_17.1.1
- automated
- patch
- credential-validation
- automated
- rule_17.1.1
- credential_validation
+20 -26
@@ -6,24 +6,22 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_1_audit
register: discovered_17_2_1_audit
- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable
when: "'Success' not in rule_17_2_1_audit.stdout"
when: "'Success' not in discovered_17_2_1_audit.stdout"
- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable
when: "'Failure' not in rule_17_2_1_audit.stdout"
when:
- win11cis_rule_17_2_1
when: "'Failure' not in discovered_17_2_1_audit.stdout"
when: win11cis_rule_17_2_1
tags:
- level1-corporate-enterprise-environment
- rule_17.2.1
- automated
- patch
- application-group-management
- automated
- rule_17.2.1
- application_group_management
- name: "17.2.2 | PATCH | Ensure Audit Security Group Management is set to include Success"
block:
@@ -31,20 +29,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_2_audit
register: discovered_17_2_2_audit
- name: "17.2.2 | PATCH | Ensure Audit Security Group Management is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
when: "'Success' not in rule_17_2_2_audit.stdout"
when:
- win11cis_rule_17_2_2
when: "'Success' not in discovered_17_2_2_audit.stdout"
when: win11cis_rule_17_2_2
tags:
- level1-corporate-enterprise-environment
- rule_17.2.2
- automated
- patch
- security-group-management
- automated
- rule_17.2.2
- security_group_management
- name: "17.2.3 | PATCH | Ensure Audit User Account Management is set to Success and Failure"
block:
@@ -52,21 +48,19 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_3_audit
register: discovered_17_2_3_audit
- name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable
when: "'Success' not in rule_17_2_3_audit.stdout"
when: "'Success' not in discovered_17_2_3_audit.stdout"
- name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
when: "'Failure' not in rule_17_2_3_audit.stdout"
when:
- win11cis_rule_17_2_3
when: "'Failure' not in discovered_17_2_3_audit.stdout"
when: win11cis_rule_17_2_3
tags:
- level1-corporate-enterprise-environment
- rule_17.2.3
- automated
- patch
- user-account-management
- automated
- rule_17.2.3
- user_account_management
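Review bot: The two sub-tasks inside the 17.2.3 block are still named `17.2.6 | PATCH | Ensure Audit User Account Management ...` while the block name, the `discovered_17_2_3_audit` register, the `win11cis_rule_17_2_3` guard and the `rule_17.2.3` tag all say 17.2.3. Those name lines are unchanged context, so the mislabel predates this commit, but the commit already rewrites the register and when lines next to them and could fix it in passing: `- name: "17.2.3 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Success"` and the same for the Failure task. Task names are what shows up in play output and in any log shipped from the run, so a wrong control number makes the evidence for this audit setting harder to correlate with the benchmark.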
+12 -16
@@ -6,20 +6,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_3_1_audit
register: discovered_17_3_1_audit
- name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
when: "'Success' not in rule_17_3_1_audit.stdout"
when:
- win11cis_rule_17_3_1
when: "'Success' not in discovered_17_3_1_audit.stdout"
when: win11cis_rule_17_3_1
tags:
- level1-corporate-enterprise-environment
- rule_17.3.1
- automated
- patch
- pnp-activity
- automated
- rule_17.3.1
- pnp_activity
- name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success"
block:
@@ -27,17 +25,15 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_3_2_audit
register: diccovered_17_3_2_audit
- name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
when: "'Success' not in rule_17_3_2_audit.stdout"
when:
- win11cis_rule_17_3_2
when: "'Success' not in diccovered_17_3_2_audit.stdout"
when: win11cis_rule_17_3_2
tags:
- level1-corporate-enterprise-environment
- rule_17.3.2
- automated
- patch
- audit-process-creation
- automated
- rule_17.3.2
- audit_process_creation
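Review bot: The register introduced for the 17.3.2 lookup is misspelled, `register: diccovered_17_3_2_audit`, and the guard on the /set task repeats the typo, `when: "'Success' not in diccovered_17_3_2_audit.stdout"`; both should read `discovered_17_3_2_audit` to match every other `discovered_<rule>_audit` variable this commit introduces. The same slip appears in the 17.5.x file, where 17.5.3 registers `discovered_7_5_3_audit` (the leading 1 is missing) and references it the same way. Both pairs agree with themselves so the tasks still run today, but the next edit that reaches for the conventional name will hit an undefined variable in a `when` and fail the play rather than skip quietly.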
+38 -50
@@ -6,20 +6,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_1_audit
register: discovered_17_5_1_audit
- name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
when: "'Failure' not in rule_17_5_1_audit.stdout"
when:
- win11cis_rule_17_5_1
when: "'Failure' not in discovered_17_5_1_audit.stdout"
when: win11cis_rule_17_5_1
tags:
- level1-corporate-enterprise-environment
- rule_17.5.1
- automated
- patch
- audit-account-lockout
- automated
- rule_17.5.1
- audit_account_lockout
- name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success"
block:
@@ -27,20 +25,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_2_audit
register: discovered_17_5_2_audit
- name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
when: "'Success' not in rule_17_5_2_audit.stdout"
when:
- win11cis_rule_17_5_2
when: "'Success' not in discovered_17_5_2_audit.stdout"
when: win11cis_rule_17_5_2
tags:
- level1-corporate-enterprise-environment
- rule_17.5.2
- automated
- patch
- audit-group-membership
- automated
- rule_17.5.2
- audit_group_membership
- name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success"
block:
@@ -48,20 +44,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_3_audit
register: discovered_7_5_3_audit
- name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
when: "'Success' not in rule_17_5_3_audit.stdout"
when:
- win11cis_rule_17_5_3
when: "'Success' not in discovered_7_5_3_audit.stdout"
when: win11cis_rule_17_5_3
tags:
- level1-corporate-enterprise-environment
- rule_17.5.3
- automated
- patch
- audit-logoff
- automated
- rule_17.5.3
- audit_logoff
- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure"
block:
@@ -69,24 +63,22 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_4_audit
register: discovered_17_5_4_audit
- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /success:enable
when: "'Success' not in rule_17_5_4_audit.stdout"
when: "'Success' not in discovered_17_5_4_audit.stdout"
- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
when: "'Failure' not in rule_17_5_4_audit.stdout"
when:
- win11cis_rule_17_5_4
when: "'Failure' not in discovered_17_5_4_audit.stdout"
when: win11cis_rule_17_5_4
tags:
- level1-corporate-enterprise-environment
- rule_17.5.4
- automated
- patch
- audit-logon
- automated
- rule_17.5.4
- audit_logon
- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
block:
@@ -94,24 +86,22 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_5_audit
register: discovered_17_5_5_audit
- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
when: "'Success' not in rule_17_5_5_audit.stdout"
when: "'Success' not in discovered_17_5_5_audit.stdout"
- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
when: "'Failure' not in rule_17_5_5_audit.stdout"
when:
- win11cis_rule_17_5_5
when: "'Failure' not in discovered_17_5_5_audit.stdout"
when: win11cis_rule_17_5_5
tags:
- level1-corporate-enterprise-environment
- rule_17.5.5
- automated
- patch
- other-logon-logoff
- automated
- rule_17.5.5
- other_logon_logoff
- name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success"
block:
@@ -119,17 +109,15 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_6_audit
register: discovered_17_5_6_audit
- name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
when: "'Success' not in rule_17_5_6_audit.stdout"
when:
- win11cis_rule_17_5_6
when: "'Success' not in discovered_17_5_6_audit.stdout"
when: win11cis_rule_17_5_6
tags:
- level1-corporate-enterprise-environment
- rule_17.5.6
- automated
- patch
- audit-special-logon
- automated
- rule_17.5.6
- audit_special_logon
+27 -28
@@ -6,20 +6,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_6_1_audit
register: discovered_17_6_1_audit
- name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable
when: "'Failure' not in rule_17_6_1_audit.stdout"
when:
- win11cis_rule_17_6_1
when: "'Failure' not in discovered_17_6_1_audit.stdout"
when: win11cis_rule_17_6_1
tags:
- level1-corporate-enterprise-environment
- rule_17.6.1
- automated
- patch
- detailed-file-share
- automated
- rule_17.6.1
- detailed_file_share
- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure"
block:
@@ -27,31 +25,34 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_6_2_audit
register: discovered_17_6_2_audit
- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"File Share" /success:enable
when: "'Success' not in rule_17_6_2_audit.stdout"
when: "'Success' not in discovered_17_6_2_audit.stdout"
- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"File Share" /failure:enable
when: "'Failure' not in rule_17_6_2_audit.stdout"
when:
- win11cis_rule_17_6_2
when: "'Failure' not in discovered_17_6_2_audit.stdout"
when: win11cis_rule_17_6_2
tags:
- level1-corporate-enterprise-environment
- rule_17.6.2
- automated
- patch
- audit-file-share
- automated
- rule_17.6.2
- audit_file_share
- name: "17.6.3 | PATCH | Ensure Audit Other Object Access Events is set to Success and Failure"
community.windows.win_audit_policy_system:
subcategory: Other Object Access Events
audit_type: success, failure
when:
- win11cis_rule_17_6_3
when: win11cis_rule_17_6_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_17.6.3
- object_access
- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure"
block:
@@ -59,21 +60,19 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_6_4_audit
register: discovered_17_6_4_audit
- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
when: "'Success' not in rule_17_6_4_audit.stdout"
when: "'Success' not in discovered_17_6_4_audit.stdout"
- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable
when: "'Failure' not in rule_17_6_4_audit.stdout"
when:
- win11cis_rule_17_6_4
when: "'Failure' not in discovered_17_6_4_audit.stdout"
when: win11cis_rule_17_6_4
tags:
- level1-corporate-enterprise-environment
- rule_17.6.4
- automated
- patch
- audit-removable-storage
- automated
- rule_17.6.4
- audit_removable_storage
+32 -42
@@ -6,20 +6,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_1_audit
register: discovered_17_7_1_audit
- name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
when: "'Success' not in rule_17_7_1_audit.stdout"
when:
- win11cis_rule_17_7_1
when: "'Success' not in discovered_17_7_1_audit.stdout"
when: win11cis_rule_17_7_1
tags:
- level1-corporate-enterprise-environment
- rule_17.7.1
- automated
- patch
- audit-policy-change
- automated
- rule_17.7.1
- audit_policy_change
- name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success"
block:
@@ -27,20 +25,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_2_audit
register: discovered_17_7_2_audit
- name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
when: "'Success' not in rule_17_7_2_audit.stdout"
when:
- win11cis_rule_17_7_2
when: "'Success' not in discovered_17_7_2_audit.stdout"
when: win11cis_rule_17_7_2
tags:
- level1-corporate-enterprise-environment
- rule_17.7.2
- automated
- patch
- audit-authentication-policy-change
- automated
- rule_17.7.2
- audit_authentication_policy_change
- name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success"
block:
@@ -48,20 +44,18 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_3_audit
register: discovered_17_7_3_audit
- name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
when: "'Success' not in rule_17_7_3_audit.stdout"
when:
- win11cis_rule_17_7_3
when: "'Success' not in discovered_17_7_3_audit.stdout"
when: win11cis_rule_17_7_3
tags:
- level1-corporate-enterprise-environment
- rule_17.7.3
- automated
- patch
- audit-authorization-policy-change
- automated
- rule_17.7.3
- audit_authorization_policy_change
- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
block:
@@ -69,24 +63,22 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_4_audit
register: discovered_17_7_4_audit
- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable
when: "'Success' not in rule_17_7_4_audit.stdout"
when: "'Success' not in discovered_17_7_4_audit.stdout"
- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable
when: "'Failure' not in rule_17_7_4_audit.stdout"
when:
- win11cis_rule_17_7_4
when: "'Failure' not in discovered_17_7_4_audit.stdout"
when: win11cis_rule_17_7_4
tags:
- level1-corporate-enterprise-environment
- rule_17.7.4
- automated
- level1_corporate_enterprise_environment
- patch
- mpssvc-rule-level-policy
- automated
- rule_17.7.4
- mpssvc_rule_level_policy
- name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure"
block:
@@ -94,17 +86,15 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_5_audit
register: discovered_17_7_5_audit
- name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable
when: "'Failure' not in rule_17_7_5_audit.stdout"
when:
- win11cis_rule_17_7_5
when: "'Failure' not in discovered_17_7_5_audit.stdout"
when: win11cis_rule_17_7_5
tags:
- level1-corporate-enterprise-environment
- rule_17.7.5
- automated
- patch
- audit-other-policy-change
- automated
- rule_17.7.5
- audit_other_policy_change
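Review bot: In the 17.7.4 tags the level tag appears to have been renamed to `level1_corporate_enterprise_environment` while 17.7.1, 17.7.2, 17.7.3 and 17.7.5 in this same file keep `level1-corporate-enterprise-environment` as unchanged context; the +/- markers are lost on this page, so this is inferred from the kebab-case line sitting next to its snake_case twin only in that one rule. If that reading is right, a run limited with `--tags level1-corporate-enterprise-environment` silently skips the MPSSVC rule-level policy change audit setting while reporting the level-1 profile applied. Either restore `- level1-corporate-enterprise-environment` for 17.7.4 or rename the level tag everywhere in the same commit, since a tag that exists under two spellings cannot be selected reliably.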
+7 -9
@@ -6,21 +6,19 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_8_1_audit
register: discovered_17_8_1_audit
- name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
when: "'Success' not in rule_17_8_1_audit.stdout"
when: "'Success' not in discovered_17_8_1_audit.stdout"
- name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
when: "'Failure' not in rule_17_8_1_audit.stdout"
when:
- win11cis_rule_17_8_1
when: "'Failure' not in discovered_17_8_1_audit.stdout"
when: win11cis_rule_17_8_1
tags:
- level1-corporate-enterprise-environment
- rule_17.8.1
- automated
- patch
- audit-sensitive-privilege
- automated
- rule_17.8.1
- audit_sensitive_privilege
+49 -45
@@ -6,24 +6,26 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_1_audit
register: discovered_17_9_1_audit
- name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
when: "'Success' not in rule_17_9_1_audit.stdout"
changed_when: false
failed_when: false
when: "'Success' not in discovered_17_9_1_audit.stdout"
- name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
when: "'Failure' not in rule_17_9_1_audit.stdout"
when:
- win11cis_rule_17_9_1
changed_when: false
failed_when: false
when: "'Failure' not in discovered_17_9_1_audit.stdout"
when: win11cis_rule_17_9_1
tags:
- level1-corporate-enterprise-environment
- rule_17.9.1
- automated
- patch
- ipsec-driver
- automated
- rule_17.9.1
- ipsec_driver
- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure"
block:
@@ -31,24 +33,26 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_2_audit
register: discovered_17_9_2_audit
- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
when: "'Success' not in rule_17_9_2_audit.stdout"
changed_when: false
failed_when: false
when: "'Success' not in discovered_17_9_2_audit.stdout"
- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
when: "'Failure' not in rule_17_9_2_audit.stdout"
when:
- win11cis_rule_17_9_2
changed_when: false
failed_when: false
when: "'Failure' not in discovered_17_9_2_audit.stdout"
when: win11cis_rule_17_9_2
tags:
- level1-corporate-enterprise-environment
- rule_17.9.2
- automated
- patch
- other-system-events
- automated
- rule_17.9.2
- other_system_events
- name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success"
block:
@@ -56,20 +60,20 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_3_audit
register: discovered_17_9_3_audit
- name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
when: "'Success' not in rule_17_9_3_audit.stdout"
when:
- win11cis_rule_17_9_3
changed_when: false
failed_when: false
when: "'Success' not in discovered_17_9_3_audit.stdout"
when: win11cis_rule_17_9_3
tags:
- level1-corporate-enterprise-environment
- rule_17.9.3
- automated
- patch
- security-state-change
- automated
- rule_17.9.3
- security_state_change
- name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success"
block:
@@ -77,20 +81,20 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_4_audit
register: discovered_17_9_4_audit
- name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
when: "'Success' not in rule_17_9_4_audit.stdout"
when:
- win11cis_rule_17_9_4
changed_when: false
failed_when: false
when: "'Success' not in discovered_17_9_4_audit.stdout"
when: win11cis_rule_17_9_4
tags:
- level1-corporate-enterprise-environment
- rule_17.9.4
- automated
- patch
- security-system-extension
- automated
- rule_17.9.4
- security_system_extension
- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure"
block:
@@ -98,23 +102,23 @@
ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_5_audit
register: discovered_17_9_5_audit
- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
changed_when: "'Success' not in rule_17_9_5_audit.stdout"
when: "'Success' not in rule_17_9_5_audit.stdout"
changed_when: false
failed_when: false
when: "'Success' not in discovered_17_9_5_audit.stdout"
- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
when: "'Failure' not in rule_17_9_5_audit.stdout"
when:
- win11cis_rule_17_9_5
changed_when: false
failed_when: false
when: "'Failure' not in discovered_17_9_5_audit.stdout"
when: win11cis_rule_17_9_5
tags:
- level1-corporate-enterprise-environment
- rule_17.9.5
- automated
- patch
- system-integrity
- automated
- rule_17.9.5
- system_integrity
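Review bot: Every `AuditPol /set` task in 17.9.1 through 17.9.5 gains `changed_when: false` and `failed_when: false`, which turns a remediation step into one that can neither report a change nor fail; a non-zero exit from AuditPol (for example when the account lacks the privilege to change the audit policy) is swallowed and the play reports the system-integrity, IPsec-driver and security-state-change auditing as in place when it is not. The 17.9.5 tasks previously carried `changed_when: "'Success' not in rule_17_9_5_audit.stdout"`, which was at least truthful, and the 17.1.x through 17.8.x files in this commit add neither line, so 17.9.x is also the odd one out. Since each /set task is already guarded by `when: "'Success' not in discovered_17_9_N_audit.stdout"` (or the Failure equivalent) it only runs when a change is needed, so dropping both added lines from all nine tasks gives correct changed reporting and lets a failed audit-policy write surface as a task failure.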
+15 -15
@@ -4,54 +4,54 @@
ansible.builtin.import_tasks:
file: cis_17.1.x.yml
tags:
- advanced-audit-policy-configuration
- account-logon
- advanced_audit_policy_configuration
- account_logon
- name: "SECTION | 17.2 | Account Management"
ansible.builtin.import_tasks:
file: cis_17.2.x.yml
tags:
- advanced-audit-policy-configuration
- account-management
- advanced_audit_policy_configuration
- account_management
- name: "SECTION | 17.3 | Detail Tracking"
ansible.builtin.import_tasks:
file: cis_17.3.x.yml
tags:
- advanced-audit-policy-configuration
- detailed-tracking
- advanced_audit_policy_configuration
- detailed_tracking
- name: "SECTION | 17.5 | Logon/Logoff"
ansible.builtin.import_tasks:
file: cis_17.5.x.yml
tags:
- advanced-audit-policy-configuration
- logon-logoff
- advanced_audit_policy_configuration
- logon_logoff
- name: "SECTION | 17.6 | Object Access"
ansible.builtin.import_tasks:
file: cis_17.6.x.yml
tags:
- advanced-audit-policy-configuration
- object-access
- advanced_audit_policy_configuration
- object_access
- name: "SECTION | 17.7 | Policy Change"
ansible.builtin.import_tasks:
file: cis_17.7.x.yml
tags:
- advanced-audit-policy-configuration
- policy-access
- advanced_audit_policy_configuration
- policy_access
- name: "SECTION | 17.8 | Privilege Use"
ansible.builtin.import_tasks:
file: cis_17.8.x.yml
tags:
- advanced-audit-policy-configuration
- privilege-use
- advanced_audit_policy_configuration
- privilege_use
- name: "SECTION | 17.9 | System"
ansible.builtin.import_tasks:
file: cis_17.9.x.yml
tags:
- advanced-audit-policy-configuration
- advanced_audit_policy_configuration
- system
-4
@@ -4,10 +4,6 @@
ansible.builtin.import_tasks:
file: section_18.1/main.yml
- name: "SECTION | 18.3 | LAPS"
ansible.builtin.import_tasks:
file: section_18.3/main.yml
- name: "SECTION | 18.4 | MS Security Guide"
ansible.builtin.import_tasks:
file: section_18.4/main.yml
+8 -10
@@ -6,14 +6,13 @@
name: NoLockScreenCamera
data: 1
type: dword
when:
- win11cis_rule_18_1_1_1
when: win11cis_rule_18_1_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.1.1.1
- automated
- patch
- lock-screen-camera
- automated
- rule_18.1.1.1
- lock_screen_camera
- name: "18.1.1.2 | PATCH | Ensure Prevent enabling lock screen slide show is set to Enabled"
ansible.windows.win_regedit:
@@ -21,11 +20,10 @@
name: NoLockScreenSlideshow
data: 1
type: dword
when:
- win11cis_rule_18_1_1_2
when: win11cis_rule_18_1_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.1.1.2
- automated
- patch
- lock-screen-slideshow
- automated
- rule_18.1.1.2
- lock_screen_slideshow
@@ -6,12 +6,10 @@
name: AllowInputPersonalization
data: 0
type: dword
when:
- win11cis_rule_18_1_2_2
when: win11cis_rule_18_1_2_2
tags:
- level1-corporate-enterprise-environment
- rule_18.1.2.2
- automated
- patch
- administrative-templates-computer
- speech-recognition
- automated
- rule_18.1.2.2
- speech_recognition
@@ -6,11 +6,10 @@
name: AllowOnlineTips
data: 0
type: dword
when:
- win11cis_rule_18_1_3
when: win11cis_rule_18_1_3
tags:
- level2-high-security-sensitive-data-environment
- rule_18.1.3
- automated
- patch
- online-tips
- automated
- rule_18.1.3
- online_tips
+8 -8
@@ -4,22 +4,22 @@
ansible.builtin.import_tasks:
file: cis_18.1.1.x.yml
tags:
- administrative-templates-computer
- control-panel
- administrative_templates_computer
- control_panel
- personalization
- name: "SECTION | 18.1.2 | Regional And Language Options"
ansible.builtin.import_tasks:
file: cis_18.1.2.x.yml
tags:
- administrative-templates-computer
- control-panel
- regional-and-language-options
- administrative_templates_computer
- control_panel
- regional_and_language_options
- handwriting_personalization
- name: "SECTION | 18.1.3 | Online Tips"
ansible.builtin.import_tasks:
file: cis_18.1.3.x.yml
tags:
- administrative-templates-computer
- control-panel
- regional-and-language-options
- administrative_templates_computer
- control_panel
@@ -6,10 +6,10 @@
name: AllowCamera
data: 0
type: dword
when:
- win11cis_rule_18_10_10_1
when: win11cis_rule_18_10_10_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.10.1
- automated
- patch
- automated
- rule_18.10.10.1
- camera
@@ -6,13 +6,12 @@
name: DisableConsumerAccountStateContent
data: 1
type: dword
when:
- win11cis_rule_18_10_12_1
when: win11cis_rule_18_10_12_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.12.1
- automated
- patch
- automated
- rule_18.10.12.1
- name: "18.10.12.2 | PATCH | Ensure 'Turn off cloud optimized content' is set to 'Enabled'"
ansible.windows.win_regedit:
@@ -20,13 +19,12 @@
name: DisableCloudOptimizedContent
data: 1
type: dword
when:
- win11cis_rule_18_10_12_2
when: win11cis_rule_18_10_12_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.12.2
- automated
- patch
- automated
- rule_18.10.12.2
- name: "18.10.12.3 | PATCH | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
ansible.windows.win_regedit:
@@ -34,10 +32,9 @@
name: DisableWindowsConsumerFeatures
data: 1
type: dword
when:
- win11cis_rule_18_10_12_3
when: win11cis_rule_18_10_12_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.12.3
- automated
- patch
- automated
- rule_18.10.12.3
@@ -2,6 +2,14 @@
- name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
block:
- name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
name: RequirePinForPairing
data: "{{ win11cis_require_pin_for_pairing }}"
type: dword
when: win11cis_require_pin_for_pairing == 1 or win11cis_require_pin_for_pairing == 2
- name: "18.10.13.1 | AUDIT | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
@@ -19,20 +27,10 @@
when:
- win11cis_require_pin_for_pairing != 1
- win11cis_require_pin_for_pairing != 2
- name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
name: RequirePinForPairing
data: "{{ win11cis_require_pin_for_pairing }}"
type: dword
when:
- win11cis_require_pin_for_pairing == 1 or win11cis_require_pin_for_pairing == 2
when:
- win11cis_rule_18_10_13_1
when: win11cis_rule_18_10_13_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.13.1
- automated
- patch
- automated
- rule_18.10.13.1
- pin
@@ -6,13 +6,12 @@
name: DisablePasswordReveal
data: 1
type: dword
when:
- win11cis_rule_18_10_14_1
when: win11cis_rule_18_10_14_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.14.1
- automated
- patch
- automated
- rule_18.10.14.1
- gui
- name: "18.10.14.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled"
@@ -21,13 +20,12 @@
name: EnumerateAdministrators
data: 0
type: dword
when:
- win11cis_rule_18_10_14_2
when: win11cis_rule_18_10_14_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.14.2
- automated
- patch
- automated
- rule_18.10.14.2
- accounts
- name: "18.10.14.3 | PATCH | Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'"
@@ -36,11 +34,10 @@
name: NoLocalPasswordResetQuestions
data: 1
type: dword
when:
- win11cis_rule_18_10_14_3
when: win11cis_rule_18_10_14_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.14.3
- automated
- patch
- automated
- rule_18.10.14.3
- accounts
@@ -2,6 +2,14 @@
- name: "18.10.15.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data"
block:
- name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: AllowTelemetry
data: "{{ win11cis_allow_telemetry }}"
type: dword
when: win11cis_allow_telemetry == 0 or win11cis_allow_telemetry == 1
- name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
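Review bot: The first subtask of the 18.10.15.1 block is labelled `AUDIT | ... | Set Variable.` but it is an `ansible.windows.win_regedit` write, so under this repo's naming convention it is a PATCH step (the equivalent `18.10.13.1 | PATCH | ... | Set Variable.` subtask earlier in the commit gets this right). Operators reading play output or filtering task names on AUDIT expect read-only steps, so rename it to `- name: "18.10.15.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Set Variable."`. The mislabel predates this commit, but the commit relocates the line and is the natural place to fix it. The block's remaining subtasks and its outer `when`/`tags` continue in the following hunk.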
@@ -19,22 +27,12 @@
when:
- win11cis_allow_telemetry != 0
- win11cis_allow_telemetry != 1
- name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: AllowTelemetry
data: "{{ win11cis_allow_telemetry }}"
type: dword
when:
- win11cis_allow_telemetry == 0 or win11cis_allow_telemetry == 1
when:
- win11cis_rule_18_10_15_1
when: win11cis_rule_18_10_15_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.1
- automated
- patch
- automated
- rule_18.10.15.1
- diagnostics
- name: "18.10.15.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
@@ -43,13 +41,12 @@
name: DisableEnterpriseAuthProxy
data: 1
type: dword
when:
- win11cis_rule_18_10_15_2
when: win11cis_rule_18_10_15_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.15.2
- automated
- patch
- automated
- rule_18.10.15.2
- proxy
- name: "18.10.15.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled"
@@ -58,14 +55,13 @@
name: DisableOneSettingsDownloads
data: 1
type: dword
when:
- win11cis_rule_18_10_15_3
when: win11cis_rule_18_10_15_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.3
- automated
- patch
- one-settings
- automated
- rule_18.10.15.3
- one_settings
- name: "18.10.15.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled"
ansible.windows.win_regedit:
@@ -73,13 +69,12 @@
name: DoNotShowFeedbackNotifications
data: 1
type: dword
when:
- win11cis_rule_18_10_15_4
when: win11cis_rule_18_10_15_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.4
- automated
- patch
- automated
- rule_18.10.15.4
- notifications
- name: "18.10.15.5 | PATCH | Ensure Enable OneSettings Auditing' is set to Enabled"
@@ -88,14 +83,13 @@
name: EnableOneSettingsAuditing
data: 1
type: dword
when:
- win11cis_rule_18_10_15_5
when: win11cis_rule_18_10_15_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.5
- automated
- patch
- one-settings
- automated
- rule_18.10.15.5
- one_settings
- name: "18.10.15.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled"
ansible.windows.win_regedit:
@@ -103,13 +97,12 @@
name: LimitDiagnosticLogCollection
data: 1
type: dword
when:
- win11cis_rule_18_10_15_6
when: win11cis_rule_18_10_15_6
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.6
- automated
- patch
- automated
- rule_18.10.15.6
- logs
- name: "18.10.15.7 | PATCH | Ensure Limit Dump Collection is set to Enabled"
@@ -118,14 +111,13 @@
name: LimitDumpCollection
data: 1
type: dword
when:
- win11cis_rule_18_10_15_7
when: win11cis_rule_18_10_15_7
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.7
- automated
- patch
- dump-collection
- automated
- rule_18.10.15.7
- dump_collection
- name: "18.10.15.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled"
ansible.windows.win_regedit:
@@ -133,11 +125,10 @@
name: AllowBuildPreview
data: 0
type: dword
when:
- win11cis_rule_18_10_15_8
when: win11cis_rule_18_10_15_8
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.8
- automated
- patch
- automated
- rule_18.10.15.8
- builds
@@ -2,20 +2,6 @@
- name: "18.10.16.1 | PATCH | Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
block:
- name: "18.10.16.1 | AUDIT | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Warning Check For Bad Variable "
ansible.builtin.debug:
msg:
- "Warning!! You have an incorrect variable set for win11cis_do_download_mode. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_do_download_mode > 2 and win11cis_do_download_mode != 99 and win11cis_do_download_mode != 100
- name: "18.10.16.1 | AUDIT | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.16.1'
when: win11cis_do_download_mode > 2 and win11cis_do_download_mode != 99 and win11cis_do_download_mode != 100
- name: "18.10.16.1 | PATCH | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
@@ -23,10 +9,30 @@
data: "{{ win11cis_do_download_mode }}"
datatype: dword
when: win11cis_do_download_mode <= 2 or win11cis_do_download_mode == 99 or win11cis_do_download_mode == 100
when:
- win11cis_rule_18_10_16_1
- name: "18.10.16.1 | AUDIT | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Warning Check For Bad Variable "
ansible.builtin.debug:
msg:
- "Warning!! You have an incorrect variable set for win11cis_do_download_mode. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_do_download_mode > 2
- win11cis_do_download_mode != 99
- win11cis_do_download_mode != 100
- name: "18.10.16.1 | AUDIT | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.16.1'
when:
- win11cis_do_download_mode > 2
- win11cis_do_download_mode != 99
- win11cis_do_download_mode != 100
when: win11cis_rule_18_10_16_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.16.1
- automated
- patch
- automated
- rule_18.10.16.1
- download_mode
@@ -6,13 +6,12 @@
name: EnableAppInstaller
data: 0
type: dword
when:
- win11cis_rule_18_10_17_1
when: win11cis_rule_18_10_17_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.1
- automated
- patch
- automated
- rule_18.10.17.1
- name: "18.10.17.2 | PATCH | Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'"
ansible.windows.win_regedit:
@@ -20,13 +19,12 @@
name: EnableExperimentalFeatures
data: 0
type: dword
when:
- win11cis_rule_18_10_17_2
when: win11cis_rule_18_10_17_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.2
- automated
- patch
- automated
- rule_18.10.17.2
- experimental
- name: "18.10.17.3 | PATCH | Ensure 'Enable App Installer Hash Override' is set to 'Disabled'"
@@ -35,13 +33,12 @@
name: EnableHashOverride
data: 0
type: dword
when:
- win11cis_rule_18_10_17_3
when: win11cis_rule_18_10_17_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.3
- automated
- patch
- automated
- rule_18.10.17.3
- hash
- name: "18.10.17.4 | PATCH | Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'"
@@ -50,11 +47,10 @@
name: EnableMSAppInstallerProtocol
data: 0
type: dword
when:
- win11cis_rule_18_10_17_4
when: win11cis_rule_18_10_17_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.4
- automated
- patch
- automated
- rule_18.10.17.4
- hash
@@ -1,197 +0,0 @@
---
- name: "18.10.26.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.1.1
- automated
- patch
- application
- logs
- name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater"
block:
- name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_application_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_application_max_log_file_size < 32768
- name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.26.1.2'
when: win11cis_application_max_log_file_size < 32768
- name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Set File Size."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
name: MaxSize
data: "{{ win11cis_application_max_log_file_size }}"
type: dword
when: win11cis_application_max_log_file_size >= 32768
when:
- win11cis_rule_18_10_26_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.1.2
- automated
- patch
- application
- application-log-size
- name: "18.10.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.2.1
- automated
- patch
- security
- logs
- name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater"
block:
- name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_security_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_security_max_log_file_size < 196608
- name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.9.27.2.2'
when: win11cis_security_max_log_file_size < 196608
- name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
name: MaxSize
data: "{{ win11cis_security_max_log_file_size }}"
type: dword
when: win11cis_security_max_log_file_size >= 196608
when:
- win11cis_rule_18_10_26_2_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.2.2
- automated
- patch
- security
- security-log-size
- name: "18.10.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.3.1
- automated
- patch
- setup
- logs
- name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater"
block:
- name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_setup_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_setup_max_log_file_size < 32768
- name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.26.3.2'
when: win11cis_setup_max_log_file_size < 32768
- name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
name: MaxSize
data: "{{ win11cis_setup_max_log_file_size }}"
type: dword
when: win11cis_setup_max_log_file_size >= 32768
when:
- win11cis_rule_18_10_26_3_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.3.2
- automated
- patch
- setup
- setup-log-size
- name: "18.10.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.4.1
- automated
- patch
- system
- logs
- name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater"
block:
- name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_system_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_system_max_log_file_size < 32768
- name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.26.4.2'
when: win11cis_system_max_log_file_size < 32768
- name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
name: MaxSize
data: "{{ win11cis_system_max_log_file_size }}"
type: dword
when: win11cis_system_max_log_file_size >= 32768
when:
- win11cis_rule_18_10_26_4_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.4.2
- automated
- patch
- system
- system-log-size
@@ -1,60 +0,0 @@
---
- name: "18.10.29.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
name: NoDataExecutionPrevention
data: 0
type: dword
when:
- win11cis_rule_18_10_29_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.29.2
- automated
- patch
- data-execution-prevention
- name: "18.10.29.3 | PATCH | Ensure 'Turn off files from Office.com in Quick access view' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
name: DisableGraphRecentItems
data: 1
type: dword
when:
- win11cis_rule_18_10_29_3
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.29.3
- automated
- patch
- name: "18.10.29.4 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
name: NoHeapTerminationOnCorruption
data: 0
type: dword
when:
- win11cis_rule_18_10_29_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.29.4
- automated
- patch
- heap-termination
- name: "18.10.29.5 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
name: PreXPSP2ShellProtocolBehavior
data: 0
type: dword
when:
- win11cis_rule_18_10_29_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.29.5
- automated
- patch
- shell
@@ -6,13 +6,12 @@
name: AllowSharedLocalAppData
data: 0
type: dword
when:
- win11cis_rule_18_10_3_1
when: win11cis_rule_18_10_3_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.3.1
- automated
- patch
- automated
- rule_18.10.3.1
- name: "18.10.3.2 | PATCH | Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'"
ansible.windows.win_regedit:
@@ -20,10 +19,9 @@
name: BlockNonAdminUserInstall
data: 1
type: dword
when:
- win11cis_rule_18_10_3_2
when: win11cis_rule_18_10_3_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.3.2
- automated
- patch
- automated
- rule_18.10.3.2
@@ -1,17 +0,0 @@
---
- name: "18.10.33.1 | PATCH | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\HomeGroup
name: DisableHomeGroup
data: 1
type: dword
when:
- win11cis_rule_18_10_33_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.33.1
- automated
- patch
- administrative-templates-computer
- windows-components
@@ -1,16 +0,0 @@
---
- name: "18.10.37.2 | PATCH | Ensure Turn off location is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
name: DisableLocation
data: 1
type: dword
when:
- win11cis_rule_18_10_37_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.37.2
- automated
- patch
- location
@@ -6,11 +6,10 @@
name: LetAppsActivateWithVoiceAboveLock
data: 1
type: dword
when:
- win11cis_rule_18_10_4_1
when: win11cis_rule_18_10_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.4.1
- automated
- patch
- automated
- rule_18.10.4.1
- voice
@@ -1,15 +1,15 @@
---
- name: "18.10.41.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled"
- name: "18.10.41.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
name: AllowMessageSync
data: 0
path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
name: DisableUserAuth
data: 1
type: dword
when:
- win11cis_rule_18_10_41_1
when: win11cis_rule_18_10_41_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.41.1
- automated
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.41.1
- account
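Review bot: The old Messaging task (`AllowMessageSync`, formerly numbered 18.10.41.1) is overwritten in place by the Microsoft account `DisableUserAuth` task rather than moved, and nothing in this chunk re-adds it. If the benchmark revision dropped the Messaging control that is fine, but a one-line changelog entry naming the removed control would help operators who tracked the old `rule_18.10.41.1` tag, since that tag now selects a different setting. The level tag also flips from `level2-…` to `level1-…`; that is consistent with the Microsoft account control being L1 in the old 18.10.42.1 task, so it looks intended.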
@@ -1,16 +1,249 @@
---
- name: "18.10.42.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled"
- name: "18.10.42.5.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
name: DisableUserAuth
data: 1
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
name: LocalSettingOverrideSpynetReporting
data: 0
type: dword
when:
- win11cis_rule_18_10_42_1
when: win11cis_rule_18_10_42_5_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.42.1
- automated
- patch
- account
- automated
- rule_18.10.42.5.1
- maps
- name: "18.10.42.5.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
name: SpynetReporting
data: 0
type: dword
when: win11cis_rule_18_10_42_5_2
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.42.5.2
- maps
- name: "18.10.42.6.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
name: ExploitGuard_ASR_Rules
data: 1
type: dword
when: win11cis_rule_18_10_42_6_1_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.6.1.1
- microsoft_defender_exploit_guard
- attack_surface_reduction
- defender
- name: "18.10.42.6.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
name: "{{ item }}"
data: 1
type: string
loop:
- 26190899-1602-49e8-8b27-eb1d0a1ce869
- 3b576869-a4ec-4529-8536-b80a7769e899
- 56a863a9-875e-4185-98a7-b882c64b5ce5
- 5beb7efe-fd9a-4556-801d-275e5ffc04cc
- 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
- 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
- 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
- 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
- b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
- be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
- d3e037e1-3eb8-44c8-a917-57927947596d
- d4f940ab-401b-4efc-aadc-ad5f3c50688a
- e6db77e5-3df2-4cf1-b95a-636979351e5b
when: win11cis_rule_18_10_42_6_1_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.6.1.2
- microsoft_defender_exploit_guard
- attack_surface_reduction
- defender
- name: "18.10.42.6.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
name: EnableNetworkProtection
data: 1
type: dword
when: win11cis_rule_18_10_42_6_3_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.6.3.1
- microsoft_defender_exploit_guard
- network_protection
- name: "18.10.42.7.1 | PATCH | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
name: EnableFileHashComputation
data: 1
type: dword
when: win11cis_rule_18_10_42_7_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.7.1
- mpengine
- hash
- name: "18.10.42.10.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableIOAVProtection
data: 0
type: dword
when: win11cis_rule_18_10_42_10_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.10.1
- real_time_protection
- downloads
- name: "18.10.42.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableRealtimeMonitoring
data: 0
datatype: dword
when: win11cis_rule_18_10_42_10_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.10.2
- real_time_protection
- name: "18.10.42.10.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableBehaviorMonitoring
data: 0
type: dword
when: win11cis_rule_18_10_42_10_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.10.3
- real_time_protection
- behavior_monitoring
- name: "18.10.42.10.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableScriptScanning
data: 0
type: dword
when: win11cis_rule_18_10_42_10_4
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.10.4
- real_time_protection
- script_scanning
- name: "18.10.42.12.1 | PATCH | Ensure Configure Watson events is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
name: DisableGenericRePorts
data: 1
type: dword
when: win11cis_rule_18_10_42_12_1
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.42.12.1
- reporting
- watson
- name: "18.10.42.13.1 | PATCH | Ensure 'Scan packed executables' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
name: DisablePackedExeScanning
data: 0
type: dword
when: win11cis_rule_18_10_42_13_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.13.1
- scan
- name: "18.10.42.13.2 | PATCH | Ensure Scan removable drives is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
name: DisableRemovableDriveScanning
data: 0
type: dword
when: win11cis_rule_18_10_42_13_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.13.2
- scan
- name: "18.10.42.13.3 | PATCH | Ensure Turn on e-mail scanning is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
name: DisableEmailScanning
data: 0
type: dword
when: win11cis_rule_18_10_42_13_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.13.3
- email_scanning
- name: "18.10.42.16 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender
name: PUAProtection
data: 1
type: dword
when: win11cis_rule_18_10_42_16
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.16
- defender
- name: "18.10.42.17 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender
name: DisableAntiSpyware
data: 0
type: dword
when: win11cis_rule_18_10_42_17
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.42.17
- defender
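Review bot: The new 18.10.42.7.1 task carries `(L2)` in its name but is tagged `level1-corporate-enterprise-environment`, so a run limited to the level1 tag applies a control the name says is level 2, or the name is wrong. One of the two should change, most likely the tag to `- level2-high-security-sensitive-data-environment`, since every other task in this file keeps the name and the level tag in agreement. Separately, the new 18.10.42.10.2 task uses `datatype: dword` while the rest of the file uses `type: dword`; `datatype` is, as far as I know, accepted as an alias of `type`, but writing `type: dword` keeps the file uniform and avoids relying on the alias.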
+35 -206
@@ -1,253 +1,82 @@
---
- name: "18.10.43.5.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
- name: "18.10.43.1 | PATCH | Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
name: LocalSettingOverrideSpynetReporting
data: 0
type: dword
when:
- win11cis_rule_18_10_43_5_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.5.1
- automated
- patch
- maps
- name: "18.10.43.5.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
name: SpynetReporting
data: 0
type: dword
when:
- win11cis_rule_18_10_43_5_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.43.5.2
- automated
- patch
- maps
- name: "18.10.43.6.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
name: ExploitGuard_ASR_Rules
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AuditApplicationGuard
data: 1
type: dword
when:
- win11cis_rule_18_10_43_6_1_1
when: win11cis_rule_18_10_43_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.6.1.1
- automated
- patch
- microsoft-defender-exploit-guard
- attack-surface-reduction
- defender
- name: "18.10.43.6.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
name: "{{ item }}"
data: 1
type: string
loop:
- 26190899-1602-49e8-8b27-eb1d0a1ce869
- 3b576869-a4ec-4529-8536-b80a7769e899
- 56a863a9-875e-4185-98a7-b882c64b5ce5
- 5beb7efe-fd9a-4556-801d-275e5ffc04cc
- 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
- 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
- 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
- 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
- b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
- be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
- d3e037e1-3eb8-44c8-a917-57927947596d
- d4f940ab-401b-4efc-aadc-ad5f3c50688a
- e6db77e5-3df2-4cf1-b95a-636979351e5b
when:
- win11cis_rule_18_10_43_6_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.6.1.2
- automated
- patch
- microsoft-defender-exploit-guard
- attack-surface-reduction
- defender
- rule_18.10.43.1
- auditing
- name: "18.10.43.6.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
- name: "18.10.43.2 | PATCH | Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
name: EnableNetworkProtection
data: 1
type: dword
when:
- win11cis_rule_18_10_43_6_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.6.3.1
- automated
- patch
- administrative-templates-computer
- windows-components
- microsoft-defender-antivirus
- microsoft-defender-exploit-guard
- network-protection
- name: "18.10.43.7.1 | PATCH | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
name: EnableFileHashComputation
data: 1
type: dword
when:
- win11cis_rule_18_10_43_7_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.43.7.1
- automated
- patch
- mpengine
- hash
- name: "18.10.43.10.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableIOAVProtection
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowCameraMicrophoneRedirection
data: 0
type: dword
when:
- win11cis_rule_18_10_43_10_1
when: win11cis_rule_18_10_43_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.1
- automated
- patch
- real-time-protection
- downloads
- name: "18.10.43.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableRealtimeMonitoring
data: 1
datatype: dword
when:
- win11cis_rule_18_10_43_10_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.2
- automated
- patch
- real-time-protection
- rule_18.10.43.2
- camera
- name: "18.10.43.10.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled"
- name: "18.10.43.3 | PATCH | Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableBehaviorMonitoring
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowPersistence
data: 0
type: dword
when:
- win11cis_rule_18_10_43_10_3
when: win11cis_rule_18_10_43_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.3
- automated
- patch
- real-time-protection
- behavior-monitoring
- automated
- rule_18.10.43.3
- data_persistence
- name: "18.10.43.10.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'"
- name: "18.10.43.4 | PATCH | Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableScriptScanning
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: SaveFilesToHost
data: 0
type: dword
when:
- win11cis_rule_18_10_43_10_4
when: win11cis_rule_18_10_43_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.4
- automated
- patch
- real-time-protection
- script-scanning
- automated
- rule_18.10.43.4
- name: "18.10.43.12.1 | PATCH | Ensure Configure Watson events is set to Disabled"
- name: "18.10.43.5 | PATCH | Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
name: DisableGenericRePorts
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AppHVSIClipboardSettings
data: 1
type: dword
when:
- win11cis_rule_18_10_43_12_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.43.12.1
- automated
- patch
- reporting
- watson
- name: "18.10.43.13.1 | PATCH | Ensure Scan removable drives is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
name: DisableRemovableDriveScanning
data: 0
type: dword
when:
- win11cis_rule_18_10_43_13_1
when: win11cis_rule_18_10_43_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.13.1
- automated
- patch
- scan
- name: "18.10.43.13.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
name: DisableEmailScanning
data: 0
type: dword
when:
- win11cis_rule_18_10_43_13_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.13.2
- automated
- patch
- email-scanning
- rule_18.10.43.5
- name: "18.10.43.16 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block"
- name: "18.10.43.6 | PATCH | Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender
name: PUAProtection
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowAppHVSI_ProviderSet
data: 1
type: dword
when:
- win11cis_rule_18_10_43_16
when: win11cis_rule_18_10_43_6
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.16
- automated
- patch
- defender
- name: "18.10.43.17 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender
name: DisableAntiSpyware
data: 0
type: dword
when:
- win11cis_rule_18_10_43_17
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.17
- automated
- patch
- defender
- rule_18.10.43.6
@@ -1,88 +0,0 @@
---
- name: "18.10.44.1 | PATCH | Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AuditApplicationGuard
data: 1
type: dword
when:
- win11cis_rule_18_10_44_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.1
- automated
- patch
- auditing
- name: "18.10.44.2 | PATCH | Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowCameraMicrophoneRedirection
data: 0
type: dword
when:
- win11cis_rule_18_10_44_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.2
- automated
- patch
- camera
- name: "18.10.44.3 | PATCH | Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowPersistence
data: 0
type: dword
when:
- win11cis_rule_18_10_44_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.3
- automated
- patch
- data-persistence
- name: "18.10.44.4 | PATCH | Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: SaveFilesToHost
data: 0
type: dword
when:
- win11cis_rule_18_10_44_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.4
- automated
- patch
- name: "18.10.44.5 | PATCH | Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AppHVSIClipboardSettings
data: 1
type: dword
when:
- win11cis_rule_18_10_44_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.5
- automated
- patch
- name: "18.10.44.6 | PATCH | Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowAppHVSI_ProviderSet
data: 1
type: dword
when:
- win11cis_rule_18_10_44_6
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.6
- automated
- patch
@@ -6,25 +6,23 @@
name: MSAOptional
data: 1
type: dword
when:
- win11cis_rule_18_10_5_1
when: win11cis_rule_18_10_5_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.5.1
- automated
- patch
- automated
- rule_18.10.5.1
- name: "18.10.5.2 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled"
- name: "18.10.5.2 | PATCH | Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
name: BlockHostedAppAccessWinRT
data: 1
type: dword
when:
- win11cis_rule_18_10_5_2
when: win11cis_rule_18_10_5_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.5.2
- automated
- patch
- automated
- rule_18.10.5.2
- api
@@ -1,15 +1,14 @@
---
- name: "18.10.50.1 | PATCH | Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'"
- name: "18.10.50.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds
name: EnableFeeds
data: 0
path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
name: DisableFileSyncNGSC
data: 1
type: dword
when:
- win11cis_rule_18_10_50_1
when: win11cis_rule_18_10_50_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.50.1
- automated
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.50.1
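Review bot: The 'Enable news and interests on the taskbar' remediation (`EnableFeeds: 0` under `...\Windows\Windows Feeds`) disappears from this file rather than being renumbered, and nothing in this hunk shows it landing elsewhere; if the v3 benchmark retired that control this is fine, but if it survives under a new ID it now has no task. Worth confirming against the benchmark index and recording the removal in the changelog either way. The level tag moving from level2 to level1 is consistent with the OneDrive control that takes over this number.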
@@ -1,15 +0,0 @@
---
- name: "18.10.51.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
name: DisableFileSyncNGSC
data: 1
type: dword
when:
- win11cis_rule_18_10_51_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.51.1
- automated
- patch
@@ -1,15 +1,291 @@
---
- name: "18.10.56.1 | PATCH | (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'"
- name: "18.10.56.2.2 | PATCH | Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall
name: DisablePushToInstall
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
name: DisableCloudClipboardIntegration
data: 1
type: dword
when: win11cis_rule_18_10_56_2_2
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.2.2
- remote_desktop_connection_client
- name: "18.10.56.2.3 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: DisablePasswordSaving
data: 1
type: dword
when: win11cis_rule_18_10_56_2_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.2.3
- remote_desktop_connection_client
- name: "18.10.56.3.2.1 | PATCH | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDenyTSConnections
data: 1
type: dword
when:
- win11cis_rule_18_10_56_1
- win11cis_rule_18_10_56_3_2_1
- not win_skip_for_test
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.56.1
- automated
- patch
- automated
- rule_18.10.56.3.2.1
- remote_desktop_session_host
- connections
- rdp
- name: "18.10.56.3.3.1 | PATCH | Ensure 'Allow UI Automation redirection' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: EnableUiaRedirection
data: 0
type: dword
when: win11cis_rule_18_10_56_3_3_1
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.3.1
- remote_desktop_session_host
- device_and_resource_redirection
- name: "18.10.56.3.3.2 | PATCH | Ensure Do not allow COM port redirection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableCcm
data: 1
type: dword
when: win11cis_rule_18_10_56_3_3_2
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.3.2
- remote_desktop_session_host
- device_and_resource_redirection
- name: "18.10.56.3.3.3 | PATCH | Ensure Do not allow drive redirection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableCdm
data: 1
type: dword
when: win11cis_rule_18_10_56_3_3_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.3.3.3
- remote_desktop_session_host
- device_and_resource_redirection
- name: "18.10.56.3.3.4 | PATCH | Ensure 'Do not allow location redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableLocationRedir
data: 1
type: dword
when: win11cis_rule_18_10_56_3_3_4
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.3.4
- remote_desktop_session_host
- device_and_resource_redirection
- name: "18.10.56.3.3.5 | PATCH | Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableLPT
data: 1
type: dword
when: win11cis_rule_18_10_56_3_3_5
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.3.5
- remote_desktop_session_host
- device_and_resource_redirection
- name: "18.10.56.3.3.6 | PATCH | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisablePNPRedir
data: 1
type: dword
when: win11cis_rule_18_10_56_3_3_6
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.3.6
- remote_desktop_session_host
- device_and_resource_redirection
- name: "18.10.56.3.3.7 | PATCH | Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableWebAuthn
data: 1
type: dword
when: win11cis_rule_18_10_56_3_3_7
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.3.7
- remote_desktop_session_host
- device_and_resource_redirection
- name: "18.10.56.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: fPromptForPassword
data: 1
type: dword
when: win11cis_rule_18_10_56_3_9_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.3.9.1
- remote_desktop_session_host
- security
- name: "18.10.56.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: fEncryptRPCTraffic
data: 1
type: dword
when: win11cis_rule_18_10_56_3_9_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.3.9.2
- remote_desktop_session_host
- security
- name: "18.10.56.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: SecurityLayer
data: 2
type: dword
when: win11cis_rule_18_10_56_3_9_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.3.9.3
- remote_desktop_session_host
- security
- name: "18.10.56.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: UserAuthentication
data: 1
type: dword
when: win11cis_rule_18_10_56_3_9_4
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.3.9.4
- remote_desktop_session_host
- security
- name: "18.10.56.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MinEncryptionLevel
data: 3
type: dword
when: win11cis_rule_18_10_56_3_9_5
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.3.9.5
- remote_desktop_session_host
- security
- name: "18.10.56.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0)"
block:
- name: "18.10.56.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxIdleTime
data: "{{ win11cis_idle_rdp_session_disconnect_time }}"
type: dword
when:
- win11cis_idle_rdp_session_disconnect_time <= 900000
- win11cis_idle_rdp_session_disconnect_time != 0
- name: "18.10.56.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid time set for win11cis_idle_rdp_session_disconnect_time. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_idle_rdp_session_disconnect_time == 0 or win11cis_idle_rdp_session_disconnect_time > 900000
- name: "18.10.56.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.56.3.10.1'
when: win11cis_idle_rdp_session_disconnect_time == 0 or win11cis_idle_rdp_session_disconnect_time > 900000
when: win11cis_rule_18_10_56_3_10_1
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.10.1
- remote_desktop_session_host
- session_time_limits
- name: "18.10.56.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxDisconnectionTime
data: 60000
type: dword
when: win11cis_rule_18_10_56_3_10_2
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.56.3.10.2
- remote_desktop_session_host
- session_time_limits
- name: "18.10.56.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: DeleteTempDirsOnExit
data: 1
type: dword
when: win11cis_rule_18_10_56_3_11_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.56.3.11.1
- remote_desktop_session_host
- temporary_folders
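Review bot: The guard on the MaxIdleTime write in 18.10.56.3.10.1 accepts negative values: `win11cis_idle_rdp_session_disconnect_time <= 900000` combined with `!= 0` lets a value such as -1 through, and the warning branch (`== 0 or > 900000`) does not flag it either, so a mistyped variable is handed to win_regedit unreported. Changing the second condition of the Set Variable task to `- win11cis_idle_rdp_session_disconnect_time > 0` and the two warning conditions to `when: win11cis_idle_rdp_session_disconnect_time <= 0 or win11cis_idle_rdp_session_disconnect_time > 900000` closes the gap. Registry path casing also varies between tasks in this file (`Windows NT\Terminal Services` on the session-host tasks vs `Windows Nt\Terminal Services` on the security ones); harmless to the registry, but normalising it helps grep and review.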
@@ -1,312 +1,14 @@
---
- name: "18.10.57.2.2 | PATCH | Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'"
- name: "18.10.57.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
name: DisableCloudClipboardIntegration
path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
name: DisableEnclosureDownload
data: 1
type: dword
when:
- win11cis_rule_18_10_57_2_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.2.2
- automated
- patch
- remote-desktop-connection-client
- name: "18.10.57.2.3 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: DisablePasswordSaving
data: 1
type: dword
when:
- win11cis_rule_18_10_57_2_3
when: win11cis_rule_18_10_57_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.2.3
- automated
- patch
- remote-desktop-connection-client
- name: "18.10.57.3.2.1 | PATCH | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDenyTSConnections
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_2_1
- not win_skip_for_test
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.2.1
- automated
- patch
- remote-desktop-session-host
- connections
- rdp
- name: "18.10.57.3.3.1 | PATCH | Ensure 'Allow UI Automation redirection' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: EnableUiaRedirection
data: 0
type: dword
when:
- win11cis_rule_18_10_57_3_3_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.1
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.2 | PATCH | Ensure Do not allow COM port redirection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableCcm
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.2
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.3 | PATCH | Ensure Do not allow drive redirection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableCdm
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.3.3
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.4 | PATCH | Ensure 'Do not allow location redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableLocationRedir
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_4
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.4
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.5 | PATCH | Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableLPT
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_5
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.5
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.6 | PATCH | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisablePNPRedir
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_6
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.6
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.7 | PATCH | Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableWebAuthn
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_7
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.7
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: fPromptForPassword
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_9_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.1
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: fEncryptRPCTraffic
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_9_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.2
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: SecurityLayer
data: 2
type: dword
when:
- win11cis_rule_18_10_57_3_9_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.3
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: UserAuthentication
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_9_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.4
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MinEncryptionLevel
data: 3
type: dword
when:
- win11cis_rule_18_10_57_3_9_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.5
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0)"
block:
- name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid time set for win11cis_idle_rdp_session_disconnect_time. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_idle_rdp_session_disconnect_time == 0 or
win11cis_idle_rdp_session_disconnect_time > 900000
- name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.57.3.10.1'
when:
- win11cis_idle_rdp_session_disconnect_time == 0 or
win11cis_idle_rdp_session_disconnect_time > 900000
- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxIdleTime
data: "{{ win11cis_idle_rdp_session_disconnect_time }}"
type: dword
when:
- win11cis_idle_rdp_session_disconnect_time <= 900000
- win11cis_idle_rdp_session_disconnect_time != 0
when:
- win11cis_rule_18_10_57_3_10_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.10.1
- automated
- patch
- remote-desktop-session-host
- session-time-limits
- name: "18.10.57.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxDisconnectionTime
data: 60000
type: dword
when:
- win11cis_rule_18_10_57_3_10_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.10.2
- automated
- patch
- remote-desktop-session-host
- session-time-limits
- name: "18.10.57.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: DeleteTempDirsOnExit
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_11_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.11.1
- automated
- patch
- remote-desktop-session-host
- temporary-folders
- rule_18.10.57.1
@@ -1,15 +1,84 @@
---
- name: "18.10.58.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled"
- name: "18.10.58.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
name: DisableEnclosureDownload
data: 1
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCloudSearch
data: 0
type: dword
when:
- win11cis_rule_18_10_58_1
when: win11cis_rule_18_10_58_2
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.58.2
- cloud_search
- name: "18.10.58.3 | PATCH | Ensure 'Allow Cortana' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCortana
data: 0
type: dword
when: win11cis_rule_18_10_58_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.58.1
- automated
- patch
- automated
- rule_18.10.58.3
- cortana
- name: "18.10.58.4 | PATCH | Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCortanaAboveLock
data: 0
type: dword
when: win11cis_rule_18_10_58_4
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.58.4
- cortana
- name: "18.10.58.5 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowIndexingEncryptedStoresOrItems
data: 0
type: dword
when: win11cis_rule_18_10_58_5
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.58.5
- indexing
- name: "18.10.58.6 | PATCH | Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowSearchToUseLocation
data: 0
type: dword
when: win11cis_rule_18_10_58_6
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.58.6
- cortana
- name: "18.10.58.7 | PATCH | Ensure 'Allow search highlights' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: EnableDynamicContentInWSB
data: 0
type: dword
when: win11cis_rule_18_10_58_7
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.58.7
@@ -1,90 +0,0 @@
---
- name: "18.10.59.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCloudSearch
data: 0
type: dword
when:
- win11cis_rule_18_10_59_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.59.2
- automated
- patch
- cloud-search
- name: "18.10.59.3 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCortana
data: 0
type: dword
when:
- win11cis_rule_18_10_59_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.3
- automated
- patch
- cortana
- name: "18.10.59.4 | PATCH | Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCortanaAboveLock
data: 0
type: dword
when:
- win11cis_rule_18_10_59_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.4
- automated
- patch
- cortana
- name: "18.10.59.5 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowIndexingEncryptedStoresOrItems
data: 0
type: dword
when:
- win11cis_rule_18_10_59_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.5
- automated
- patch
- indexing
- name: "18.10.59.6 | PATCH | Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowSearchToUseLocation
data: 0
type: dword
when:
- win11cis_rule_18_10_59_6
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.6
- automated
- patch
- cortana
- name: "18.10.59.7 | PATCH | Ensure 'Allow search highlights' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: EnableDynamicContentInWSB
data: 0
type: dword
when:
- win11cis_rule_18_10_59_7
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.59.7
- automated
- patch
@@ -1,15 +0,0 @@
---
- name: "18.10.63.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
name: NoGenTicket
data: 1
type: dword
when:
- win11cis_rule_18_10_63_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.63.1
- automated
- patch
@@ -1,71 +0,0 @@
---
- name: "18.10.66.1 | PATCH | Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: DisableStoreApps
data: 1
type: dword
when:
- win11cis_rule_18_10_66_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.66.1
- automated
- patch
- name: "18.10.66.2 | PATCH | Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: RequirePrivateStoreOnly
data: 1
type: dword
when:
- win11cis_rule_18_10_66_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.66.2
- automated
- patch
- name: "18.10.66.3 | PATCH | Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: AutoDownload
data: 4
type: dword
when:
- win11cis_rule_18_10_66_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.66.3
- automated
- patch
- name: "18.10.66.4 | PATCH | Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: DisableOSUpgrade
data: 1
type: dword
when:
- win11cis_rule_18_10_66_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.66.4
- automated
- patch
- name: "18.10.66.5 | PATCH | Ensure 'Turn off the Store application' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: DisableOSUpgrade
data: 1
type: dword
when:
- win11cis_rule_18_10_66_5
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.66.5
- automated
- patch
@@ -6,13 +6,12 @@
name: NoAutoplayfornonVolume
data: 1
type: dword
when:
- win11cis_rule_18_10_7_1
when: win11cis_rule_18_10_7_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.7.1
- automated
- patch
- automated
- rule_18.10.7.1
- autoplay
- name: "18.10.7.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
@@ -21,13 +20,12 @@
name: NoAutorun
data: 1
type: dword
when:
- win11cis_rule_18_10_7_2
when: win11cis_rule_18_10_7_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.7.2
- automated
- patch
- automated
- rule_18.10.7.2
- autoplay
- name: "18.10.7.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives"
@@ -36,11 +34,10 @@
name: NoDriveTypeAutoRun
data: 255
type: dword
when:
- win11cis_rule_18_10_7_3
when: win11cis_rule_18_10_7_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.7.3
- automated
- patch
- automated
- rule_18.10.7.3
- autoplay
@@ -1,15 +0,0 @@
---
- name: "18.10.72.1 | PATCH | Ensure 'Allow widgets' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Dsh
name: AllowNewsAndInterests
data: 0
type: dword
when:
- win11cis_rule_18_10_72_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.72.1
- automated
- patch
@@ -1,115 +0,0 @@
---
- name: "18.10.76.1.1 | PATCH | Ensure 'Notify Malicious' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: NotifyMalicious
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.1
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.1.2 | PATCH | Ensure 'Notify Password Reuse' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: NotifyPasswordReuse
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.2
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.1.3 | PATCH | Ensure 'Notify Unsafe App' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: NotifyUnsafeApp
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.3
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.1.4 | PATCH | Ensure 'Service Enabled' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: ServiceEnabled
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.4
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.2.1 | PATCH | Ensure 'Service Enabled' is set to 'Enabled'"
block:
- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\System
name: EnableSmartScreen
data: 1
type: dword
- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\System
name: ShellSmartScreenLevel
data: Block
type: string
when:
- win11cis_rule_18_10_76_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.2.1
- automated
- patch
- explorer
- name: "18.10.76.3.1 | PATCH | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter
name: EnabledV9
data: 1
type: dword
when:
- win11cis_rule_18_10_76_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.3.1
- automated
- patch
- microsoft-edge
- name: "18.10.76.3.2 | PATCH | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter
name: PreventOverride
data: 1
type: dword
when:
- win11cis_rule_18_10_76_3_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.3.2
- automated
- patch
- microsoft-edge
@@ -1,15 +1,14 @@
---
- name: "18.10.78.1 | PATCH | Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'"
- name: "18.10.78.1 | PATCH | Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\GameDVR
name: AllowGameDVR
data: 0
path: HKLM:\Software\Microsoft\Policies\PassportForWork\Biometrics
name: EnableESSwithSupportedPeripherals
data: 1
type: dword
when:
- win11cis_rule_18_10_78_1
when: win11cis_rule_18_10_78_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.78.1
- automated
- patch
- automated
- rule_18.10.78.1
@@ -1,15 +1,48 @@
---
- name: "18.10.79.1 | PATCH | Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'"
- name: "18.10.79.1 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Policies\PassportForWork\Biometrics
name: EnableESSwithSupportedPeripherals
data: 1
path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace
name: AllowSuggestedAppsInWindowsInkWorkspace
data: 0
type: dword
when:
- win11cis_rule_18_10_79_1
when: win11cis_rule_18_10_79_1
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.79.1
- name: "18.10.79.2 | PATCH | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'"
block:
- name: "18.10.79.2 | PATCH | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled' | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace
name: AllowWindowsInkWorkspace
data: "{{ win11cis_allow_windows_ink_workspace }}"
type: dword
when: win11cis_allow_windows_ink_workspace == 0 or win11cis_allow_windows_ink_workspace == 1
- name: "18.10.79.2 | AUDIT | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled' | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_allow_windows_ink_workspace. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_allow_windows_ink_workspace != 0
- win11cis_allow_windows_ink_workspace != 1
- name: "18.10.79.2 | AUDIT | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled' | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.79.2'
when:
- win11cis_allow_windows_ink_workspace != 0
- win11cis_allow_windows_ink_workspace != 1
when: win11cis_rule_18_10_79_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.79.1
- automated
- patch
- automated
- rule_18.10.79.2
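Review bot: The registry path used by both new tasks in this hunk, `HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace`, looks like two hive prefixes run together; as far as I know the key the Windows Ink Workspace policy is read from is `HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace`, the same `Software\Policies\Microsoft\...` form most other policy writes in this diff use. If that is right, `win_regedit` silently creates an unused key and the run reports 18.10.79.1 and 18.10.79.2 as patched while neither setting takes effect, so it is worth verifying against the benchmark's remediation text and, if confirmed, changing the two `path:` lines to `path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace`. The path predates this commit, but it is still what ships in v3.0.0 under the renumbered controls.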
@@ -6,12 +6,11 @@
name: EnhancedAntiSpoofing
data: 1
type: dword
when:
- win11cis_rule_18_10_8_1_1
when: win11cis_rule_18_10_8_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.8.1.1
- automated
- patch
- facial-features
- automated
- rule_18.10.8.1.1
- facial_features
- antispoofing
@@ -1,51 +1,41 @@
---
- name: "18.10.80.1 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
- name: "18.10.80.1 | PATCH | Ensure 'Allow user control over installs' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace
name: AllowSuggestedAppsInWindowsInkWorkspace
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: EnableUserControl
data: 0
type: dword
when:
- win11cis_rule_18_10_80_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.80.1
- automated
- patch
- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
block:
- name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_allow_windows_ink_workspace. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_allow_windows_ink_workspace != 0
- win11cis_allow_windows_ink_workspace != 1
- name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.80.2'
when:
- win11cis_allow_windows_ink_workspace != 0
- win11cis_allow_windows_ink_workspace != 1
- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace
name: AllowWindowsInkWorkspace
data: "{{ win11cis_allow_windows_ink_workspace }}"
type: dword
when:
- win11cis_allow_windows_ink_workspace == 0 or win11cis_allow_windows_ink_workspace == 1
when:
- win11cis_rule_18_10_80_2
when: win11cis_rule_18_10_80_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.80.1
- name: "18.10.80.2 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: AlwaysInstallElevated
data: 0
type: dword
when: win11cis_rule_18_10_80_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.80.2
- automated
- name: "18.10.80.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: SafeForScripting
data: 0
type: dword
when: win11cis_rule_18_10_80_3
tags:
- level2-high-security-sensitive-data-environment
- patch
- automated
- rule_18.10.80.3
@@ -1,43 +1,27 @@
---
- name: "18.10.81.1 | PATCH | Ensure 'Allow user control over installs' is set to 'Disabled'"
- name: "18.10.81.1 | PATCH | Ensure 'Enable MPR notifications for the system' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: EnableUserControl
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: EnableMPR
data: 0
type: dword
when:
- win11cis_rule_18_10_81_1
when: win11cis_rule_18_10_81_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.81.1
- automated
- patch
- name: "18.10.81.2 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
- name: "18.10.81.2 | PATCH | Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: AlwaysInstallElevated
data: 0
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: DisableAutomaticRestartSignOn
data: 1
type: dword
when:
- win11cis_rule_18_10_81_2
when: win11cis_rule_18_10_81_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.81.2
- automated
- patch
- name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: SafeForScripting
data: 0
type: dword
when:
- win11cis_rule_18_10_81_3
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.81.3
- automated
- patch
@@ -1,29 +0,0 @@
---
- name: "18.10.82.1 | PATCH | Ensure 'Enable MPR notifications for the system' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: EnableMPR
data: 0
type: dword
when:
- win11cis_rule_18_10_82_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.82.1
- automated
- patch
- name: "18.10.82.2 | PATCH | Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: DisableAutomaticRestartSignOn
data: 1
type: dword
when:
- win11cis_rule_18_10_82_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.82.2
- automated
- patch
@@ -1,46 +0,0 @@
---
- name: "18.10.87.1 | PATCH | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
name: EnableScriptBlockLogging
data: 1
type: dword
when:
- win11cis_rule_18_10_87_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.87.1
- automated
- patch
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'"
block:
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled | Turn on PowerShell Transcription."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
name: EnableTranscripting
data: 1
type: dword
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled | Set Log Directory"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
name: OutputDirectory
data: "{{ win11cis_powershell_transcription_dir }}"
type: string
when: "'Default' not in win11cis_powershell_transcription_dir"
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled | Remove Custom Log Directory"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
name: OutputDirectory
state: absent
when: "'Default' in win11cis_powershell_transcription_dir"
when:
- win11cis_rule_18_10_87_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.87.2
- automated
- patch
@@ -1,112 +1,16 @@
---
- name: "18.10.89.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
- name: "18.10.89.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
name: AllowBasic
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
name: AllowRemoteShellAccess
data: 0
type: dword
when:
- win11cis_rule_18_10_89_1_1
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.1.1
- automated
- patch
- winrm-client
- name: "18.10.89.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
name: AllowUnencryptedTraffic
data: 0
type: dword
when:
- win11cis_rule_18_10_89_1_2
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.1.2
- automated
- patch
- winrm-client
- name: "18.10.89.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
name: AllowDigest
data: 0
type: dword
when:
- win11cis_rule_18_10_89_1_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.1.3
- automated
- patch
- winrm-client
- name: "18.10.89.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: AllowBasic
data: 0
type: dword
when:
- win11cis_rule_18_10_89_2_1
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.2.1
- automated
- patch
- winrm-service
# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
- name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: AllowAutoConfig
data: 0
type: dword
when:
- win11cis_rule_18_10_89_2_2
- win11cis_rule_18_10_89_1
- not win_skip_for_test
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.89.2.2
- automated
- patch
- winrm-service
- name: "18.10.89.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: AllowUnencryptedTraffic
data: 0
type: dword
when:
- win11cis_rule_18_10_89_2_3
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.2.3
- automated
- patch
- winrm-service
- name: "18.9.102.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: DisableRunAs
data: 1
type: dword
when:
- win11cis_rule_18_10_89_2_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.2.4
- automated
- patch
- winrm-service
- rule_18.10.89.1
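Review bot: The new 18.10.89.1 task sets `AllowRemoteShellAccess` to 0 guarded only by `not win_skip_for_test`, and nothing tells the operator that this locks the control host out: Ansible's winrm connection plugin, as far as I know, opens a WinRS shell for every task, so once the value is applied subsequent plays over WinRM will fail (the psrp connection may behave differently and is worth confirming). The removed lines show the repository already documents this kind of trade-off for AllowAutoConfig (`# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart`), and the new task would benefit from the same: a comment such as `# Disabling remote shell access blocks WinRS, which the Ansible winrm connection plugin relies on; run this control last or manage the host through another channel afterwards`. If `win11cis_rule_18_10_89_1` is not already defaulted to false, that would be the safer default for the same reason.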
@@ -1,16 +1,27 @@
---
- name: "18.1.90.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled"
- name: "18.10.90.1 | PATCH | Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
name: AllowRemoteShellAccess
path: HKLM:\Software\Policies\Microsoft\Windows\Sandbox
name: AllowClipboardRedirection
data: 0
type: dword
when:
- win11cis_rule_18_1_90_1
- not win_skip_for_test
when: win11cis_rule_18_10_90_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.1.90.1
- automated
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.90.1
- name: "18.10.90.2 | PATCH | Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Sandbox
name: AllowNetworking
data: 0
type: dword
when: win11cis_rule_18_10_90_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.90.2
@@ -1,29 +1,14 @@
---
- name: "18.1.91.1 | PATCH | Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'"
- name: "18.10.91.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Sandbox
name: AllowClipboardRedirection
data: 0
path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
name: DisallowExploitProtectionOverride
data: 1
type: dword
when:
- win11cis_rule_18_1_91_1
when: win11cis_rule_18_10_91_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.1.91.1
- automated
- patch
- name: "18.1.91.2 | PATCH | Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Sandbox
name: AllowNetworking
data: 0
type: dword
when:
- win11cis_rule_18_1_91_2
tags:
- level1-corporate-enterprise-environment
- rule_18.1.91.2
- automated
- patch
- rule_18.10.91.2.1
- app_and_browser_protection
@@ -1,15 +1,181 @@
---
- name: "18.10.92.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled"
- name: "18.10.92.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
name: DisallowExploitProtectionOverride
data: 1
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoRebootWithLoggedOnUsers
data: 0
type: dword
when:
- win11cis_rule_18_10_92_2_1
when: win11cis_rule_18_10_92_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.92.2.1
- automated
- patch
- app-and-browser-protection
- automated
- rule_18.10.92.1.1
- legacy_policies
- name: "18.10.92.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled"
block:
- name: "18.10.92.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled | Set Auto Update."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoUpdate
data: 0
type: dword
- name: "18.10.92.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled | Set Properties For Updates."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: AUOptions
data: "{{ win11cis_au_options }}"
type: dword
when:
- win11cis_au_options >= 2
- win11cis_au_options <= 5
- name: "18.10.92.2.1 | AUDIT | Ensure Configure Automatic Updates is set to Enabled | Warning Message Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_au_options. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_au_options < 2 or win11cis_au_options > 5
- name: "18.10.92.2.1 | AUDIT | Ensure Configure Automatic Updates is set to Enabled | Warning Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.92.2.1'
when: win11cis_au_options < 2 or win11cis_au_options > 5
when: win11cis_rule_18_10_92_2_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.92.2.1
- manage_end_user_experience
- updates
- name: "18.10.92.2.2 | PATCH | Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' "
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: ScheduledInstallDay
data: 0
type: dword
when:
- win11cis_rule_18_10_92_2_2
- win11cis_au_options == 4
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.92.2.2
- manage_end_user_experience
- updates
- name: "18.10.92.2.3 | PATCH | Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: AllowTemporaryEnterpriseFeatureControl
data: 0
type: dword
when: win11cis_rule_18_10_92_2_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.92.2.3
- manage_end_user_experience
- features
- name: "18.10.92.2.4 | PATCH | Ensure 'Remove access to “Pause updates” feature' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: SetDisablePauseUXAccess
data: 1
type: dword
when: win11cis_rule_18_10_92_2_4
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.92.2.4
- manage_end_user_experience
- updates
- name: "18.10.92.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: ManagePreviewBuildsPolicyValue
data: 1
type: dword
when: win11cis_rule_18_10_92_4_1
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.92.4.1
- manage_updates_offered_from_windows_update
- preview
- name: "18.10.92.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'"
block:
- name: "18.10.92.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: DeferFeatureUpdates
data: 1
type: dword
- name: "18.10.92.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: DeferFeatureUpdatesPeriodInDays
data: "{{ win11cis_defer_feature_updates_period_in_days }}"
type: dword
when: win11cis_defer_feature_updates_period_in_days >= 180
- name: "18.10.92.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Variable Warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of days for win11cis_defer_feature_updates_period_in_days. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_defer_feature_updates_period_in_days < 180
- name: "18.10.92.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Warning Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.92.4.2'
when: win11cis_defer_feature_updates_period_in_days < 180
when: win11cis_rule_18_10_92_4_2
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.92.4.2
- manage_updates_offered_from_windows_update
- preview
- name: "18.10.92.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days"
block:
- name: "18.10.92.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
name: DeferQualityUpdates
data: 1
type: dword
- name: "18.10.92.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
name: DeferQualityUpdatesPeriodInDays
data: 0
type: dword
when: win11cis_rule_18_10_92_4_3
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.10.92.4.3
- manage_updates_offered_from_windows_update
- updates
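Review bot: The range checks in 18.10.92.2.1 (`win11cis_au_options >= 2`, `< 2 or > 5`) and 18.10.92.4.2 (`>= 180` / `< 180`) compare the variables to integers directly, so a value that arrives as a string — for example `-e win11cis_au_options=4` on the command line — makes the Jinja comparison raise a type error instead of producing the warning, and the whole block fails. Casting in the condition, e.g. `when: (win11cis_au_options | int) < 2 or (win11cis_au_options | int) > 5` and `when: (win11cis_defer_feature_updates_period_in_days | int) >= 180`, keeps the validation path reachable regardless of how the variable is supplied; the `== 4` test in 18.10.92.2.2 has the same exposure. Only the `when:` conditions need the cast; the `data:` lines can stay as they are.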
@@ -1,174 +0,0 @@
---
- name: "18.10.93.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoRebootWithLoggedOnUsers
data: 0
type: dword
when:
- win11cis_rule_18_10_93_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.1.1
- automated
- patch
- legacy-policies
- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled"
block:
- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled | Set Auto Update."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoUpdate
data: 0
type: dword
- name: "18.10.93.2.1 | AUDIT | Ensure Configure Automatic Updates is set to Enabled | Warning Message Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_au_options. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_au_options < 2 or win11cis_au_options > 5
- name: "18.10.93.2.1 | AUDIT | Ensure Configure Automatic Updates is set to Enabled | Warning Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.93.2.1'
when:
- win11cis_au_options < 2 or win11cis_au_options > 5
- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled | Set Properties For Updates."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: AUOptions
data: "{{ win11cis_au_options }}"
type: dword
when:
- win11cis_au_options >= 2
- win11cis_au_options <= 5
when:
- win11cis_rule_18_10_93_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.2.1
- automated
- patch
- manage-end-user-experience
- updates
- name: "18.10.93.2.2 | PATCH | Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' "
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: ScheduledInstallDay
data: 0
type: dword
when:
- win11cis_rule_18_10_93_2_2
- win11cis_au_options == 4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.2.2
- automated
- patch
- manage-end-user-experience
- updates
- name: "18.10.93.2.3 | PATCH | Ensure 'Remove access to “Pause updates” feature' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\PPolicies\Microsoft\Windows\WindowsUpdate
name: SetDisablePauseUXAccess
data: 1
type: dword
when:
- win11cis_rule_18_10_93_2_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.2.3
- automated
- patch
- manage-end-user-experience
- updates
- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: ManagePreviewBuildsPolicyValue
data: 0
type: dword
when:
- win11cis_rule_18_10_93_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.4.1
- automated
- patch
- manage-updates-offered-from-windows-update
- preview
- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'"
block:
- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: DeferFeatureUpdates
data: 1
type: dword
- name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Variable Warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of days for win11cis_defer_feature_updates_period_in_days. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_defer_feature_updates_period_in_days < 180
- name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Warning Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.93.4.2'
when: win11cis_defer_feature_updates_period_in_days < 180
- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: DeferFeatureUpdatesPeriodInDays
data: "{{ win11cis_defer_feature_updates_period_in_days }}"
type: dword
when: win11cis_defer_feature_updates_period_in_days >= 180
when:
- win11cis_rule_18_10_93_4_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.4.2
- automated
- patch
- manage-updates-offered-from-windows-update
- preview
- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days"
block:
- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
name: DeferQualityUpdates
data: 1
type: dword
- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
name: DeferQualityUpdatesPeriodInDays
data: 0
type: dword
when:
- win11cis_rule_18_10_93_4_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.4.3
- automated
- patch
- manage-updates-offered-from-windows-update
- updates
+163 -171
@@ -4,334 +4,326 @@
ansible.builtin.import_tasks:
file: cis_18.10.3.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-package-deployment
- administrative_templates_computer
- windows_components
- app_package_deployment
- name: "SECTION | 18.10.4 | App Privacy"
ansible.builtin.import_tasks:
file: cis_18.10.4.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-privacy
- administrative_templates_computer
- windows_components
- app_privacy
- name: "SECTION | 18.10.5 | App Runtime"
ansible.builtin.import_tasks:
file: cis_18.10.5.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-runtime
- administrative_templates_computer
- windows_components
- app_runtime
- name: "SECTION | 18.10.7 | Autoplay Policies"
ansible.builtin.import_tasks:
file: cis_18.10.7.x.yml
tags:
- administrative-templates-computer
- windows-components
- autoplay-policies
- administrative_templates_computer
- windows_components
- autoplay_policies
- name: "SECTION | 18.10.8 | Biometrics"
ansible.builtin.import_tasks:
file: cis_18.10.8.x.yml
tags:
- administrative-templates-computer
- windows-components
- administrative_templates_computer
- windows_components
- biometrics
- name: "SECTION | 18.10.9 | Bitlocker Drive Encryption"
ansible.builtin.import_tasks:
file: cis_18.10.9.x.yml
tags:
- administrative-templates-computer
- windows-components
- bitlocker-drive-encryption
- administrative_templates_computer
- windows_components
- bitlocker_drive_encryption
- name: "SECTION | 18.10.10 | Camera"
ansible.builtin.import_tasks:
file: cis_18.10.10.x.yml
tags:
- administrative-templates-computer
- windows-components
- administrative_templates_computer
- windows_components
- camera
- name: "SECTION | 18.10.12 | Cloud Content"
ansible.builtin.import_tasks:
file: cis_18.10.12.x.yml
tags:
- administrative-templates-computer
- windows-components
- cloud-content
- administrative_templates_computer
- windows_components
- cloud_content
- name: "SECTION | 18.10.13 | Connect"
ansible.builtin.import_tasks:
file: cis_18.10.13.x.yml
tags:
- administrative-templates-computer
- windows-components
- administrative_templates_computer
- windows_components
- connect
- name: "SECTION | 18.10.14 | Credential User Interface"
ansible.builtin.import_tasks:
file: cis_18.10.14.x.yml
tags:
- administrative-templates-computer
- windows-components
- credential-user-interface
- administrative_templates_computer
- windows_components
- credential_user_interface
- name: "SECTION | 18.10.15 | Data Collection And Preview Builds"
ansible.builtin.import_tasks:
file: cis_18.10.15.x.yml
tags:
- administrative-templates-computer
- windows-components
- data-collection-and-preview-builds
- administrative_templates_computer
- windows_components
- data_collection_and_preview_builds
- name: "SECTION | 18.10.16 | Delivery Optimization"
ansible.builtin.import_tasks:
file: cis_18.10.16.x.yml
tags:
- administrative-templates-computer
- windows-components
- delivery-optimization
- administrative_templates_computer
- windows_components
- delivery_optimization
- name: "SECTION | 18.10.17 | Desktop App Installer"
ansible.builtin.import_tasks:
file: cis_18.10.17.x.yml
tags:
- administrative-templates-computer
- windows-components
- desktop-app-installer
- administrative_templates_computer
- windows_components
- desktop_app_installer
- name: "SECTION | 18.10.26 | Event Log Service"
- name: "SECTION | 18.10.25 | Event Log Service"
ansible.builtin.import_tasks:
file: cis_18.10.26.x.yml
file: cis_18.10.25.x.yml
tags:
- administrative-templates-computer
- windows-components
- event-log-service
- administrative_templates_computer
- windows_components
- event_log_service
- name: "SECTION | 18.10.29 | File Explorer (Formerly Windows Explorer)"
- name: "SECTION | 18.10.28 | File Explorer (Formerly Windows Explorer)"
ansible.builtin.import_tasks:
file: cis_18.10.29.x.yml
file: cis_18.10.28.x.yml
tags:
- administrative-templates-computer
- windows-components
- file-explorer
- administrative_templates_computer
- windows_components
- file_explorer
- name: "SECTION | 18.10.33 | Homegroup"
- name: "SECTION | 18.10.36 | Location And Sensors"
ansible.builtin.import_tasks:
file: cis_18.10.33.x.yml
file: cis_18.10.36.x.yml
tags:
- administrative-templates-computer
- windows-components
- homegroup
- administrative_templates_computer
- windows_components
- location_and_sensors
- name: "SECTION | 18.10.37 | Location And Sensors"
- name: "SECTION | 18.10.40 | Messaging"
ansible.builtin.import_tasks:
file: cis_18.10.37.x.yml
file: cis_18.10.40.x.yml
tags:
- administrative-templates-computer
- windows-components
- location-and-sensors
- administrative_templates_computer
- windows_components
- messaging
- name: "SECTION | 18.10.41 | Messaging"
- name: "SECTION | 18.10.41 | Microsoft Account"
ansible.builtin.import_tasks:
file: cis_18.10.41.x.yml
tags:
- administrative-templates-computer
- windows-components
- messaging
- administrative_templates_computer
- windows_components
- microsoft_account
- name: "SECTION | 18.10.42 | Microsoft Account"
- name: "SECTION | 18.10.42 | Microsoft Defender Antivirus (formerly Windows Defender and Windows Defender Antivirus)"
ansible.builtin.import_tasks:
file: cis_18.10.42.x.yml
tags:
- administrative-templates-computer
- windows-components
- microsoft-account
- administrative_templates_computer
- windows_components
- microsoft_defender_antivirus
- name: "SECTION | 18.10.43 | Microsoft Defender Antivirus (formerly Windows Defender and Windows Defender Antivirus)"
- name: "SECTION | 18.10.43 | Microsoft Defender Application Guard (formerly Windows Defender Application Guard)"
ansible.builtin.import_tasks:
file: cis_18.10.43.x.yml
tags:
- administrative-templates-computer
- windows-components
- microsoft-defender-antivirus
- administrative_templates_computer
- windows_components
- microsoft_defender_application_guard
- name: "SECTION | 18.10.44 | Microsoft Defender Application Guard (formerly Windows Defender Application Guard)"
- name: "SECTION | 18.10.49 | News And Interests"
ansible.builtin.import_tasks:
file: cis_18.10.44.x.yml
file: cis_18.10.49.x.yml
tags:
- administrative-templates-computer
- windows-components
- microsoft-defender-application-guard
- administrative_templates_computer
- windows_components
- news_and_interests
- name: "SECTION | 18.10.50 | News And Interests"
- name: "SECTION | 18.10.50 | OneDrive (Formerly SkyDrive)"
ansible.builtin.import_tasks:
file: cis_18.10.50.x.yml
tags:
- administrative-templates-computer
- windows-components
- news-and-interests
- name: "SECTION | 18.10.51 | OneDrive (Formerly SkyDrive)"
ansible.builtin.import_tasks:
file: cis_18.10.51.x.yml
tags:
- administrative-templates-computer
- windows-components
- administrative_templates_computer
- windows_components
- onedrive
- name: "SECTION | 18.10.56 | Push To Install"
- name: "SECTION | 18.10.55 | Push To Install"
ansible.builtin.import_tasks:
file: cis_18.10.55.x.yml
tags:
- administrative_templates_computer
- windows_components
- push_to_install
- name: "SECTION | 18.10.56 | Remote Desktop Services (formerly Terminal Services)"
ansible.builtin.import_tasks:
file: cis_18.10.56.x.yml
tags:
- administrative-templates-computer
- windows-components
- push-to-install
- administrative_templates_computer
- windows_components
- remote_desktop_services
- name: "SECTION | 18.10.57 | Remote Desktop Services (formerly Terminal Services)"
- name: "SECTION | 18.10.57 | RSS Feeds"
ansible.builtin.import_tasks:
file: cis_18.10.57.x.yml
tags:
- administrative-templates-computer
- windows-components
- remote-desktop-services
- administrative_templates_computer
- windows_components
- rss_feeds
- name: "SECTION | 18.10.58 | RSS Feeds"
- name: "SECTION | 18.10.58 | Search"
ansible.builtin.import_tasks:
file: cis_18.10.58.x.yml
tags:
- administrative-templates-computer
- windows-components
- rss-feeds
- name: "SECTION | 18.10.59 | Search"
ansible.builtin.import_tasks:
file: cis_18.10.59.x.yml
tags:
- administrative-templates-computer
- windows-components
- administrative_templates_computer
- windows_components
- search
- name: "SECTION | 18.10.63 | Software Protection Platform"
- name: "SECTION | 18.10.62 | Software Protection Platform"
ansible.builtin.import_tasks:
file: cis_18.10.63.x.yml
file: cis_18.10.62.x.yml
tags:
- administrative-templates-computer
- windows-components
- software-protection-platform
- administrative_templates_computer
- windows_components
- software_protection_platform
- name: "SECTION | 18.10.66 | Store"
- name: "SECTION | 18.10.65 | Store"
ansible.builtin.import_tasks:
file: cis_18.10.66.x.yml
file: cis_18.10.65.x.yml
tags:
- administrative-templates-computer
- windows-components
- administrative_templates_computer
- windows_components
- store
- name: "SECTION | 18.10.72 | Widgets"
- name: "SECTION | 18.10.71 | Widgets"
ansible.builtin.import_tasks:
file: cis_18.10.72.x.yml
file: cis_18.10.71.x.yml
tags:
- administrative-templates-computer
- windows-components
- administrative_templates_computer
- windows_components
- widgets
- name: "SECTION | 18.10.76 | Windows Defender SmartScreen"
- name: "SECTION | 18.10.75 | Windows Defender SmartScreen"
ansible.builtin.import_tasks:
file: cis_18.10.76.x.yml
file: cis_18.10.75.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-defender-smartscreen
- administrative_templates_computer
- windows_components
- windows_defender_smartscreen
- name: "SECTION | 18.10.78 | Windows Game Recording and Broadcasting"
- name: "SECTION | 18.10.77 | Windows Game Recording and Broadcasting"
ansible.builtin.import_tasks:
file: cis_18.10.77.x.yml
tags:
- administrative_templates_computer
- windows_components
- windows_game_recording_and_broadcasting
- name: "SECTION | 18.10.78 | Windows Hello for Business (formerly Microsoft Passport for Work)"
ansible.builtin.import_tasks:
file: cis_18.10.78.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-game-recording-and-broadcasting
- administrative_templates_computer
- windows_components
- windows_hello_for_business
- name: "SECTION | 18.10.79 | Windows Hello for Business (formerly Microsoft Passport for Work)"
- name: "SECTION | 18.10.79 | Windows Ink Workspace"
ansible.builtin.import_tasks:
file: cis_18.10.79.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-hello-for-business
- administrative_templates_computer
- windows_components
- windows_ink_workspace
- name: "SECTION | 18.10.80 | Windows Ink Workspace"
- name: "SECTION | 18.10.80 | Windows Installer"
ansible.builtin.import_tasks:
file: cis_18.10.80.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-ink-workspace
- administrative_templates_computer
- windows_components
- windows_installer
- name: "SECTION | 18.10.81 | Windows Installer"
- name: "SECTION | 18.10.81 | Windows Logon Options"
ansible.builtin.import_tasks:
file: cis_18.10.81.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-installer
- administrative_templates_computer
- windows_components
- windows_logon_options
- name: "SECTION | 18.10.82 | Windows Logon Options"
- name: "SECTION | 18.10.86 | Windows Powershell"
ansible.builtin.import_tasks:
file: cis_18.10.82.x.yml
file: cis_18.10.86.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-logon-options
- administrative_templates_computer
- windows_components
- windows_powershell
- name: "SECTION | 18.10.87 | Windows Powershell"
- name: "SECTION | 18.10.88 | Windows Remote Management (WinRM)"
ansible.builtin.import_tasks:
file: cis_18.10.87.x.yml
file: cis_18.10.88.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-powershell
- administrative_templates_computer
- windows_components
- windows_remote_management
- name: "SECTION | 18.10.89 | Windows Remote Management (WinRM)"
- name: "SECTION | 18.10.89 | Windows Remote Shell"
ansible.builtin.import_tasks:
file: cis_18.10.89.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-remote-management
- administrative_templates_computer
- windows_components
- windows_remote_shell
- name: "SECTION | 18.10.90 | Windows Remote Shell"
- name: "SECTION | 18.10.90 | Windows Sandbox"
ansible.builtin.import_tasks:
file: cis_18.10.90.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-remote-shell
- administrative_templates_computer
- windows_components
- windows_sandbox
- name: "SECTION | 18.10.91 | Windows Sandbox"
- name: "SECTION | 18.10.91 | Windows Security (formerly Windows Defender Security Center)"
ansible.builtin.import_tasks:
file: cis_18.10.91.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-sandbox
- administrative_templates_computer
- windows_components
- windows_security
- name: "SECTION | 18.10.92 | Windows Security (formerly Windows Defender Security Center)"
- name: "SECTION | 18.10.92 | Windows Update"
ansible.builtin.import_tasks:
file: cis_18.10.92.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-security
- name: "SECTION | 18.10.93 | Windows Update"
ansible.builtin.import_tasks:
file: cis_18.10.93.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-update
- administrative_templates_computer
- windows_components
- windows_update
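Review bot: Every section tag in this file changes from kebab-case to snake_case (`administrative-templates-computer` → `administrative_templates_computer`, `windows-components` → `windows_components`, and each per-section tag), which silently changes what `--tags` / `--skip-tags` select: an existing pipeline that runs `--tags windows-components` will now execute nothing from this file, and one that uses `--skip-tags` to exclude a section will now run it. The CIS section renumbering in the same hunk (e.g. Event Log Service 18.10.26 → 18.10.25, Windows Update 18.10.93 → 18.10.92) has the same effect on any `rule_18.10.x` tag or `win11cis_rule_18_10_x` variable an operator has overridden. I would call both out explicitly in the 3.0.0 changelog and README tag list as breaking changes; a one-release transition could be offered by listing the old tag alongside the new one, e.g. `- windows_components` followed by `- windows-components`, if the project wants to keep old invocations working.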
@@ -1,124 +0,0 @@
---
- name: "18.3.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}
name: DllName
data: C:\Program Files\LAPS\CSE\AdmPwd.dll
type: string
when:
- win11cis_rule_18_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.3.1
- automated
- patch
- gpo
- name: "18.3.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PwdExpirationProtectionEnabled
data: 1
type: dword
when:
- win11cis_rule_18_3_2
tags:
- level1-corporate-enterprise-environment
- rule_18.3.2
- automated
- patch
- password
- name: "18.3.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: AdmPwdEnabled
data: 1
type: dword
when:
- win11cis_rule_18_3_3
tags:
- level1-corporate-enterprise-environment
- rule_18.3.3
- automated
- patch
- administrator-password
- name: "18.3.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PasswordComplexity
data: 4
type: dword
when:
- win11cis_rule_18_3_4
tags:
- level1-corporate-enterprise-environment
- rule_18.3.4
- automated
- patch
- password
- name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more."
block:
- name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid password length set for win11cis_laps_password_length please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_laps_password_length < 15
- name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.3.5'
when: win11cis_laps_password_length < 15
- name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PasswordLength
data: "{{ win11cis_laps_password_length }}"
type: dword
when: win11cis_laps_password_length >= 15
when:
- win11cis_rule_18_3_5
tags:
- level1-corporate-enterprise-environment
- rule_18.3.5
- patch
- password
- name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer."
block:
- name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid password length set for win11cis_laps_password_length please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_laps_password_age_days > 30
- name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.3.6'
when: win11cis_laps_password_age_days > 30
- name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PasswordAgeDays
data: "{{ win11cis_laps_password_age_days }}"
type: dword
when: win11cis_laps_password_age_days <= 30
when:
- win11cis_rule_18_3_6
tags:
- level1-corporate-enterprise-environment
- rule_18.3.6
- automated
- patch
- password
-8
@@ -1,8 +0,0 @@
---
- name: "SECTION | 18.3 | LAPS"
ansible.builtin.import_tasks:
file: cis_18.3.x.yml
tags:
- administrative-templates-computer
- laps
+39 -34
@@ -6,13 +6,12 @@
name: LocalAccountTokenFilterPolicy
data: 0
type: dword
when:
- win11cis_rule_18_4_1
when: win11cis_rule_18_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.4.1
- automated
- patch
- automated
- rule_18.4.1
- uac
- name: "18.4.2 | PATCH | 18.4.2 | Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'"
@@ -21,13 +20,12 @@
name: RpcAuthnLevelPrivacyEnabled
data: 1
type: dword
when:
- win11cis_rule_18_4_2
when: win11cis_rule_18_4_2
tags:
- level1-corporate-enterprise-environment
- rule_18.4.2
- automated
- patch
- automated
- rule_18.4.2
- rpc
- name: "18.4.3 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
@@ -36,13 +34,12 @@
name: Start
data: 4
type: dword
when:
- win11cis_rule_18_4_3
when: win11cis_rule_18_4_3
tags:
- level1-corporate-enterprise-environment
- rule_18.4.3
- automated
- patch
- automated
- rule_18.4.3
- smb
- name: "18.4.4 | PATCH | Ensure Configure SMB v1 server is set to Disabled"
@@ -51,61 +48,69 @@
name: SMB1
data: 0
type: dword
state: present
notify: change_requires_reboot
when:
- win11cis_rule_18_4_4
when: win11cis_rule_18_4_4
tags:
- level1-corporate-enterprise-environment
- rule_18.4.4
- automated
- patch
- automated
- rule_18.4.4
- smb
- name: "18.4.5 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
- name: "18.4.5 | PATCH | Ensure 'Enable Certificate Padding' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config
name: EnableCertPaddingCheck
data: 1
type: dword
when: win11cis_rule_18_4_5
tags:
- level1-corporate-enterprise-environment
- patch
- automated
- rule_18.4.5
- certificate_padding
- name: "18.4.6 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
name: DisableExceptionChainValidation
data: 0
type: dword
state: present
when:
- win11cis_rule_18_4_5
when: win11cis_rule_18_4_6
tags:
- level1-corporate-enterprise-environment
- rule_18.4.5
- automated
- patch
- automated
- rule_18.4.6
- sehop
- name: "18.4.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
- name: "18.4.7 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
state: present
value: NodeType
data: "{{ win11cis_netbt_nodetype }}"
datatype: dword
when:
- win11cis_rule_18_4_6
when: win11cis_rule_18_4_7
tags:
- level1-corporate-enterprise-environment
- rule_18.4.6
- automated
- patch
- automated
- rule_18.4.7
- sehop
- name: "18.4.7 | PATCH | Ensure WDigest Authentication is set to Disabled"
- name: "18.4.8 | PATCH | Ensure WDigest Authentication is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
state: present
value: UseLogonCredential
data: 0
datatype: dword
when:
- win11cis_rule_18_4_7
- win11cis_rule_18_4_8
- discovered_domain_joined
tags:
- level1-corporate-enterprise-environment
- rule_18.4.7
- automated
- patch
- automated
- rule_18.4.8
- wdigest
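Review bot: The new `discovered_domain_joined` condition added to 18.4.8 means standalone and workgroup hosts never get `UseLogonCredential` set to `0`, so WDigest keeps caching cleartext credentials in LSASS on exactly the machines that have no domain GPO to do it for them; nothing in the task's tags ties this control to a domain profile, so unless the restriction is deliberate I would drop the second condition and leave `when: win11cis_rule_18_4_8`. In the same hunk, the renumbered 18.4.7 (NetBT NodeType) still carries the `sehop` tag copied from the task above it, so `--skip-tags sehop` silently skips it and there is no tag by which to select it on its own — rename it to `netbt`. For the new 18.4.5 task, Microsoft's guidance for CVE-2013-3900 sets `EnableCertPaddingCheck` under both `HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config` and the corresponding `Wow6432Node` path on 64-bit systems; confirm which location(s) the benchmark's audit checks and, if both, add a second `win_regedit` task for the Wow6432Node key.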
+2 -2
@@ -4,5 +4,5 @@
ansible.builtin.import_tasks:
file: cis_18.4.x.yml
tags:
- administrative-templates-computer
- ms-security-guide
- administrative_templates_computer
- ms_security_guide
+66 -89
@@ -2,130 +2,114 @@
- name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
state: present
value: AutoAdminLogon
path: HKLM:\Software\Microsoft\Windows Nt\CurrentVersion\Winlogon
name: AutoAdminLogon
data: 0
datatype: string
when:
- win11cis_rule_18_5_1
when: win11cis_rule_18_5_1
tags:
- level1-corporate-enterprise-environment
- rule_18.5.1
- automated
- patch
- mss-auto-logon
- automated
- rule_18.5.1
- mss_auto_logon
- name: "18.5.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
- name: "18.5.2 | PATCH | Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
state: present
value: DisableIPSourceRouting
data: 2
datatype: dword
when:
- win11cis_rule_18_5_2
when: win11cis_rule_18_5_2
tags:
- level1-corporate-enterprise-environment
- rule_18.5.2
- automated
- patch
- automated
- rule_18.5.2
- iprouting
- name: "18.5.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
- name: "18.5.3 | PATCH | Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
state: present
value: DisableIPSourceRouting
data: 2
datatype: dword
when:
- win11cis_rule_18_5_3
when: win11cis_rule_18_5_3
tags:
- level1-corporate-enterprise-environment
- rule_18.5.3
- automated
- patch
- automated
- rule_18.5.3
- iprouting
- name: "18.5.4 | PATCH | Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
state: present
value: DisableSavePassword
data: 1
datatype: dword
when:
- win11cis_rule_18_5_4
when: win11cis_rule_18_5_4
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.4
- automated
- patch
- dial-up-password
- automated
- rule_18.5.4
- dial_up_password
- name: "18.5.5 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
state: present
value: EnableICMPRedirect
data: 0
datatype: dword
when:
- win11cis_rule_18_5_5
when: win11cis_rule_18_5_5
tags:
- level1-corporate-enterprise-environment
- rule_18.5.5
- automated
- patch
- automated
- rule_18.5.5
- icmp
- name: "18.5.6 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
state: present
value: KeepAliveTime
data: 300000
datatype: dword
when:
- win11cis_rule_18_5_6
when: win11cis_rule_18_5_6
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.6
- automated
- patch
- automated
- rule_18.5.6
- keepalivetime
- name: "18.5.7 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
state: present
name: NoNameReleaseOnDemand
data: 1
type: dword
when:
- win11cis_rule_18_5_7
when: win11cis_rule_18_5_7
tags:
- level1-corporate-enterprise-environment
- rule_18.5.7
- automated
- patch
- automated
- rule_18.5.7
- nonamereleaseondemand
- name: "18.5.8 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
- name: "18.5.8 | PATCH | Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
state: present
name: PerformRouterDiscovery
data: 0
type: dword
when:
- win11cis_rule_18_5_8
when: win11cis_rule_18_5_8
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.8
- automated
- patch
- automated
- rule_18.5.8
- irdp
- name: "18.5.9 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
@@ -134,18 +118,24 @@
name: SafeDllSearchMode
data: 1
type: dword
state: present
when:
- win11cis_rule_18_5_9
when: win11cis_rule_18_5_9
tags:
- level1-corporate-enterprise-environment
- rule_18.5.9
- automated
- patch
- automated
- rule_18.5.9
- safedllsearchmode
- name: "18.5.10 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
block:
- name: "18.5.10 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
name: ScreenSaverGracePeriod
data: "{{ win11cis_screen_saver_grace_period }}"
type: string
when: win11cis_screen_saver_grace_period <= 5
- name: "18.5.10 | AUDIT | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
@@ -159,23 +149,13 @@
vars:
warn_control_id: '18.5.10'
when: win11cis_screen_saver_grace_period > 5
- name: "18.5.10 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
name: ScreenSaverGracePeriod
data: "{{ win11cis_screen_saver_grace_period }}"
type: string
state: present
when: win11cis_screen_saver_grace_period <= 5
when:
- win11cis_rule_18_5_10
when: win11cis_rule_18_5_10
tags:
- level1-corporate-enterprise-environment
- rule_18.5.10
- automated
- patch
- screen-saver
- automated
- rule_18.5.10
- screen_saver
- name: "18.5.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3"
ansible.windows.win_regedit:
@@ -183,14 +163,13 @@
name: TcpMaxDataRetransmissions
data: 3
type: dword
when:
- win11cis_rule_18_5_11
when: win11cis_rule_18_5_11
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.11
- automated
- patch
- tcp-max-data-retransmissions
- automated
- rule_18.5.11
- tcp_max_data_retransmissions
- name: "18.5.12 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3"
ansible.windows.win_regedit:
@@ -198,17 +177,24 @@
name: TcpMaxDataRetransmissions
data: 3
type: dword
when:
- win11cis_rule_18_5_12
when: win11cis_rule_18_5_12
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.12
- automated
- patch
- tcp-max-data-retransmissions
- automated
- rule_18.5.12
- tcp_max_data_retransmissions
- name: "18.5.13 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
block:
- name: "18.5.13 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
name: WarningLevel
data: "{{ win11cis_log_threshold_audit_event }}"
type: dword
when: win11cis_log_threshold_audit_event <= 90
- name: "18.5.13 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
@@ -222,19 +208,10 @@
vars:
warn_control_id: '18.5.13'
when: win11cis_log_threshold_audit_event > 90
- name: "18.5.13 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
name: WarningLevel
data: "{{ win11cis_log_threshold_audit_event }}"
type: dword
when: win11cis_log_threshold_audit_event <= 90
when:
- win11cis_rule_18_5_13
when: win11cis_rule_18_5_13
tags:
- level1-corporate-enterprise-environment
- rule_18.5.13
- automated
- patch
- mss-warning-level
- automated
- rule_18.5.13
- mss_warning_level
@@ -4,5 +4,5 @@
ansible.builtin.import_tasks:
file: cis_18.5.x.yml
tags:
- administrative-templates-computer
- mss-legacy
- administrative_templates_computer
- mss_legacy
@@ -6,11 +6,10 @@
name: Disabled
data: 1
type: dword
when:
- win11cis_rule_18_6_10_2
when: win11cis_rule_18_6_10_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.10.2
- automated
- patch
- networking-services
- automated
- rule_18.6.10.2
- networking_services
@@ -6,14 +6,13 @@
name: NC_AllowNetBridge_NLA
data: 0
type: dword
when:
- win11cis_rule_18_6_11_2
when: win11cis_rule_18_6_11_2
tags:
- level1-corporate-enterprise-environment
- rule_18.6.11.2
- automated
- patch
- network-bridge
- automated
- rule_18.6.11.2
- network_bridge
- name: "18.6.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled"
ansible.windows.win_regedit:
@@ -21,13 +20,12 @@
name: NC_ShowSharedAccessUI
data: 0
type: dword
when:
- win11cis_rule_18_6_11_3
when: win11cis_rule_18_6_11_3
tags:
- level1-corporate-enterprise-environment
- rule_18.6.11.3
- automated
- patch
- automated
- rule_18.6.11.3
- ics
- name: "18.6.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled"
@@ -36,11 +34,10 @@
name: NC_StdDomainUserSetLocation
data: 1
type: dword
when:
- win11cis_rule_18_6_11_4
when: win11cis_rule_18_6_11_4
tags:
- level1-corporate-enterprise-environment
- rule_18.6.11.4
- automated
- patch
- domain-users
- automated
- rule_18.6.11.4
- domain_users
@@ -6,20 +6,19 @@
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
name: "\\\\*\\NETLOGON"
data: "RequireMutualAuthentication=1, RequireIntegrity=1"
data: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
type: string
- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
name: "\\\\*\\SYSVOL"
data: "RequireMutualAuthentication=1, RequireIntegrity=1"
data: "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1"
type: string
when:
- win11cis_rule_18_6_14_1
when: win11cis_rule_18_6_14_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.14.1
- automated
- patch
- automated
- rule_18.6.14.1
- unc
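Review bot: The task name for the SYSVOL entry still says the hardened path enforces only Require Mutual Authentication and Require Integrity, but the data value now also sets `RequirePrivacy=1`, so the task output no longer describes what is actually applied; the NETLOGON task has the same mismatch, though its name line sits above the hunk. Renaming to `... with Require Mutual Authentication, Require Integrity and Require Privacy set for all SYSVOL shares` keeps the log honest. Since RequirePrivacy turns on SMB encryption for these paths, a comment above the tasks such as `# RequirePrivacy=1 requires SMB 3.x encryption on the DCs serving NETLOGON/SYSVOL; older DCs will fail Group Policy processing` would save operators a confusing outage — as far as I know that is the behaviour, worth confirming against the benchmark text. The enclosing block for 18.6.14.1 starts outside the hunk.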
@@ -6,12 +6,11 @@
name: DisabledComponents
data: 255
type: dword
when:
- win11cis_rule_18_6_19_2_1
when: win11cis_rule_18_6_19_2_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.19.2.1
- automated
- patch
- automated
- rule_18.6.19.2.1
- parameters
- ipv6
@@ -36,13 +36,12 @@
name: DisableWPDRegistrar
data: 0
type: dword
when:
- win11cis_rule_18_6_20_1
when: win11cis_rule_18_6_20_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.20.1
- automated
- patch
- automated
- rule_18.6.20.1
- wireless
- name: "18.6.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled"
@@ -51,10 +50,10 @@
name: DisableWcnUi
data: 1
type: dword
when:
- win11cis_rule_18_6_20_2
when: win11cis_rule_18_6_20_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.20.2
- patch
- automated
- windows-connect-now
- rule_18.6.20.2
- windows_connect_now
@@ -1,20 +1,20 @@
---
- name: "18.6.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled"
- name: "18.6.21.1 | PATCH | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
name: fMinimizeConnections
data: 3
type: dword
when:
- win11cis_rule_18_6_21_1
when: win11cis_rule_18_6_21_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.21.1
- automated
- patch
- automated
- rule_18.6.21.1
- domain
- name: "18.6.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only"
- name: "18.6.21.2 | PATCH | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
name: fBlockNonDomain
@@ -22,8 +22,10 @@
type: dword
when:
- win11cis_rule_18_6_21_2
- discovered_domain_joined
tags:
- level1-corporate-enterprise-environment
- rule_18.6.21.2
- automated
- patch
- automated
- rule_18.6.21.2
- non_domain
@@ -6,12 +6,10 @@
name: AutoConnectAllowedOEM
data: 0
type: dword
when:
- win11cis_rule_18_6_23_2_1
when: win11cis_rule_18_6_23_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.23.2.1
- automated
- patch
- wlan-settings
- automated
- rule_18.6.23.2.1
- autoconnect
@@ -2,6 +2,14 @@
- name: "18.6.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher"
block:
- name: "18.6.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
name: DoHPolicy
data: "{{ win11cis_doh_policy }}"
type: dword
when: win11cis_doh_policy == 2 or win11cis_doh_policy == 3
- name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
@@ -19,25 +27,24 @@
when:
- win11cis_doh_policy != 2
- win11cis_doh_policy != 3
- name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
name: DoHPolicy
data: "{{ win11cis_doh_policy }}"
type: dword
when: win11cis_doh_policy == 2 or win11cis_doh_policy == 3
when:
- win11cis_rule_18_6_4_1
when: win11cis_rule_18_6_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.4.1
- automated
- patch
- dns-over-https
- automated
- rule_18.6.4.1
- dns_over_https
- name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'"
block:
- name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
name: EnableNetbios
data: "{{ win11cis_enable_netbios_policy }}"
type: dword
when: win11cis_enable_netbios_policy == 2 or win11cis_enable_netbios_policy == 0
- name: "18.6.4.2 | AUDIT | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
@@ -55,21 +62,14 @@
when:
- win11cis_enable_netbios_policy != 2
- win11cis_enable_netbios_policy != 0
- name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
name: EnableNetbios
data: "{{ win11cis_enable_netbios_policy }}"
type: dword
when: win11cis_enable_netbios_policy == 2 or win11cis_enable_netbios_policy == 0
when:
- win11cis_rule_18_6_4_2
- discovered_domain_joined
tags:
- level1-corporate-enterprise-environment
- rule_18.6.4.2
- automated
- patch
- automated
- rule_18.6.4.2
- netbios
- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled."
@@ -80,9 +80,10 @@
type: dword
when:
- win11cis_rule_18_6_4_3
- discovered_domain_joined
tags:
- level1-corporate-enterprise-environment
- rule_18.6.4.3
- automated
- patch
- automated
- rule_18.6.4.3
- multicast
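Review bot: The new `discovered_domain_joined` condition on 18.6.4.3 means a standalone or workgroup host keeps multicast name resolution (LLMNR) enabled and the task is skipped without any explanation, and the same guard is added to 18.6.4.2 (NetBIOS on public networks) in the hunk above; both settings reduce name-resolution spoofing exposure on any network, not only inside a domain. If the intent is to limit these two controls to the domain profile, a comment stating why, e.g. `# Domain-joined only: standalone hosts may depend on LLMNR/NetBIOS for local name resolution`, would make the skip look deliberate rather than an accidental narrowing; otherwise a dedicated variable so non-domain builds can still opt in would be the safer shape. The 18.6.4.3 task's name and win_regedit lines are above the hunk.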
@@ -6,11 +6,10 @@
name: EnableFontProviders
data: 0
type: dword
when:
- win11cis_rule_18_6_5_1
when: win11cis_rule_18_6_5_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.5.1
- automated
- patch
- font-providers
- automated
- rule_18.6.5.1
- font_providers
