Signed-off-by: Stephen Williams <stephenw@mindpointgroup.com>
This commit is contained in:
Stephen Williams
2024-06-17 16:15:42 -04:00
parent 28ba6663fb
commit d84ecb8829
151 changed files with 12764 additions and 1 deletions
Executable
+27
@@ -0,0 +1,27 @@
---
parseable: true
quiet: true
skip_list:
- 'schema'
- 'no-changed-when'
- 'experimental'
- 'fqcn-builtins'
- 'fqcn[action]'
- 'name[casing]'
- 'name[template]'
- 'name[play]'
- 'jinja[spacing]'
- 'yaml[line-length]'
- 'key-order[task]'
- 'var-naming' # Older playbook no new release
- 'var-spacing'
- '204'
- '208'
- '305'
- '303'
- '403'
- '306'
- '602'
use_default_rules: true
verbosity: 0
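Review bot: the numeric entries in skip_list ('204', '208', '305', '303', '403', '306', '602') are legacy rule IDs from the pre-6.x ansible-lint rule set; ansible-lint 6 and later identify rules by name, so these entries either do nothing or need their named equivalents (for example command-instead-of-module for 303, command-instead-of-shell for 305 and risky-shell-pipe for 306), and 'yaml[line-length]' already covers what 204 used to check. Skipping 'no-changed-when' and 'fqcn[action]' repo-wide also hides findings that matter for a hardening role (honest changed reporting and unambiguous module resolution); consider moving them to warn_list so they are still reported. The file is also added with the executable bit set (the 'Executable' marker above), which a lint config does not need.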
+6
@@ -0,0 +1,6 @@
# adding github settings to show correct language
*.sh linguist-detectable=true
*.yml linguist-detectable=true
*.ps1 linguist-detectable=true
*.j2 linguist-detectable=true
*.md linguist-documentation
+45
@@ -0,0 +1,45 @@
.env
*.log
*.retry
.vagrant
tests/*redhat-subscription
tests/Dockerfile
*.iso
*.box
packer_cache
delete*
ignore*
# VSCode
.vscode
vagrant
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# DS_Store
.DS_Store
._*
# Linux Editors
*~
\#*\#
/.emacs.desktop
/.emacs.desktop.lock
.elc
auto-save-list
tramp
.\#*
*.swp
*.swo
rh-creds.env
travis.env
# Lockdown-specific
benchparse/
*xccdf.xml
*.retry
# GitHub Action/Workflow files
.github/
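Review bot: `.github/` at the end of this file ignores the whole workflow directory, yet the README added in the same commit links to main_pipeline_validation.yml and devel_pipeline_validation.yml under .github/workflows; as written those workflow files can never be committed, so the pipeline badges will point at nothing. Drop the `.github/` entry, or change it to `.github/*` followed by `!.github/workflows/` (git cannot re-include a path whose parent directory is excluded, so a bare negation after `.github/` would not work). `*.retry` is also listed twice (once near the top and again under Lockdown-specific), and the bare `delete*` / `ignore*` globs match any path component starting with those words, which is broad enough to silently exclude legitimate files.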
Executable
+33
@@ -0,0 +1,33 @@
---
extends: default
ignore: |
tests/
molecule/
.github/
.gitlab-ci.yml
*molecule.yml
rules:
indentation:
# Requiring 4 space indentation
spaces: 4
# Requiring consistent indentation within a file, either indented or not
indent-sequences: consistent
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
empty-lines:
max: 1
line-length: disable
key-duplicates: enable
new-line-at-end-of-file: enable
new-lines:
type: unix
trailing-spaces: enable
truthy:
allowed-values: ['true', 'false']
check-keys: true
+67
@@ -0,0 +1,67 @@
Contributing to MindPoint Group Projects
========================================
Rules
-----
1) All commits must be GPG signed (details in Signing section)
2) All commits must have Signed-off-by (Signed-off-by: Joan Doe <joan.doe@email.com>) in the commit message (details in Signing section)
3) All work is done in your own branch
4) All pull requests go into the devel branch. There are automated checks for signed commits, signoff in commit message, and functional testing)
5) Be open and nice to each other
Workflow
--------
- Your work is done in your own individual branch. Make sure to to Signed-off and GPG sign all commits you intend to merge
- All community Pull Requests are into the devel branch. There are automated checks for GPG signed, Signed-off in commits, and functional tests before being approved. If your pull request comes in from outside of our repo, the pull request will go into a staging branch. There is info needed from our repo for our CI/CD testing.
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
Signing your contribution
-------------------------
We've chosen to use the Developer's Certificate of Origin (DCO) method
that is employed by the Linux Kernel Project, which provides a simple
way to contribute to MindPoint Group projects.
The process is to certify the below DCO 1.1 text
::
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
::
Then, when it comes time to submit a contribution, include the
following text in your contribution commit message:
::
Signed-off-by: Joan Doe <joan.doe@email.com>
::
This message can be entered manually, or if you have configured git
with the correct `user.name` and `user.email`, you can use the `-s`
option to `git commit` to automatically include the sign-off message.
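Review bot: the Workflow bullet reads "Make sure to to Signed-off and GPG sign", a doubled "to" and a noun where a verb is needed; suggest "Make sure to sign off and GPG-sign all commits you intend to merge". Rule 4 ends with an unmatched ')' after "functional testing". The sentence "There is info needed from our repo for our CI/CD testing" does not say what is needed or where an outside contributor gets it; either name the configuration the staging branch supplies or drop the sentence.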
+16
@@ -0,0 +1,16 @@
# Changelog
## Release 1.0.0
March 2024
- Updated Section 19 To Take Into Account All HKU Accounts And Windows Default Template.
- Fixed A Number Of Typos
- Updated Readme
- Added Option For skip_reboot And Warning Message For It.
- Added Two New Comtrols To Win_Skip_For_Test
- 18.10.89.1.2
- 18.10.89.2.3
- Removed When Checks For Domain, Member Server, And Standalone
September 2023
- Initial Release For Benchmark 2.0.0 Released 03.07.2023
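Review bot: "Comtrols" in the 18.10.89 bullet should be "Controls", and "Win_Skip_For_Test" is Title-cased like the surrounding prose, so the actual variable name cannot be copied from the entry; spell the variable exactly as it appears in the role. The Title Case applied to every word also makes ordinary terms such as "HKU Accounts" and "Windows Default Template" read as proper nouns; sentence case is easier to scan.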
+1 -1
@@ -1,6 +1,6 @@
MIT License
Copyright (c) 2023 Ansible Lockdown
Copyright (c) 2023 MindPoint Group / Lockdown Enterprise
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
+172
@@ -0,0 +1,172 @@
# Windows 11 Enterprise CIS
## Configure a Windows 11 Enterprise system to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
### Based on [ Microsoft Windows 11 Enterprise Benchmark v2.0.0 - 03-07-2023 ](https://www.cisecurity.org/cis-benchmarks/)
---
![Org Stars](https://img.shields.io/github/stars/ansible-lockdown?label=Org%20Stars&style=social)
![Stars](https://img.shields.io/github/stars/ansible-lockdown/Windows-11-CIS?label=Repo%20Stars&style=social)
![Forks](https://img.shields.io/github/forks/ansible-lockdown/Windows-11-CIS?style=social)
![followers](https://img.shields.io/github/followers/ansible-lockdown?style=social)
[![Twitter URL](https://img.shields.io/twitter/url/https/twitter.com/AnsibleLockdown.svg?style=social&label=Follow%20%40AnsibleLockdown)](https://twitter.com/AnsibleLockdown)
<!-- ![Ansible Galaxy Quality](https://img.shields.io/ansible/quality/56324?label=Quality&&logo=ansible) -->
![Discord Badge](https://img.shields.io/discord/925818806838919229?logo=discord)
![Release Branch](https://img.shields.io/badge/Release%20Branch-Main-brightgreen)
![Release Tag](https://img.shields.io/github/v/tag/ansible-lockdown/Windows-11-CIS?label=Release%20Tag&&color=success)
![Main Release Date](https://img.shields.io/github/release-date/ansible-lockdown/Windows-11-CIS?label=Release%20Date)
[![Main Pipeline Status](https://github.com/ansible-lockdown/Windows-11-CIS/actions/workflows/main_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-11-CIS/actions/workflows/main_pipeline_validation.yml)
[![Devel Pipeline Status](https://github.com/ansible-lockdown/Windows-11-CIS/actions/workflows/devel_pipeline_validation.yml/badge.svg?)](https://github.com/ansible-lockdown/Windows-11-CIS/actions/workflows/devel_pipeline_validation.yml)
![Devel Commits](https://img.shields.io/github/commit-activity/m/ansible-lockdown/Windows-11-CIS/devel?color=dark%20green&label=Devel%20Branch%20Commits)
![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/Windows-11-CIS?label=Open%20Issues)
![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/Windows-11-CIS?label=Closed%20Issues&&color=success)
![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/Windows-11-CIS?label=Pull%20Requests)
![License](https://img.shields.io/github/license/ansible-lockdown/Windows-11-CIS?label=License)
---
## Looking for support?
[Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_WINDOWS_11_cis)
[Ansible Support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_WINDOWS_11_cis)
### Community
On our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users
---
## Caution(s)
This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution.
This role was developed against a clean install of the Windows 11 Enterprise 22H2 Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
To use release version please point to main branch and relevant release for the cis benchmark you wish to work with.
---
## Matching a security Level for CIS
It is possible to only run level 1 or level 2 controls for CIS as well as a variety of other tags that are available for this role.
This is managed using tags:
- level1-corporate-enterprise-environment
- level2-high-security-sensitive-data-environment
- level1-next-generation-windows-security
- level1-bitlocker-next-generation-windows-security
- level2-next-generation-windows-security
- level2-bitlocker-next-generation-windows-security
- next-generation-windows-security
- level1-bitlocker
- level2-bitlocker
- bitlocker
The controls found in defaults/main also need to reflect those control numbers due to aligning every control to the audit component.
## Coming from a previous release
CIS releases always contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release.
This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly.
Further details can be seen in the [Changelog](./ChangeLog.md)
## Auditing (new)
Currently this release does not have a auditing tool that is up to date.
## Documentation
- [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
- [Getting Started](https://www.lockdownenterprise.com/docs/getting-started-with-lockdown#GH_AL_WINDOWS_11_cis)
- [Customizing Roles](https://www.lockdownenterprise.com/docs/customizing-lockdown-enterprise#GH_AL_WINDOWS_11_cis)
- [Per-Host Configuration](https://www.lockdownenterprise.com/docs/per-host-lockdown-enterprise-configuration#GH_AL_WINDOWS_11_cis)
- [Getting the Most Out of the Role](https://www.lockdownenterprise.com/docs/get-the-most-out-of-lockdown-enterprise#GH_AL_WINDOWS_11_cis)
## Requirements
**General:**
- Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
- [Main Ansible documentation page](https://docs.ansible.com)
- [Ansible Getting Started](https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html)
- [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
- [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
- Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.
**Technical Dependencies:**
- Windows 11 Enterprise 22H2 - Other versions are not supported
- Running Ansible/Tower setup (this role is tested against Ansible version 2.10.1 and newer)
- Python3 Ansible run environment
- passlib (or python2-passlib, if using python2)
- python-lxml
- python-xmltodict
- python-jmespath
- pywinrm
Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.
## Role Variables
This role is designed so that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.
## Tags
There are many tags available for added control precision. Each control has it's own set of tags noting what level, if its automated or manual check, if it's a patch or audit, and the rule number.
Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag rpc, this task will be skipped. The opposite can also happen where you run only controls tagged with smb.
```sh
tags:
- level1-corporate-enterprise-environment
- rule_18.4.2
- automated
- patch
- rpc
```
Tags for entire sections can be run using the tags that are in the main.yml files for each section. In this particular case this is the following example and how it breaks down for sections.
Section 18 - administrative-templates-computer <br>
Section 18.10 - windows-components <br>
Section 18.10.3 - app-package-deployment
```sh
- name: "SECTION | 18.10.3 | App Package Deployment"
ansible.builtin.import_tasks:
file: cis_18.10.3.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-package-deployment
```
## Community Contribution
We encourage you (the community) to contribute to this role. Please read the rules below.
- Your work is done in your own individual branch. Make sure to Signed-off and GPG sign all commits you intend to merge.
- All community Pull Requests are pulled into the devel branch
- Pull Requests into devel will confirm your commits have a GPG signature, Signed-off, and a functional test before being approved
- Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release
## Pipeline Testing
uses:
- ansible-core 2.12
- ansible collections - pulls in the latest version based on requirements file
- runs the audit using the devel branch
- This is an automated test that occurs on pull requests into devel
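Review bot: the "Auditing (new)" section says this release has no up-to-date auditing tool, but "Pipeline Testing" says the pipeline "runs the audit using the devel branch"; one of the two is stale. Several requirement lines are carried over from the Linux roles and do not apply to a Windows role driven over WinRM: the sentence about "python-xmltodict ... if you enable the OpenSCAP tool installation", and "passlib (or python2-passlib, if using python2)" directly under "Python3 Ansible run environment". Both fenced blocks under "Tags" contain YAML but are tagged ```sh; tag them ```yaml so they render and lint correctly. "Windows 11 Enterprise 22H2 - Other versions are not supported" is not enforced anywhere visible in this commit: the "Check OS Version & Family" assertion later in the commit only matches "Microsoft Windows 11 Enterprise". Minor: "it's own set of tags" should be "its own", and "a auditing tool" should be "an auditing tool".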
+14
@@ -0,0 +1,14 @@
---
collections:
- name: ansible.windows
type: git
source: https://github.com/ansible-collections/ansible.windows
- name: community.windows
type: git
source: https://github.com/ansible-collections/community.windows
- name: community.general
type: git
source: https://github.com/ansible-collections/community.general
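Review bot: all three collections are fetched with `type: git` from GitHub and no `version:`, so every install resolves to whatever the default branch points at that day: builds are not reproducible, and the role's trust boundary extends to anyone who can push to those branches. Pin each entry with `version:` to a release tag or commit SHA, or drop `type: git`/`source:` and let Galaxy resolve `ansible.windows`, `community.windows` and `community.general` under a version constraint, which also lets ansible-galaxy verify the downloaded artifact's checksum. The README's "pulls in the latest version based on requirements file" should then be updated to match.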
+1005
File diff suppressed because it is too large
+7
@@ -0,0 +1,7 @@
---
- name: change_requires_reboot
ansible.builtin.set_fact:
reboot_host: true
tags:
- always
+27
@@ -0,0 +1,27 @@
---
galaxy_info:
author: "Stephen Williams"
description: "Ansible Role to Apply The Windows 11 Enterprise CIS Benchmark"
company: "MindPoint Group"
license: MIT
role_name: windows_11_cis
namespace: mindpointgroup
min_ansible_version: 2.10.1
galaxy_tags:
- system
- security
- cis
- hardening
- benchmark
- microsoft
- windows
- complianceascode
- compliance
collections:
- ansible.windows
- community.windows
- community.general
dependencies: []
+8
@@ -0,0 +1,8 @@
---
- hosts: all # noqa: name[play]
gather_facts: true
roles:
- role: "{{ playbook_dir }}"
+103
@@ -0,0 +1,103 @@
---
- name: Display Banner
ansible.builtin.debug:
msg: "{{ lockdown_banner.split('\n') }}"
tags:
- always
- name: Gather distribution info
ansible.builtin.setup:
gather_subset: distribution,!all,!min
when:
- ansible_distribution is not defined
tags:
- always
- name: Check OS Version & Family
ansible.builtin.assert:
that:
- ansible_os_family == 'Windows'
- ansible_distribution | regex_search('(Microsoft Windows 11 Enterprise)')
success_msg: "{{ ansible_distribution }} Distribution {{ ansible_distribution_major_version }} is the detected operating system."
fail_msg: "This role can only be run against Microsoft Windows 11 Enterprise. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
tags:
- always
- name: Check Ansible Version
ansible.builtin.assert:
that: ansible_version.full is version_compare(win11cis_min_ansible_version, '>=')
msg: You must use Ansible {{ win11cis_min_ansible_version }} or greater.
tags:
- always
- name: Include The Preliminary Tasks
ansible.builtin.include_tasks:
file: prelim.yml
tags:
- always
- prelim_tasks
- name: Include Section 1 Patches
ansible.builtin.import_tasks:
file: section_1/main.yml
when: win11cis_section1
tags:
- section1
- name: Include Section 2 Patches
ansible.builtin.import_tasks:
file: section_2/main.yml
when: win11cis_section2
tags:
- section2
- name: Include Section 5 Patches
ansible.builtin.import_tasks:
file: section_5/main.yml
when: win11cis_section5
tags:
- section5
- name: Include Section 9 Patches
ansible.builtin.import_tasks:
file: section_9/main.yml
when: win11cis_section9
tags:
- section9
- name: Include Section 17 Patches
ansible.builtin.import_tasks:
file: section_17/main.yml
when: win11cis_section17
tags:
- section17
- name: Include Section 18 Patches
ansible.builtin.import_tasks:
file: section_18/main.yml
when: win11cis_section18
tags:
- section18
- name: Include Section 19 Patches
ansible.builtin.import_tasks:
file: section_19/main.yml
when: win11cis_section19
tags:
- section19
- name: Run Post Tasks
ansible.builtin.import_tasks:
file: post.yml
tags:
- always
- name: If Warnings found Output count and control IDs affected
ansible.builtin.debug:
msg:
- "You have {{ warn_count }} Warning(s) that require investigation(s). Their IDs are listed below:"
- "{{ warn_control_list }}"
when: warn_count != 0
tags:
- always
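Review bot: "Check OS Version & Family" only asserts that ansible_distribution matches "Microsoft Windows 11 Enterprise", while the README says 22H2 is the only supported version; the DisplayVersion value is already read into win11cis_displayversion in the preliminary tasks, so either assert on it or soften the README claim. Note the ordering: prelim.yml is included after this assertion, so the fact is not available here as written; moving the two win_reg_stat reads ahead of the check, or asserting inside the preliminary tasks, would work. The closing debug uses `when: warn_count != 0` on a fact this file never sets; make sure warn_count and warn_control_list are initialised in defaults (that diff is suppressed in this view) or use `warn_count | default(0)`.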
+36
@@ -0,0 +1,36 @@
---
- name: "POST | Flush Handlers"
ansible.builtin.meta: flush_handlers
tags:
- always
- name: "POST | Reboot System Options"
block:
- name: "POST | Rebooting System................. Skip Reboot Has Been Set To: False"
ansible.windows.win_reboot:
reboot_timeout: 3600
when:
- reboot_host
- not skip_reboot
- name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set"
ansible.builtin.debug:
msg:
- "Warning!! Changes Have Been Made That Require A Reboot To Be Implemented Manually."
- "Skip Reboot Was Set To: True - This Can Affect Compliance Check Results."
changed_when: true
when:
- reboot_host
- skip_reboot
- name: "POST | Warning A Reboot Is Required, Skip Reboot Has Been Set | Warning Count"
ansible.builtin.import_tasks:
file: warning_facts.yml
when:
- reboot_host
- skip_reboot
vars:
warn_control_id: Reboot_Required
tags:
- always
+99
@@ -0,0 +1,99 @@
---
- name: "PRELIM | Get Display Version value."
ansible.windows.win_reg_stat:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion
name: DisplayVersion
changed_when: false
failed_when: false
register: win11cis_displayversion
tags:
- always
- name: "PRELIM | Get OS Build value."
ansible.windows.win_reg_stat:
path: HKLM:\Software\Microsoft\Windows NT\CurrentVersion
name: CurrentBuild
changed_when: false
failed_when: false
register: win11cis_currentbuild
tags:
- always
- name: "PRELIM | Detect if Trusted Platform Module (TPM) is Available"
ansible.windows.win_shell: (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
changed_when: false
failed_when: false
register: win11cis_tpm_enabled
tags:
- always
# HVM is Amazon AMI's, Hyper-V is Azure's, KVM is used for ('QEMU', 'Amazon EC2', 'DigitalOcean', 'Google', 'Scaleway', 'Nutanix', 'KVM', 'KVM Server', 'Bochs', 'AHV')
# Current list is elastic and will be updated as we test more cloud based services.
# Current testing is working in Azure using Hyper-V. We are currently using this for reference:
# https://github.com/ansible/ansible/blob/905131fc76a07cf89dbc8d33e7a4910da3f10a16/lib/ansible/module_utils/facts/virtual/linux.py#L205
- name: PRELIM | Set Fact If Cloud Based System.
ansible.builtin.set_fact:
win11cis_cloud_based_system: true
when:
- ansible_virtualization_type == 'Hyper-V' or
ansible_virtualization_type == 'hvm' or
ansible_virtualization_type == 'kvm'
tags:
- always
- name: PRELIM | Check Hyper-V Installation
ansible.windows.win_shell: Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All | Select-Object -Property State | ft -hide
changed_when: false
failed_when: false
register: win11cis_hyper_v_installed
- name: PRELIM | Get Windows installation type
ansible.windows.win_reg_stat:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
name: InstallationType
register: get_windows_installation_type
tags:
- always
- name: PRELIM | Set Windows installation type
ansible.builtin.set_fact:
win11cis_windows_installation_type: "{{ get_windows_installation_type.value | default('') }}"
tags:
- always
- name: PRELIM | Obtatin And Load Default Hive As Well As User Hives
block:
- name: PRELIM | Load Default User Hive (Account That All New Users Get Created From Profile)
ansible.windows.win_shell: REG LOAD HKU\DEFAULT C:\Users\Default\NTUSER.DAT
changed_when: false
failed_when: false
- name: PRELIM | Pull All Username and SIDs
ansible.windows.win_shell: Get-CimInstance -Class Win32_UserAccount -Filter "SID LIKE 'S-1-5-%'" | ForEach-Object { $_.Name + " " + $_.SID }
changed_when: false
failed_when: false
register: all_users
- name: PRELIM | Create Results List Fact For Username And SIDs
ansible.builtin.set_fact:
username_and_sid_results_list: "{{ all_users.stdout_lines | map('split', ' ') | list }}"
- name: PRELIM | Load All User Hives From Username And SIDs List
ansible.windows.win_shell: REG LOAD HKU\{{ item.1 }} C:\Users\{{ item.0 }}\NTUSER.DAT
changed_when: false
failed_when: false
loop: "{{ username_and_sid_results_list }}"
- name: PRELIM | Retrieve Current Users SIDs from HKEY_USERS
ansible.windows.win_shell: (Get-ChildItem "REGISTRY::HKEY_USERS").name | Where-Object {$_ -notlike "*_classes"}
changed_when: false
failed_when: false
register: current_users_loaded_hku
- name: PRELIM | Create List Fact For Current Users SIDs from HKEY_USERS
ansible.builtin.set_fact:
hku_loaded_list: "{{ current_users_loaded_hku.stdout | regex_replace('HKEY_USERS\\\\','') | split }}"
when: win11cis_section19
tags:
- always
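Review bot: "Detect if Trusted Platform Module (TPM) is Available" does not look at the TPM at all: `(Get-CimInstance -ClassName Win32_OperatingSystem).ProductType` returns the OS role (1 workstation, 2 domain controller, 3 server), so win11cis_tpm_enabled's stdout will be 1 on every Windows 11 client regardless of hardware and anything gated on it is mis-gated. Use `(Get-Tpm).TpmPresent` (or the Win32_Tpm class under root/cimv2/Security/MicrosoftTpm) and register that. Second, the hive block loads C:\Users\Default\NTUSER.DAT and every user's hive under HKU but nothing in this commit unloads them: while a hive stays loaded the file is locked and that user gets a temporary profile at next logon, and `changed_when: false` / `failed_when: false` on REG LOAD both misreport a real state change and hide the failure when a hive is already in use. Add a matching REG UNLOAD pass in the post tasks and let REG LOAD report changed. The mapping `C:\Users\{{ item.0 }}` also assumes the profile directory equals the account name, which is false for renamed accounts and for domain users whose folder is suffixed on a name collision (name.DOMAIN); the ProfileImagePath values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList are the authoritative source, and `map('split', ' ')` breaks for account names containing a space. Finally, "Check Hyper-V Installation" is the only task in the file without `tags: - always`, so a tag-filtered run leaves win11cis_hyper_v_installed undefined, and "Set Fact If Cloud Based System" compares ansible_virtualization_type without an `is defined` guard. Typo: "Obtatin".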
+177
@@ -0,0 +1,177 @@
---
- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords."
block:
- name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Check for more then 24 saved passwords warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of maximum passwords set in win11cis_max_passwords_saved, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_max_passwords_saved > 24 or
win11cis_max_passwords_saved <= 23
- name: "1.1.1 | AUDIT | Ensure Enforce password history is set to 24 or more passwords. | Set warning count"
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.1'
when:
- win11cis_max_passwords_saved > 24 or
win11cis_max_passwords_saved <= 23
- name: "1.1.1 | PATCH | Ensure Enforce password history is set to 24 or more passwords. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: PasswordHistorySize
value: "{{ win11cis_max_passwords_saved }}"
when: win11cis_max_passwords_saved == 24
when:
- win11cis_rule_1_1_1
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.1.1
- name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0."
block:
- name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Warning check for maximum password age time."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid age set for win11cis_maximum_password_age, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_maximum_password_age > 365 or
win11cis_maximum_password_age == 0
- name: "1.1.2 | AUDIT | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.2'
when:
- win11cis_maximum_password_age > 365 or
win11cis_maximum_password_age == 0
- name: "1.1.2 | PATCH | Ensure Maximum password age is set to 365 or fewer days but not 0. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: MaximumPasswordAge
value: "{{ win11cis_maximum_password_age }}"
when:
- win11cis_maximum_password_age <= 365
- win11cis_maximum_password_age > 0
when:
- win11cis_rule_1_1_2
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.1.2
- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days."
block:
- name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Warning check for minimim password age."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid age set for win11cis_minimum_password_age, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_minimum_password_age > 999 or
win11cis_minimum_password_age == 0
- name: "1.1.3 | AUDIT | Ensure Minimum password age is set to 1 or more days. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.3'
when:
- win11cis_minimum_password_age > 999 or
win11cis_minimum_password_age == 0
- name: "1.1.3 | PATCH | Ensure Minimum password age is set to 1 or more days. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: MinimumPasswordAge
value: "{{ win11cis_minimum_password_age }}"
when:
- win11cis_minimum_password_age <= 999 or
win11cis_minimum_password_age > 0
when:
- win11cis_rule_1_1_3
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.1.3
- name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters."
block:
- name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid length set for win11cis_minimum_password_length, please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_minimum_password_length < 14
- name: "1.1.4 | AUDIT | Ensure Minimum password length is set to 14 or more characters. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.1.4'
when: win11cis_minimum_password_length < 14
- name: "1.1.4 | PATCH | Ensure Minimum password length is set to 14 or more characters. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: MinimumPasswordLength
value: "{{ win11cis_minimum_password_length }}"
when: win11cis_minimum_password_length >= 14
when:
- win11cis_rule_1_1_4
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.1.4
- name: "1.1.5 | PATCH | Ensure Password must meet complexity requirements is set to Enabled."
community.windows.win_security_policy:
section: System Access
key: PasswordComplexity
value: 1
when:
- win11cis_rule_1_1_5
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.1.5
- name: "1.1.6 | PATCH | Ensure Relax minimum password length limits is set to Enabled."
ansible.windows.win_regedit:
path: HKLM:\System\CurrentControlSet\Control\SAM
name: RelaxMinimumPasswordLengthLimits
data: 1
type: dword
when:
- win11cis_rule_1_1_6
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.1.6
- name: "1.1.7 | PATCH | Ensure Store passwords using reversible encryption is set to Disabled"
community.windows.win_security_policy:
section: System Access
key: ClearTextPassword
value: 0
when:
- win11cis_rule_1_1_7
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.1.7
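Review bot: the "Set Variable" condition in 1.1.3 uses `or` where the sibling controls use `and`: `win11cis_minimum_password_age <= 999 or win11cis_minimum_password_age > 0` is true for 0 (and for 1000), so a value of 0 raises the warning and is then written to MinimumPasswordAge anyway, which is exactly the non-compliant state the control exists to prevent. Write it as two list items like 1.1.2 (`- win11cis_minimum_password_age <= 999` / `- win11cis_minimum_password_age > 0`). In 1.1.1 the warning fires for `> 24 or <= 23` and the patch only for `== 24`, which is simply `!= 24` / `== 24`; say so explicitly, since the benchmark wording "24 or more" invites readers to expect larger values to be accepted. Typos: "more then 24" and "minimim".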
+136
@@ -0,0 +1,136 @@
---
# We have found the order of tasks varies between cloud based instances and VM based instances.
# The task below loads the control group in the correct order for cloud based systems
- name:
“1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0.
1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes
1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
ansible.builtin.import_tasks:
file: cis_1.2_cloud_lockout_order.yml
when:
- win11cis_cloud_based_system
tags:
- section01_cloud_lockout_order
# THE FOLLOWING 3 CONTROLS WILL FAIL UNLESS THEY ARE IN THE FOLLOWING ORDER FOR LOCAL BASED SYSTEMS.
# We have a seperate set of controls to run when the instance is running in a cloud environment, so that it does not fail.
# CONTROL 1.2.2, CONTROL 1.2.4, CONTROL 1.2.1
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0."
block:
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of attempts set for win11cis_bad_login_lockout_count. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.2'
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: LockoutBadCount
value: "{{ win11cis_bad_login_lockout_count }}"
when:
- win11cis_bad_login_lockout_count <= 5
- win11cis_bad_login_lockout_count > 0
when:
- win11cis_rule_1_2_2
- not win11cis_cloud_based_system
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.2.2
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
block:
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_counter_reset. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.4'
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: ResetLockoutCount
value: "{{ win11cis_account_lockout_counter_reset }}"
when:
- win11cis_account_lockout_counter_reset >= 15
- win11cis_account_lockout_counter_reset <= win11cis_account_lockout_duration
when:
- win11cis_rule_1_2_4
- not win11cis_cloud_based_system
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.2.4
# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes."
block:
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_duration please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_account_lockout_duration < 15
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.1'
when: win11cis_account_lockout_duration < 15
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. | Set Variable"
community.windows.win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ win11cis_account_lockout_duration }}"
when: win11cis_account_lockout_duration >= 15
when:
- win11cis_rule_1_2_1
- not win11cis_cloud_based_system
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.2.1
- name: "1.2.3 | AUDIT | Ensure Allow Administrator account lockout is set to Enabled."
community.windows.win_security_policy:
section: System Access
key: AllowAdministratorLockout
value: 1
when:
- win11cis_rule_1_2_3
tags:
- level1-corporate-enterprise-environment
- manual
- audit
- rule_1.2.3
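Review bot: the 1.2.3 task at the end of this hunk is named AUDIT and tagged `manual`/`audit`, yet it calls `community.windows.win_security_policy` to write `AllowAdministratorLockout: 1`, which changes host state; either rename it to PATCH with the `automated`/`patch` tags used by the rest of the file, or drop the write if the control is meant to stay manual. It is also the only task in this file whose `when` omits `not win11cis_cloud_based_system`; if that is deliberate, a comment saying why would help. Minor: the 1.2.4 warning sub-tasks (`Verify variable set to 15 or more minutes warning` and `Set warning count`) are labelled PATCH although they only emit a debug message or import `warning_facts.yml`, while the equivalent 1.2.2 sub-tasks are labelled AUDIT.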
@@ -0,0 +1,104 @@
---
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0."
block:
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Verify Variable Not 0 or more then 5 warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of attempts set for win11cis_bad_login_lockout_count. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | AUDIT | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.2'
when:
- win11cis_bad_login_lockout_count > 5 or
win11cis_bad_login_lockout_count == 0
- name: "1.2.2 | PATCH | Ensure Account lockout threshold is set to 5 or fewer invalid logon attempt(s), but not 0. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: LockoutBadCount
value: "{{ win11cis_bad_login_lockout_count }}"
when:
- win11cis_bad_login_lockout_count <= 5
- win11cis_bad_login_lockout_count > 0
when:
- win11cis_rule_1_2_2
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.2.2
# Speelman | added because of this error "Failed to import secedit.ini file from C:\\Users\\vagrant\\AppData\\Local\\Temp\\tmp81F3.tmp
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes."
block:
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_duration please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_account_lockout_duration < 15
- name: "1.2.1 | AUDIT | Ensure Account lockout duration is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.1'
when: win11cis_account_lockout_duration < 15
- name: "1.2.1 | PATCH | Ensure Account lockout duration is set to 15 or more minutes. | Set Variable"
community.windows.win_security_policy:
section: System Access
key: LockoutDuration
value: "{{ win11cis_account_lockout_duration }}"
when: win11cis_account_lockout_duration >= 15
when:
- win11cis_rule_1_2_1
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.2.1
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes."
block:
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Verify variable set to 15 or more minutes warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of minutes set for win11cis_account_lockout_counter_reset. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set warning count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '1.2.4'
when:
- win11cis_account_lockout_counter_reset > win11cis_account_lockout_duration or
win11cis_account_lockout_counter_reset < 15
- name: "1.2.4 | PATCH | Ensure Reset account lockout counter after is set to 15 or more minutes. | Set Variable."
community.windows.win_security_policy:
section: System Access
key: ResetLockoutCount
value: "{{ win11cis_account_lockout_counter_reset }}"
when:
- win11cis_account_lockout_counter_reset >= 15
- win11cis_account_lockout_counter_reset <= win11cis_account_lockout_duration
when:
- win11cis_rule_1_2_4
tags:
- level1-corporate-enterprise-environment
- automated
- patch
- rule_1.2.4
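Review bot: this file repeats the 1.2.x tasks from the previous hunk with the `not win11cis_cloud_based_system` condition removed; if both files are meant to ship, the shared text should stay in sync, and it already drifts: the 1.2.2 verify task name here reads `more then 5` (should be `more than 5`), and the 1.2.4 warning sub-tasks are labelled PATCH while the matching 1.2.2 and 1.2.1 ones are AUDIT. The `# Speelman | added because of this error ...` comment above 1.2.1 quotes the secedit.ini import failure but does not say what was added or changed to work around it; state the change (or reference the issue) so the next maintainer knows what not to remove.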
+15
@@ -0,0 +1,15 @@
---
- name: "SECTION | 1.1 | Password Policy"
ansible.builtin.import_tasks:
file: cis_1.1.x.yml
tags:
- password-policy
- password
- name: "SECTION | 1.2 | Account Lockout Policy"
ansible.builtin.import_tasks:
file: cis_1.2.x.yml
tags:
- account-policies
- account-lockout-policy
+26
@@ -0,0 +1,26 @@
---
- name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure"
block:
- name: "17.1.1 | AUDIT | Ensure Audit Credential Validation is set to Success and Failure. | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Credential Validation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_1_1_audit
- name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /success:enable
when: "'Success' not in rule_17_1_1_audit.stdout"
- name: "17.1.1 | PATCH | Ensure Audit Credential Validation is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Credential Validation" /failure:enable
when: "'Failure' not in rule_17_1_1_audit.stdout"
when:
- win11cis_rule_17_1_1
tags:
- level1-corporate-enterprise-environment
- rule_17.1.1
- automated
- patch
- credential-validation
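Review bot: the `Get current audit events` task sets `failed_when: false`, so if `AuditPol /get` fails or returns nothing, `rule_17_1_1_audit.stdout` is empty, both `'Success' not in ...` and `'Failure' not in ...` evaluate true, and the two `AuditPol /set` tasks run on every play; consider failing on a non-zero `rc` or asserting that stdout is non-empty before the set tasks. The same get/set pattern is copied for every 17.x control in this commit, so fixing it here sets the template. The check also matches the English strings `Success`/`Failure`; on non-English Windows installs the `Inclusion Setting` column is localized, so the set tasks would re-run each play there as well.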
+72
@@ -0,0 +1,72 @@
---
- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure"
block:
- name: "17.2.1 | AUDIT | Ensure Audit Application Group Management is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Application Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_1_audit
- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Application Group Management" /success:enable
when: "'Success' not in rule_17_2_1_audit.stdout"
- name: "17.2.1 | PATCH | Ensure Audit Application Group Management is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Application Group Management" /failure:enable
when: "'Failure' not in rule_17_2_1_audit.stdout"
when:
- win11cis_rule_17_2_1
tags:
- level1-corporate-enterprise-environment
- rule_17.2.1
- automated
- patch
- application-group-management
- name: "17.2.2 | PATCH | Ensure Audit Security Group Management is set to include Success"
block:
- name: "17.2.2 | AUDIT | Ensure Audit Security Group Management is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Security Group Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_2_audit
- name: "17.2.2 | PATCH | Ensure Audit Security Group Management is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Security Group Management" /success:enable
when: "'Success' not in rule_17_2_2_audit.stdout"
when:
- win11cis_rule_17_2_2
tags:
- level1-corporate-enterprise-environment
- rule_17.2.2
- automated
- patch
- security-group-management
- name: "17.2.3 | PATCH | Ensure Audit User Account Management is set to Success and Failure"
block:
- name: "17.2.3 | AUDIT | Ensure Audit User Account Management is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"User Account Management" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_2_3_audit
- name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /success:enable
when: "'Success' not in rule_17_2_3_audit.stdout"
- name: "17.2.6 | PATCH | Ensure Audit User Account Management is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"User Account Management" /failure:enable
when: "'Failure' not in rule_17_2_3_audit.stdout"
when:
- win11cis_rule_17_2_3
tags:
- level1-corporate-enterprise-environment
- rule_17.2.3
- automated
- patch
- user-account-management
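Review bot: the two set sub-tasks under 17.2.3 (`... | Success` and `... | Failure`) are named `17.2.6 | PATCH | Ensure Audit User Account Management ...`, a copy-paste leftover; rename them to `17.2.3` so task output lines up with the registered `rule_17_2_3_audit` variable and the `rule_17.2.3` tag.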
+43
@@ -0,0 +1,43 @@
---
- name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success"
block:
- name: "17.3.1 | AUDIT | Ensure Audit PNP Activity is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Plug and Play Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_3_1_audit
- name: "17.3.1 | PATCH | Ensure Audit PNP Activity is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Plug and Play Events" /success:enable
when: "'Success' not in rule_17_3_1_audit.stdout"
when:
- win11cis_rule_17_3_1
tags:
- level1-corporate-enterprise-environment
- rule_17.3.1
- automated
- patch
- pnp-activity
- name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success"
block:
- name: "17.3.2 | AUDIT | Ensure Audit Process Creation is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Process Creation" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_3_2_audit
- name: "17.3.2 | PATCH | Ensure Audit Process Creation is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Process Creation" /success:enable
when: "'Success' not in rule_17_3_2_audit.stdout"
when:
- win11cis_rule_17_3_2
tags:
- level1-corporate-enterprise-environment
- rule_17.3.2
- automated
- patch
- audit-process-creation
+135
@@ -0,0 +1,135 @@
---
- name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure"
block:
- name: "17.5.1 | AUDIT | Ensure Audit Account Lockout is set to include Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Account Lockout" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_1_audit
- name: "17.5.1 | PATCH | Ensure Audit Account Lockout is set to include Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Account Lockout" /failure:enable
when: "'Failure' not in rule_17_5_1_audit.stdout"
when:
- win11cis_rule_17_5_1
tags:
- level1-corporate-enterprise-environment
- rule_17.5.1
- automated
- patch
- audit-account-lockout
- name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success"
block:
- name: "17.5.2 | AUDIT | Ensure Audit Group Membership is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Group Membership" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_2_audit
- name: "17.5.2 | PATCH | Ensure Audit Group Membership is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Group Membership" /success:enable
when: "'Success' not in rule_17_5_2_audit.stdout"
when:
- win11cis_rule_17_5_2
tags:
- level1-corporate-enterprise-environment
- rule_17.5.2
- automated
- patch
- audit-group-membership
- name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success"
block:
- name: "17.5.3 | AUDIT | Ensure Audit Logoff is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Logoff" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_3_audit
- name: "17.5.3 | PATCH | Ensure Audit Logoff is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Logoff" /success:enable
when: "'Success' not in rule_17_5_3_audit.stdout"
when:
- win11cis_rule_17_5_3
tags:
- level1-corporate-enterprise-environment
- rule_17.5.3
- automated
- patch
- audit-logoff
- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure"
block:
- name: "17.5.4 | AUDIT | Ensure Audit Logon is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_4_audit
- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /success:enable
when: "'Success' not in rule_17_5_4_audit.stdout"
- name: "17.5.4 | PATCH | Ensure Audit Logon is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Logon" /failure:enable
when: "'Failure' not in rule_17_5_4_audit.stdout"
when:
- win11cis_rule_17_5_4
tags:
- level1-corporate-enterprise-environment
- rule_17.5.4
- automated
- patch
- audit-logon
- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure"
block:
- name: "17.5.5 | AUDIT | Ensure Audit Other LogonLogoff Events is set to Success and Failurr | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Logon/Logoff Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_5_audit
- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /success:enable
when: "'Success' not in rule_17_5_5_audit.stdout"
- name: "17.5.5 | PATCH | Ensure Audit Other LogonLogoff Events is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Logon/Logoff Events" /failure:enable
when: "'Failure' not in rule_17_5_5_audit.stdout"
when:
- win11cis_rule_17_5_5
tags:
- level1-corporate-enterprise-environment
- rule_17.5.5
- automated
- patch
- other-logon-logoff
- name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success"
block:
- name: "17.5.6 | AUDIT | Ensure Audit Special Logon is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Special Logon" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_5_6_audit
- name: "17.5.6 | PATCH | Ensure Audit Special Logon is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Special Logon" /success:enable
when: "'Success' not in rule_17_5_6_audit.stdout"
when:
- win11cis_rule_17_5_6
tags:
- level1-corporate-enterprise-environment
- rule_17.5.6
- automated
- patch
- audit-special-logon
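Review bot: typo in the 17.5.5 audit task name: `Success and Failurr` should be `Success and Failure`.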
+79
@@ -0,0 +1,79 @@
---
- name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure"
block:
- name: "17.6.1 | AUDIT | Ensure Audit Detailed File Share is set to include Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Detailed File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_6_1_audit
- name: "17.6.1 | PATCH | Ensure Audit Detailed File Share is set to include Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Detailed File Share" /failure:enable
when: "'Failure' not in rule_17_6_1_audit.stdout"
when:
- win11cis_rule_17_6_1
tags:
- level1-corporate-enterprise-environment
- rule_17.6.1
- automated
- patch
- detailed-file-share
- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure"
block:
- name: "17.6.2 | AUDIT | Ensure Audit File Share is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"File Share" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_6_2_audit
- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"File Share" /success:enable
when: "'Success' not in rule_17_6_2_audit.stdout"
- name: "17.6.2 | PATCH | Ensure Audit File Share is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"File Share" /failure:enable
when: "'Failure' not in rule_17_6_2_audit.stdout"
when:
- win11cis_rule_17_6_2
tags:
- level1-corporate-enterprise-environment
- rule_17.6.2
- automated
- patch
- audit-file-share
- name: "17.6.3 | PATCH | Ensure Audit Other Object Access Events is set to Success and Failure"
community.windows.win_audit_policy_system:
subcategory: Other Object Access Events
audit_type: success, failure
when:
- win11cis_rule_17_6_3
- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure"
block:
- name: "17.6.4 | AUDIT | Ensure Audit Removable Storage is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Removable Storage" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_6_4_audit
- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /success:enable
when: "'Success' not in rule_17_6_4_audit.stdout"
- name: "17.6.4 | PATCH | Ensure Audit Removable Storage is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Removable Storage" /failure:enable
when: "'Failure' not in rule_17_6_4_audit.stdout"
when:
- win11cis_rule_17_6_4
tags:
- level1-corporate-enterprise-environment
- rule_17.6.4
- automated
- patch
- audit-removable-storage
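Review bot: 17.6.3 breaks the pattern used by every other control in this file: it uses `community.windows.win_audit_policy_system` instead of the `AuditPol` get/set pair, and it has no `tags:` block, so a run restricted with `--tags patch` or `--tags level1-corporate-enterprise-environment` silently skips it. Add the tags (`level1-corporate-enterprise-environment`, `rule_17.6.3`, `automated`, `patch`, plus a descriptive one). `audit_type: success, failure` relies on Ansible's comma-split coercion of a string into a list; the explicit list form `audit_type: [success, failure]` is clearer. If the module is acceptable here, note that it is idempotent and reports `changed` only when the setting differs, which the `win_shell` pattern does not; it would be worth using it throughout rather than for this one control.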
+110
@@ -0,0 +1,110 @@
---
- name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success"
block:
- name: "17.7.1 | AUDIT | Ensure Audit Audit Policy Change is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Audit Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_1_audit
- name: "17.7.1 | PATCH | Ensure Audit Audit Policy Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Audit Policy Change" /success:enable
when: "'Success' not in rule_17_7_1_audit.stdout"
when:
- win11cis_rule_17_7_1
tags:
- level1-corporate-enterprise-environment
- rule_17.7.1
- automated
- patch
- audit-policy-change
- name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success"
block:
- name: "17.7.2 | AUDIT | Ensure Audit Authentication Policy Change is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Authentication Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_2_audit
- name: "17.7.2 | PATCH | Ensure Audit Authentication Policy Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Authentication Policy Change" /success:enable
when: "'Success' not in rule_17_7_2_audit.stdout"
when:
- win11cis_rule_17_7_2
tags:
- level1-corporate-enterprise-environment
- rule_17.7.2
- automated
- patch
- audit-authentication-policy-change
- name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success"
block:
- name: "17.7.3 | AUDIT | Ensure Audit Authorization Policy Change is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Authorization Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_3_audit
- name: "17.7.3 | PATCH | Ensure Audit Authorization Policy Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Authorization Policy Change" /success:enable
when: "'Success' not in rule_17_7_3_audit.stdout"
when:
- win11cis_rule_17_7_3
tags:
- level1-corporate-enterprise-environment
- rule_17.7.3
- automated
- patch
- audit-authorization-policy-change
- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure"
block:
- name: "17.7.4 | AUDIT | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"MPSSVC Rule-Level Policy Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_4_audit
- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable
when: "'Success' not in rule_17_7_4_audit.stdout"
- name: "17.7.4 | PATCH | Ensure Audit MPSSVC Rule-Level Policy Change is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"MPSSVC Rule-Level Policy Change" /failure:enable
when: "'Failure' not in rule_17_7_4_audit.stdout"
when:
- win11cis_rule_17_7_4
tags:
- level1-corporate-enterprise-environment
- rule_17.7.4
- automated
- patch
- mpssvc-rule-level-policy
- name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure"
block:
- name: "17.7.5 | AUDIT | Ensure Audit Other Policy Change Events is set to include Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Other Policy Change Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_7_5_audit
- name: "17.7.5 | PATCH | Ensure Audit Other Policy Change Events is set to include Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other Policy Change Events" /failure:enable
when: "'Failure' not in rule_17_7_5_audit.stdout"
when:
- win11cis_rule_17_7_5
tags:
- level1-corporate-enterprise-environment
- rule_17.7.5
- automated
- patch
- audit-other-policy-change
+26
@@ -0,0 +1,26 @@
---
- name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure"
block:
- name: "17.8.1 | AUDIT | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Sensitive Privilege Use" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_8_1_audit
- name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /success:enable
when: "'Success' not in rule_17_8_1_audit.stdout"
- name: "17.8.1 | PATCH | Ensure Audit Sensitive Privilege Use is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Sensitive Privilege Use" /failure:enable
when: "'Failure' not in rule_17_8_1_audit.stdout"
when:
- win11cis_rule_17_8_1
tags:
- level1-corporate-enterprise-environment
- rule_17.8.1
- automated
- patch
- audit-sensitive-privilege
+120
@@ -0,0 +1,120 @@
---
- name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure"
block:
- name: "17.9.1 | AUDIT | Ensure Audit IPsec Driver is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"IPsec Driver" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_1_audit
- name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /success:enable
when: "'Success' not in rule_17_9_1_audit.stdout"
- name: "17.9.1 | PATCH | Ensure Audit IPsec Driver is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"IPsec Driver" /failure:enable
when: "'Failure' not in rule_17_9_1_audit.stdout"
when:
- win11cis_rule_17_9_1
tags:
- level1-corporate-enterprise-environment
- rule_17.9.1
- automated
- patch
- ipsec-driver
- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure"
block:
- name: "17.9.2 | AUDIT | Ensure Audit Other System Events is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Other System Events" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_2_audit
- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /success:enable
when: "'Success' not in rule_17_9_2_audit.stdout"
- name: "17.9.2 | PATCH | Ensure Audit Other System Events is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"Other System Events" /failure:enable
when: "'Failure' not in rule_17_9_2_audit.stdout"
when:
- win11cis_rule_17_9_2
tags:
- level1-corporate-enterprise-environment
- rule_17.9.2
- automated
- patch
- other-system-events
- name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success"
block:
- name: "17.9.3 | AUDIT | Ensure Audit Security State Change is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Security State Change" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_3_audit
- name: "17.9.3 | PATCH | Ensure Audit Security State Change is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Security State Change" /success:enable
when: "'Success' not in rule_17_9_3_audit.stdout"
when:
- win11cis_rule_17_9_3
tags:
- level1-corporate-enterprise-environment
- rule_17.9.3
- automated
- patch
- security-state-change
- name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success"
block:
- name: "17.9.4 | AUDIT | Ensure Audit Security System Extension is set to include Success | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"Security System Extension" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_4_audit
- name: "17.9.4 | PATCH | Ensure Audit Security System Extension is set to include Success | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"Security System Extension" /success:enable
when: "'Success' not in rule_17_9_4_audit.stdout"
when:
- win11cis_rule_17_9_4
tags:
- level1-corporate-enterprise-environment
- rule_17.9.4
- automated
- patch
- security-system-extension
- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure"
block:
- name: "17.9.5 | AUDIT | Ensure Audit System Integrity is set to Success and Failure | Get current audit events."
ansible.windows.win_shell: AuditPol /get /subcategory:"System Integrity" -r | ConvertFrom-Csv | Select-Object -expand "Inclusion Setting"
changed_when: false
failed_when: false
check_mode: false
register: rule_17_9_5_audit
- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Success"
ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /success:enable
changed_when: "'Success' not in rule_17_9_5_audit.stdout"
when: "'Success' not in rule_17_9_5_audit.stdout"
- name: "17.9.5 | PATCH | Ensure Audit System Integrity is set to Success and Failure | Failure"
ansible.windows.win_shell: AuditPol /set /subcategory:"System Integrity" /failure:enable
changed_when: "'Failure' not in rule_17_9_5_audit.stdout"
when: "'Failure' not in rule_17_9_5_audit.stdout"
when:
- win11cis_rule_17_9_5
tags:
- level1-corporate-enterprise-environment
- rule_17.9.5
- automated
- patch
- system-integrity
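Review bot: the two set tasks under 17.9.5 add `changed_when` with the same expression as their `when`; because a task only runs when its `when` holds, that `changed_when` is always true and merely restates the default `win_shell` behaviour. Drop it to match 17.9.1 through 17.9.4 and the rest of section 17, or, if the intent was explicit change detection, apply it consistently to every AuditPol set task.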
+57
@@ -0,0 +1,57 @@
---
- name: "SECTION | 17.1 | Account Logon"
ansible.builtin.import_tasks:
file: cis_17.1.x.yml
tags:
- advanced-audit-policy-configuration
- account-logon
- name: "SECTION | 17.2 | Account Management"
ansible.builtin.import_tasks:
file: cis_17.2.x.yml
tags:
- advanced-audit-policy-configuration
- account-management
- name: "SECTION | 17.3 | Detail Tracking"
ansible.builtin.import_tasks:
file: cis_17.3.x.yml
tags:
- advanced-audit-policy-configuration
- detailed-tracking
- name: "SECTION | 17.5 | Logon/Logoff"
ansible.builtin.import_tasks:
file: cis_17.5.x.yml
tags:
- advanced-audit-policy-configuration
- logon-logoff
- name: "SECTION | 17.6 | Object Access"
ansible.builtin.import_tasks:
file: cis_17.6.x.yml
tags:
- advanced-audit-policy-configuration
- object-access
- name: "SECTION | 17.7 | Policy Change"
ansible.builtin.import_tasks:
file: cis_17.7.x.yml
tags:
- advanced-audit-policy-configuration
- policy-access
- name: "SECTION | 17.8 | Privilege Use"
ansible.builtin.import_tasks:
file: cis_17.8.x.yml
tags:
- advanced-audit-policy-configuration
- privilege-use
- name: "SECTION | 17.9 | System"
ansible.builtin.import_tasks:
file: cis_17.9.x.yml
tags:
- advanced-audit-policy-configuration
- system
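Review bot: the 17.7 "Policy Change" import is tagged `policy-access`, while every other import here uses a tag that matches its section name (`object-access`, `privilege-use`); this should be `policy-change`, otherwise `--tags policy-change` selects nothing. Similarly 17.3 is named "Detail Tracking" but tagged `detailed-tracking`; pick one spelling for the section name and the tag so the README tag list stays accurate.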
+37
@@ -0,0 +1,37 @@
---
- name: "SECTION | 18.1 | Control Panel"
ansible.builtin.import_tasks:
file: section_18.1/main.yml
- name: "SECTION | 18.3 | LAPS"
ansible.builtin.import_tasks:
file: section_18.3/main.yml
- name: "SECTION | 18.4 | MS Security Guide"
ansible.builtin.import_tasks:
file: section_18.4/main.yml
- name: "SECTION | 18.5 | MSS (Legacy)"
ansible.builtin.import_tasks:
file: section_18.5/main.yml
- name: "SECTION | 18.6 | Network"
ansible.builtin.import_tasks:
file: section_18.6/main.yml
- name: "SECTION | 18.7 | Printers"
ansible.builtin.import_tasks:
file: section_18.7/main.yml
- name: "SECTION | 18.8 | Start Menu & Task Bar"
ansible.builtin.import_tasks:
file: section_18.8/main.yml
- name: "SECTION | 18.9 | System"
ansible.builtin.import_tasks:
file: section_18.9/main.yml
- name: "SECTION | 18.10 | Windows Components"
ansible.builtin.import_tasks:
file: section_18.10/main.yml
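Review bot: none of the section 18 imports carry `tags:`, unlike the section 17 main file in this same commit, which tags every import with `advanced-audit-policy-configuration` plus a per-section tag; as written a user cannot run or skip 18.x sub-sections (LAPS, MSS, Network, ...) by tag. Suggest adding `administrative-templates-computer` and a per-section tag to each import to match the section 17 pattern.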
@@ -0,0 +1,31 @@
---
- name: "18.1.1.1 | PATCH | Ensure Prevent enabling lock screen camera is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
name: NoLockScreenCamera
data: 1
type: dword
when:
- win11cis_rule_18_1_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.1.1.1
- automated
- patch
- lock-screen-camera
- name: "18.1.1.2 | PATCH | Ensure Prevent enabling lock screen slide show is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
name: NoLockScreenSlideshow
data: 1
type: dword
when:
- win11cis_rule_18_1_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.1.1.2
- automated
- patch
- lock-screen-slideshow
@@ -0,0 +1,17 @@
---
- name: "18.1.2.2 | PATCH | Ensure Allow users to enable online speech recognition services is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\InputPersonalization
name: AllowInputPersonalization
data: 0
type: dword
when:
- win11cis_rule_18_1_2_2
tags:
- level1-corporate-enterprise-environment
- rule_18.1.2.2
- automated
- patch
- administrative-templates-computer
- speech-recognition
@@ -0,0 +1,16 @@
---
- name: "18.1.3 | PATCH | Ensure Allow Online Tips is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
name: AllowOnlineTips
data: 0
type: dword
when:
- win11cis_rule_18_1_3
tags:
- level2-high-security-sensitive-data-environment
- rule_18.1.3
- automated
- patch
- online-tips
+25
@@ -0,0 +1,25 @@
---
- name: "SECTION | 18.1.1 | Personalization"
ansible.builtin.import_tasks:
file: cis_18.1.1.x.yml
tags:
- administrative-templates-computer
- control-panel
- personalization
- name: "SECTION | 18.1.2 | Regional And Language Options"
ansible.builtin.import_tasks:
file: cis_18.1.2.x.yml
tags:
- administrative-templates-computer
- control-panel
- regional-and-language-options
- name: "SECTION | 18.1.3 | Online Tips"
ansible.builtin.import_tasks:
file: cis_18.1.3.x.yml
tags:
- administrative-templates-computer
- control-panel
- regional-and-language-options
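Review bot: the 18.1.3 "Online Tips" import is tagged `regional-and-language-options`, copied from the 18.1.2 block above it; the tag should be `online-tips` (the one the task itself uses in cis_18.1.3.x.yml), otherwise tag-based runs pull the wrong block and the Online Tips control cannot be selected on its own.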
@@ -0,0 +1,15 @@
---
- name: "18.10.10.1 | PATCH | Ensure 'Allow Use of Camera' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Camera
name: AllowCamera
data: 0
type: dword
when:
- win11cis_rule_18_10_10_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.10.1
- automated
- patch
@@ -0,0 +1,43 @@
---
- name: "18.10.12.1 | PATCH | Ensure Turn off cloud consumer account state content is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent
name: DisableConsumerAccountStateContent
data: 1
type: dword
when:
- win11cis_rule_18_10_12_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.12.1
- automated
- patch
- name: "18.10.12.2 | PATCH | Ensure 'Turn off cloud optimized content' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent
name: DisableCloudOptimizedContent
data: 1
type: dword
when:
- win11cis_rule_18_10_12_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.12.2
- automated
- patch
- name: "18.10.12.3 | PATCH | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent
name: DisableWindowsConsumerFeatures
data: 1
type: dword
when:
- win11cis_rule_18_10_12_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.12.3
- automated
- patch
@@ -0,0 +1,38 @@
---
- name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always"
block:
- name: "18.10.13.1 | AUDIT | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_require_pin_for_pairing. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_require_pin_for_pairing != 1
- win11cis_require_pin_for_pairing != 2
- name: "18.10.13.1 | AUDIT | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.13.1'
when:
- win11cis_require_pin_for_pairing != 1
- win11cis_require_pin_for_pairing != 2
- name: "18.10.13.1 | PATCH | Ensure Require pin for pairing is set to Enabled First Time OR Enabled Always | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
name: RequirePinForPairing
data: "{{ win11cis_require_pin_for_pairing }}"
type: dword
when:
- win11cis_require_pin_for_pairing == 1 or win11cis_require_pin_for_pairing == 2
when:
- win11cis_rule_18_10_13_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.13.1
- automated
- patch
- pin
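Review bot: the guards `win11cis_require_pin_for_pairing != 1` / `!= 2` compare against bare integers, so a value supplied on the command line (`-e win11cis_require_pin_for_pairing=2`) arrives as a string, fails both comparisons, triggers the warning and skips the registry write; cast with `| int` in all three `when:` clauses. Also note that the invalid-value path only prints a debug message and bumps the warn count, so `RequirePinForPairing` stays unset and the play still ends green; if the role intends hard enforcement, an `ansible.builtin.assert` would be clearer, and the sub-task named "Set Variable." actually writes the registry, so the name should say so.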
@@ -0,0 +1,46 @@
---
- name: "18.10.14.1 | PATCH | Ensure Do not display the password reveal button is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Credui
name: DisablePasswordReveal
data: 1
type: dword
when:
- win11cis_rule_18_10_14_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.14.1
- automated
- patch
- gui
- name: "18.10.14.2 | PATCH | Ensure Enumerate administrator accounts on elevation is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
name: EnumerateAdministrators
data: 0
type: dword
when:
- win11cis_rule_18_10_14_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.14.2
- automated
- patch
- accounts
- name: "18.10.14.3 | PATCH | Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\System
name: NoLocalPasswordResetQuestions
data: 1
type: dword
when:
- win11cis_rule_18_10_14_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.14.3
- automated
- patch
- accounts
@@ -0,0 +1,143 @@
---
- name: "18.10.15.1 | PATCH | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data"
block:
- name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_allow_telemetry. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_allow_telemetry != 0
- win11cis_allow_telemetry != 1
- name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.15.1'
when:
- win11cis_allow_telemetry != 0
- win11cis_allow_telemetry != 1
- name: "18.10.15.1 | AUDIT | Ensure Allow Diagnostic Data is set to Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: AllowTelemetry
data: "{{ win11cis_allow_telemetry }}"
type: dword
when:
- win11cis_allow_telemetry == 0 or win11cis_allow_telemetry == 1
when:
- win11cis_rule_18_10_15_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.1
- automated
- patch
- diagnostics
- name: "18.10.15.2 | PATCH | Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\DataCollection
name: DisableEnterpriseAuthProxy
data: 1
type: dword
when:
- win11cis_rule_18_10_15_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.15.2
- automated
- patch
- proxy
- name: "18.10.15.3 | PATCH | Ensure Disable OneSettings Downloads is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: DisableOneSettingsDownloads
data: 1
type: dword
when:
- win11cis_rule_18_10_15_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.3
- automated
- patch
- one-settings
- name: "18.10.15.4 | PATCH | Ensure Do not show feedback notifications is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
name: DoNotShowFeedbackNotifications
data: 1
type: dword
when:
- win11cis_rule_18_10_15_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.4
- automated
- patch
- notifications
- name: "18.10.15.5 | PATCH | Ensure Enable OneSettings Auditing' is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: EnableOneSettingsAuditing
data: 1
type: dword
when:
- win11cis_rule_18_10_15_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.5
- automated
- patch
- one-settings
- name: "18.10.15.6 | PATCH | Ensure Limit Diagnostic Log Collection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: LimitDiagnosticLogCollection
data: 1
type: dword
when:
- win11cis_rule_18_10_15_6
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.6
- automated
- patch
- logs
- name: "18.10.15.7 | PATCH | Ensure Limit Dump Collection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection
name: LimitDumpCollection
data: 1
type: dword
when:
- win11cis_rule_18_10_15_7
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.7
- automated
- patch
- dump-collection
- name: "18.10.15.8 | PATCH | Ensure Toggle user control over Insider builds is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
name: AllowBuildPreview
data: 0
type: dword
when:
- win11cis_rule_18_10_15_8
tags:
- level1-corporate-enterprise-environment
- rule_18.10.15.8
- automated
- patch
- builds
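Review bot: the 18.10.15.1 sub-task that writes `AllowTelemetry` ("... | Set Variable.") is labelled `| AUDIT |` although it changes the registry, which breaks anyone filtering output on the AUDIT/PATCH convention the rest of this file follows; rename it `| PATCH |`. The `!= 0` / `!= 1` checks on `win11cis_allow_telemetry` should also cast with `| int` so extra-vars passed as strings do not trip the warning. Finally, the 18.10.15.5 task name has an unmatched quote ("Ensure Enable OneSettings Auditing' is set to Enabled").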
@@ -0,0 +1,32 @@
---
- name: "18.10.16.1 | PATCH | Ensure 'Download Mode' is NOT set to 'Enabled: Internet'"
block:
- name: "18.10.16.1 | AUDIT | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Warning Check For Bad Variable "
ansible.builtin.debug:
msg:
- "Warning!! You have an incorrect variable set for win11cis_do_download_mode. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_do_download_mode > 2 and win11cis_do_download_mode != 99 and win11cis_do_download_mode != 100
- name: "18.10.16.1 | AUDIT | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.16.1'
when: win11cis_do_download_mode > 2 and win11cis_do_download_mode != 99 and win11cis_do_download_mode != 100
- name: "18.10.16.1 | PATCH | Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization
value: DODownloadMode
data: "{{ win11cis_do_download_mode }}"
datatype: dword
when: win11cis_do_download_mode <= 2 or win11cis_do_download_mode == 99 or win11cis_do_download_mode == 100
when:
- win11cis_rule_18_10_16_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.16.1
- automated
- patch
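Review bot: the win_regedit call at 18.10.16.1 uses `value:` and `datatype:` where every other registry task in this commit uses `name:` and `type:`; both are accepted aliases in ansible.windows.win_regedit, but mixing them makes the role harder to grep and lint, so align on `name`/`type`. Also, `win11cis_do_download_mode > 2 and ... != 99 and ... != 100` (and its complement on the Set task) accepts any negative number, so a value like `-1` is written to `DODownloadMode` without a warning; test membership in `[0, 1, 2, 99, 100]` instead.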
@@ -0,0 +1,60 @@
---
- name: "18.10.17.1 | PATCH | Ensure 'Enable App Installer' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
name: EnableAppInstaller
data: 0
type: dword
when:
- win11cis_rule_18_10_17_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.1
- automated
- patch
- name: "18.10.17.2 | PATCH | Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
name: EnableExperimentalFeatures
data: 0
type: dword
when:
- win11cis_rule_18_10_17_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.2
- automated
- patch
- experimental
- name: "18.10.17.3 | PATCH | Ensure 'Enable App Installer Hash Override' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
name: EnableHashOverride
data: 0
type: dword
when:
- win11cis_rule_18_10_17_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.3
- automated
- patch
- hash
- name: "18.10.17.4 | PATCH | Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\AppInstaller
name: EnableMSAppInstallerProtocol
data: 0
type: dword
when:
- win11cis_rule_18_10_17_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.17.4
- automated
- patch
- hash
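Review bot: 18.10.17.4 (`EnableMSAppInstallerProtocol`) carries the tag `hash`, copied from the 18.10.17.3 hash-override task above; a tag such as `ms-appinstaller-protocol` would describe the control and avoid selecting this task when someone runs `--tags hash`.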
@@ -0,0 +1,197 @@
---
- name: "18.10.26.1.1 | PATCH | Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.1.1
- automated
- patch
- application
- logs
- name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater"
block:
- name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_application_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_application_max_log_file_size < 32768
- name: "18.10.26.1.2 | AUDIT | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.26.1.2'
when: win11cis_application_max_log_file_size < 32768
- name: "18.10.26.1.2 | PATCH | Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater | Set File Size."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
name: MaxSize
data: "{{ win11cis_application_max_log_file_size }}"
type: dword
when: win11cis_application_max_log_file_size >= 32768
when:
- win11cis_rule_18_10_26_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.1.2
- automated
- patch
- application
- application-log-size
- name: "18.10.26.2.1 | PATCH | Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.2.1
- automated
- patch
- security
- logs
- name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater"
block:
- name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_security_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_security_max_log_file_size < 196608
- name: "18.10.26.2.2 | AUDIT | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.9.27.2.2'
when: win11cis_security_max_log_file_size < 196608
- name: "18.10.26.2.2 | PATCH | Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
name: MaxSize
data: "{{ win11cis_security_max_log_file_size }}"
type: dword
when: win11cis_security_max_log_file_size >= 196608
when:
- win11cis_rule_18_10_26_2_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.2.2
- automated
- patch
- security
- security-log-size
- name: "18.10.26.3.1 | PATCH | Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.3.1
- automated
- patch
- setup
- logs
- name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater"
block:
- name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_setup_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_setup_max_log_file_size < 32768
- name: "18.10.26.3.2 | AUDIT | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.26.3.2'
when: win11cis_setup_max_log_file_size < 32768
- name: "18.10.26.3.2 | PATCH | Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup
name: MaxSize
data: "{{ win11cis_setup_max_log_file_size }}"
type: dword
when: win11cis_setup_max_log_file_size >= 32768
when:
- win11cis_rule_18_10_26_3_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.3.2
- automated
- patch
- setup
- setup-log-size
- name: "18.10.26.4.1 | PATCH | Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
name: Retention
data: 0
type: string
when:
- win11cis_rule_18_10_26_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.4.1
- automated
- patch
- system
- logs
- name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater"
block:
- name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid file size set for win11cis_system_max_log_file_size. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_system_max_log_file_size < 32768
- name: "18.10.26.4.2 | AUDIT | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.26.4.2'
when: win11cis_system_max_log_file_size < 32768
- name: "18.10.26.4.2 | PATCH | Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System
name: MaxSize
data: "{{ win11cis_system_max_log_file_size }}"
type: dword
when: win11cis_system_max_log_file_size >= 32768
when:
- win11cis_rule_18_10_26_4_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.26.4.2
- automated
- patch
- system
- system-log-size
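Review bot: `warn_control_id: '18.9.27.2.2'` in the 18.10.26.2.2 warn-count task is the old benchmark numbering and does not match the control being processed, so the warning summary attributes the Security log size finding to a control that does not exist in this role; change it to `'18.10.26.2.2'` as the other three log-size blocks do. The `Retention` writes use `data: 0` with `type: string`, which does produce the REG_SZ "0" the benchmark expects, but quoting it as `'0'` would make that intent explicit.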
@@ -0,0 +1,60 @@
---
- name: "18.10.29.2 | PATCH | Ensure Turn off Data Execution Prevention for Explorer is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
name: NoDataExecutionPrevention
data: 0
type: dword
when:
- win11cis_rule_18_10_29_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.29.2
- automated
- patch
- data-execution-prevention
- name: "18.10.29.3 | PATCH | Ensure 'Turn off files from Office.com in Quick access view' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
name: DisableGraphRecentItems
data: 1
type: dword
when:
- win11cis_rule_18_10_29_3
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.29.3
- automated
- patch
- name: "18.10.29.4 | PATCH | Ensure Turn off heap termination on corruption is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
name: NoHeapTerminationOnCorruption
data: 0
type: dword
when:
- win11cis_rule_18_10_29_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.29.4
- automated
- patch
- heap-termination
- name: "18.10.29.5 | PATCH | Ensure Turn off shell protocol protected mode is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
name: PreXPSP2ShellProtocolBehavior
data: 0
type: dword
when:
- win11cis_rule_18_10_29_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.29.5
- automated
- patch
- shell
@@ -0,0 +1,29 @@
---
- name: "18.10.3.1 | PATCH | Ensure Allow a Windows app to share application data between users is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
name: AllowSharedLocalAppData
data: 0
type: dword
when:
- win11cis_rule_18_10_3_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.3.1
- automated
- patch
- name: "18.10.3.2 | PATCH | Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Appx
name: BlockNonAdminUserInstall
data: 1
type: dword
when:
- win11cis_rule_18_10_3_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.3.2
- automated
- patch
@@ -0,0 +1,17 @@
---
- name: "18.10.33.1 | PATCH | Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\HomeGroup
name: DisableHomeGroup
data: 1
type: dword
when:
- win11cis_rule_18_10_33_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.33.1
- automated
- patch
- administrative-templates-computer
- windows-components
@@ -0,0 +1,16 @@
---
- name: "18.10.37.2 | PATCH | Ensure Turn off location is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
name: DisableLocation
data: 1
type: dword
when:
- win11cis_rule_18_10_37_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.37.2
- automated
- patch
- location
@@ -0,0 +1,16 @@
---
- name: "18.10.4.1 | PATCH | Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
name: LetAppsActivateWithVoiceAboveLock
data: 1
type: dword
when:
- win11cis_rule_18_10_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.4.1
- automated
- patch
- voice
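Review bot: `data: 1` for `LetAppsActivateWithVoiceAboveLock` does not implement "Enabled: Force Deny"; for this policy 0 is "User is in control", 1 is "Force Allow" and 2 is "Force Deny", so as written the task explicitly allows voice activation above the lock screen, the opposite of the control. Change `data: 1` to `data: 2`.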
@@ -0,0 +1,15 @@
---
- name: "18.10.41.1 | PATCH | Ensure Allow Message Service Cloud Sync is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Messaging
name: AllowMessageSync
data: 0
type: dword
when:
- win11cis_rule_18_10_41_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.41.1
- automated
- patch
@@ -0,0 +1,16 @@
---
- name: "18.10.42.1 | PATCH | Ensure Block all consumer Microsoft account user authentication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\MicrosoftAccount
name: DisableUserAuth
data: 1
type: dword
when:
- win11cis_rule_18_10_42_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.42.1
- automated
- patch
- account
@@ -0,0 +1,253 @@
---
- name: "18.10.43.5.1 | PATCH | Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
name: LocalSettingOverrideSpynetReporting
data: 0
type: dword
when:
- win11cis_rule_18_10_43_5_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.5.1
- automated
- patch
- maps
- name: "18.10.43.5.2 | PATCH | Ensure Join Microsoft MAPS is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet
name: SpynetReporting
data: 0
type: dword
when:
- win11cis_rule_18_10_43_5_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.43.5.2
- automated
- patch
- maps
- name: "18.10.43.6.1.1 | PATCH | Ensure Configure Attack Surface Reduction rules is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR
name: ExploitGuard_ASR_Rules
data: 1
type: dword
when:
- win11cis_rule_18_10_43_6_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.6.1.1
- automated
- patch
- microsoft-defender-exploit-guard
- attack-surface-reduction
- defender
- name: "18.10.43.6.1.2 | PATCH | Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules
name: "{{ item }}"
data: 1
type: string
loop:
- 26190899-1602-49e8-8b27-eb1d0a1ce869
- 3b576869-a4ec-4529-8536-b80a7769e899
- 56a863a9-875e-4185-98a7-b882c64b5ce5
- 5beb7efe-fd9a-4556-801d-275e5ffc04cc
- 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84
- 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
- 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b
- 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
- b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
- be9ba2d9-53ea-4cdc-84e5-9b1eeee46550
- d3e037e1-3eb8-44c8-a917-57927947596d
- d4f940ab-401b-4efc-aadc-ad5f3c50688a
- e6db77e5-3df2-4cf1-b95a-636979351e5b
when:
- win11cis_rule_18_10_43_6_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.6.1.2
- automated
- patch
- microsoft-defender-exploit-guard
- attack-surface-reduction
- defender
- name: "18.10.43.6.3.1 | PATCH | Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection
name: EnableNetworkProtection
data: 1
type: dword
when:
- win11cis_rule_18_10_43_6_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.6.3.1
- automated
- patch
- administrative-templates-computer
- windows-components
- microsoft-defender-antivirus
- microsoft-defender-exploit-guard
- network-protection
- name: "18.10.43.7.1 | PATCH | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine
name: EnableFileHashComputation
data: 1
type: dword
when:
- win11cis_rule_18_10_43_7_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.43.7.1
- automated
- patch
- mpengine
- hash
- name: "18.10.43.10.1 | PATCH | Ensure Scan all downloaded files and attachments is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableIOAVProtection
data: 0
type: dword
when:
- win11cis_rule_18_10_43_10_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.1
- automated
- patch
- real-time-protection
- downloads
- name: "18.10.43.10.2 | PATCH | Ensure 'Turn off real-time protection' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableRealtimeMonitoring
data: 1
datatype: dword
when:
- win11cis_rule_18_10_43_10_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.2
- automated
- patch
- real-time-protection
- name: "18.10.43.10.3 | PATCH | Ensure Turn on behavior monitoring is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableBehaviorMonitoring
data: 0
type: dword
when:
- win11cis_rule_18_10_43_10_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.3
- automated
- patch
- real-time-protection
- behavior-monitoring
- name: "18.10.43.10.4 | PATCH | Ensure 'Turn on script scanning' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
name: DisableScriptScanning
data: 0
type: dword
when:
- win11cis_rule_18_10_43_10_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.10.4
- automated
- patch
- real-time-protection
- script-scanning
- name: "18.10.43.12.1 | PATCH | Ensure Configure Watson events is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting
name: DisableGenericRePorts
data: 1
type: dword
when:
- win11cis_rule_18_10_43_12_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.43.12.1
- automated
- patch
- reporting
- watson
- name: "18.10.43.13.1 | PATCH | Ensure Scan removable drives is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
name: DisableRemovableDriveScanning
data: 0
type: dword
when:
- win11cis_rule_18_10_43_13_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.13.1
- automated
- patch
- scan
- name: "18.10.43.13.2 | PATCH | Ensure Turn on e-mail scanning is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender\Scan
name: DisableEmailScanning
data: 0
type: dword
when:
- win11cis_rule_18_10_43_13_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.13.2
- automated
- patch
- email-scanning
- name: "18.10.43.16 | PATCH | Ensure Configure detection for potentially unwanted applications is set to Enabled Block"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender
name: PUAProtection
data: 1
type: dword
when:
- win11cis_rule_18_10_43_16
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.16
- automated
- patch
- defender
- name: "18.10.43.17 | PATCH | Ensure Turn off Windows Defender AntiVirus is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender
name: DisableAntiSpyware
data: 0
type: dword
when:
- win11cis_rule_18_10_43_17
tags:
- level1-corporate-enterprise-environment
- rule_18.10.43.17
- automated
- patch
- defender
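Review bot: the value name in 18.10.43.12.1 is spelled `DisableGenericRePorts`; Windows matches registry value names case-insensitively so the write still lands, but it should read `DisableGenericReports` to match the policy and keep the file greppable. Same point for key-path casing in this file: 18.10.43.10.4 uses `HKLM:\SOFTWARE\Policies\...` while the neighbouring tasks use `HKLM:\Software\Policies\...`; pick one.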
@@ -0,0 +1,88 @@
---
- name: "18.10.44.1 | PATCH | Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AuditApplicationGuard
data: 1
type: dword
when:
- win11cis_rule_18_10_44_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.1
- automated
- patch
- auditing
- name: "18.10.44.2 | PATCH | Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowCameraMicrophoneRedirection
data: 0
type: dword
when:
- win11cis_rule_18_10_44_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.2
- automated
- patch
- camera
- name: "18.10.44.3 | PATCH | Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowPersistence
data: 0
type: dword
when:
- win11cis_rule_18_10_44_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.3
- automated
- patch
- data-persistence
- name: "18.10.44.4 | PATCH | Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: SaveFilesToHost
data: 0
type: dword
when:
- win11cis_rule_18_10_44_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.4
- automated
- patch
- name: "18.10.44.5 | PATCH | Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AppHVSIClipboardSettings
data: 1
type: dword
when:
- win11cis_rule_18_10_44_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.5
- automated
- patch
- name: "18.10.44.6 | PATCH | Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\AppHVSI
name: AllowAppHVSI_ProviderSet
data: 1
type: dword
when:
- win11cis_rule_18_10_44_6
tags:
- level1-corporate-enterprise-environment
- rule_18.10.44.6
- automated
- patch
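Review bot: tagging is inconsistent within this file: 18.10.44.1 to 18.10.44.3 each carry a subject tag (`auditing`, `camera`, `data-persistence`) but 18.10.44.4, 18.10.44.5 and 18.10.44.6 have none, so a tag-scoped run cannot select them the same way. Either add an equivalent tag to the last three (for example `clipboard` on 18.10.44.5) or drop the subject tags for the whole file.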
@@ -0,0 +1,30 @@
---
- name: "18.10.5.1 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
name: MSAOptional
data: 1
type: dword
when:
- win11cis_rule_18_10_5_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.5.1
- automated
- patch
- name: "18.10.5.2 | PATCH | Ensure Allow Microsoft accounts to be optional is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
name: BlockHostedAppAccessWinRT
data: 1
type: dword
when:
- win11cis_rule_18_10_5_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.5.2
- automated
- patch
- api
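Review bot: the task name for 18.10.5.2 is copied from 18.10.5.1 ("Ensure Allow Microsoft accounts to be optional is set to Enabled") although the task writes `BlockHostedAppAccessWinRT`, not `MSAOptional`, so logs and reports will misdescribe the change. Rename it to describe the control actually applied (CIS 18.10.5.2, 'Block launching Universal Windows apps with Windows Runtime API access from hosted content' set to 'Enabled').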
@@ -0,0 +1,15 @@
---
- name: "18.10.50.1 | PATCH | Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Feeds
name: EnableFeeds
data: 0
type: dword
when:
- win11cis_rule_18_10_50_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.50.1
- automated
- patch
@@ -0,0 +1,15 @@
---
- name: "18.10.51.1 | PATCH | Ensure Prevent the usage of OneDrive for file storage is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive
name: DisableFileSyncNGSC
data: 1
type: dword
when:
- win11cis_rule_18_10_51_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.51.1
- automated
- patch
@@ -0,0 +1,15 @@
---
- name: "18.10.56.1 | PATCH | (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall
name: DisablePushToInstall
data: 1
type: dword
when:
- win11cis_rule_18_10_56_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.56.1
- automated
- patch
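Review bot: the name for 18.10.56.1 carries a "(L2)" prefix that no other task in this change uses; the profile level is already expressed by the `level2-high-security-sensitive-data-environment` tag, so drop the prefix to keep task names uniform for reporting.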
@@ -0,0 +1,312 @@
---
- name: "18.10.57.2.2 | PATCH | Ensure 'Disable Cloud Clipboard integration for server-to-client data transfer' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client
name: DisableCloudClipboardIntegration
data: 1
type: dword
when:
- win11cis_rule_18_10_57_2_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.2.2
- automated
- patch
- remote-desktop-connection-client
- name: "18.10.57.2.3 | PATCH | Ensure Do not allow passwords to be saved is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: DisablePasswordSaving
data: 1
type: dword
when:
- win11cis_rule_18_10_57_2_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.2.3
- automated
- patch
- remote-desktop-connection-client
- name: "18.10.57.3.2.1 | PATCH | Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDenyTSConnections
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_2_1
- not win_skip_for_test
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.2.1
- automated
- patch
- remote-desktop-session-host
- connections
- rdp
- name: "18.10.57.3.3.1 | PATCH | Ensure 'Allow UI Automation redirection' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: EnableUiaRedirection
data: 0
type: dword
when:
- win11cis_rule_18_10_57_3_3_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.1
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.2 | PATCH | Ensure Do not allow COM port redirection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableCcm
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.2
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.3 | PATCH | Ensure Do not allow drive redirection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableCdm
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.3.3
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.4 | PATCH | Ensure 'Do not allow location redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableLocationRedir
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_4
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.4
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.5 | PATCH | Ensure 'Do not allow LPT port redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableLPT
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_5
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.5
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.6 | PATCH | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisablePNPRedir
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_6
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.6
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.3.7 | PATCH | Ensure 'Do not allow WebAuthn redirection' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services
name: fDisableWebAuthn
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_3_7
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.3.7
- automated
- patch
- remote-desktop-session-host
- device-and-resource-redirection
- name: "18.10.57.3.9.1 | PATCH | Ensure Always prompt for password upon connection is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: fPromptForPassword
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_9_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.1
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.2 | PATCH | Ensure Require secure RPC communication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: fEncryptRPCTraffic
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_9_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.2
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.3 | PATCH | Ensure Require use of specific security layer for remote RDP connections is set to Enabled SSL"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: SecurityLayer
data: 2
type: dword
when:
- win11cis_rule_18_10_57_3_9_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.3
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.4 | PATCH | Ensure Require user authentication for remote connections by using Network Level Authentication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: UserAuthentication
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_9_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.4
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.9.5 | PATCH | Ensure Set client connection encryption level is set to Enabled High Level"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MinEncryptionLevel
data: 3
type: dword
when:
- win11cis_rule_18_10_57_3_9_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.9.5
- automated
- patch
- remote-desktop-session-host
- security
- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0)"
block:
- name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid time set for win11cis_idle_rdp_session_disconnect_time. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_idle_rdp_session_disconnect_time == 0 or
win11cis_idle_rdp_session_disconnect_time > 900000
- name: "18.10.57.3.10.1 | AUDIT | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.57.3.10.1'
when:
- win11cis_idle_rdp_session_disconnect_time == 0 or
win11cis_idle_rdp_session_disconnect_time > 900000
- name: "18.10.57.3.10.1 | PATCH | Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less, but not Never (0) | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxIdleTime
data: "{{ win11cis_idle_rdp_session_disconnect_time }}"
type: dword
when:
- win11cis_idle_rdp_session_disconnect_time <= 900000
- win11cis_idle_rdp_session_disconnect_time != 0
when:
- win11cis_rule_18_10_57_3_10_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.10.1
- automated
- patch
- remote-desktop-session-host
- session-time-limits
- name: "18.10.57.3.10.2 | PATCH | Ensure Set time limit for disconnected sessions is set to Enabled 1 minute"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: MaxDisconnectionTime
data: 60000
type: dword
when:
- win11cis_rule_18_10_57_3_10_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.57.3.10.2
- automated
- patch
- remote-desktop-session-host
- session-time-limits
- name: "18.10.57.3.11.1 | PATCH | Ensure Do not delete temp folders upon exit is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
name: DeleteTempDirsOnExit
data: 1
type: dword
when:
- win11cis_rule_18_10_57_3_11_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.57.3.11.1
- automated
- patch
- remote-desktop-session-host
- temporary-folders
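Review bot: the conditions in 18.10.57.3.10.1 (`win11cis_idle_rdp_session_disconnect_time == 0 or` / `win11cis_idle_rdp_session_disconnect_time > 900000`, and the inverse pair on the patch task) compare the variable with integers without casting; a value supplied with `-e` arrives as a string, and `'900000' > 900000` raises a TypeError in Jinja2 instead of evaluating, so the whole block fails. Apply `| int` in all three `when` lists, and consider computing the validity test once with `set_fact` so the copies cannot drift. Separately, the key path alternates between `Windows NT\Terminal Services` and `Windows Nt\Terminal Services` in this file; harmless to Windows, but worth making uniform.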
@@ -0,0 +1,15 @@
---
- name: "18.10.58.1 | PATCH | Ensure Prevent downloading of enclosures is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds
name: DisableEnclosureDownload
data: 1
type: dword
when:
- win11cis_rule_18_10_58_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.58.1
- automated
- patch
@@ -0,0 +1,90 @@
---
- name: "18.10.59.2 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCloudSearch
data: 0
type: dword
when:
- win11cis_rule_18_10_59_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.59.2
- automated
- patch
- cloud-search
- name: "18.10.59.3 | PATCH | Ensure Allow Cloud Search is set to Enabled Disable Cloud Search"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCortana
data: 0
type: dword
when:
- win11cis_rule_18_10_59_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.3
- automated
- patch
- cortana
- name: "18.10.59.4 | PATCH | Ensure 'Allow Cortana above lock screen' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowCortanaAboveLock
data: 0
type: dword
when:
- win11cis_rule_18_10_59_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.4
- automated
- patch
- cortana
- name: "18.10.59.5 | PATCH | Ensure Allow indexing of encrypted files is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowIndexingEncryptedStoresOrItems
data: 0
type: dword
when:
- win11cis_rule_18_10_59_5
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.5
- automated
- patch
- indexing
- name: "18.10.59.6 | PATCH | Ensure 'Allow search and Cortana to use location' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: AllowSearchToUseLocation
data: 0
type: dword
when:
- win11cis_rule_18_10_59_6
tags:
- level1-corporate-enterprise-environment
- rule_18.10.59.6
- automated
- patch
- cortana
- name: "18.10.59.7 | PATCH | Ensure 'Allow search highlights' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search
name: EnableDynamicContentInWSB
data: 0
type: dword
when:
- win11cis_rule_18_10_59_7
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.59.7
- automated
- patch
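Review bot: the task name for 18.10.59.3 repeats 18.10.59.2's ("Ensure Allow Cloud Search is set to Enabled Disable Cloud Search") but the task sets `AllowCortana` to 0; rename it to describe the Cortana control ('Allow Cortana' set to 'Disabled') so the name agrees with the value and the `cortana` tag. Also, 18.10.59.7 is the only task in this file without a subject tag.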
@@ -0,0 +1,15 @@
---
- name: "18.10.63.1 | PATCH | Ensure Turn off KMS Client Online AVS Validation is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform
name: NoGenTicket
data: 1
type: dword
when:
- win11cis_rule_18_10_63_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.63.1
- automated
- patch
@@ -0,0 +1,71 @@
---
- name: "18.10.66.1 | PATCH | Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: DisableStoreApps
data: 1
type: dword
when:
- win11cis_rule_18_10_66_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.66.1
- automated
- patch
- name: "18.10.66.2 | PATCH | Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: RequirePrivateStoreOnly
data: 1
type: dword
when:
- win11cis_rule_18_10_66_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.66.2
- automated
- patch
- name: "18.10.66.3 | PATCH | Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: AutoDownload
data: 4
type: dword
when:
- win11cis_rule_18_10_66_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.66.3
- automated
- patch
- name: "18.10.66.4 | PATCH | Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: DisableOSUpgrade
data: 1
type: dword
when:
- win11cis_rule_18_10_66_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.66.4
- automated
- patch
- name: "18.10.66.5 | PATCH | Ensure 'Turn off the Store application' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\WindowsStore
name: DisableOSUpgrade
data: 1
type: dword
when:
- win11cis_rule_18_10_66_5
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.66.5
- automated
- patch
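Review bot: two tasks in this file do not match their names. 18.10.66.1 says 'Disable all apps from Microsoft Store' is set to 'Disabled' but writes `DisableStoreApps` = 1, which enables that policy; for the policy to be Disabled the value must be 0. 18.10.66.5 ('Turn off the Store application' set to 'Enabled') writes `DisableOSUpgrade`, the same value 18.10.66.4 already sets, so it does nothing for the Store; that policy is backed by `RemoveWindowsStore` = 1 under the same key. Both read as copy-paste carry-over from the preceding task.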
@@ -0,0 +1,46 @@
---
- name: "18.10.7.1 | PATCH | Ensure Disallow Autoplay for non-volume devices is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
name: NoAutoplayfornonVolume
data: 1
type: dword
when:
- win11cis_rule_18_10_7_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.7.1
- automated
- patch
- autoplay
- name: "18.10.7.2 | PATCH | Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
name: NoAutorun
data: 1
type: dword
when:
- win11cis_rule_18_10_7_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.7.2
- automated
- patch
- autoplay
- name: "18.10.7.3 | PATCH | Ensure Turn off Autoplay is set to Enabled All drives"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
name: NoDriveTypeAutoRun
data: 255
type: dword
when:
- win11cis_rule_18_10_7_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.7.3
- automated
- patch
- autoplay
@@ -0,0 +1,15 @@
---
- name: "18.10.72.1 | PATCH | Ensure 'Allow widgets' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Dsh
name: AllowNewsAndInterests
data: 0
type: dword
when:
- win11cis_rule_18_10_72_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.72.1
- automated
- patch
@@ -0,0 +1,115 @@
---
- name: "18.10.76.1.1 | PATCH | Ensure 'Notify Malicious' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: NotifyMalicious
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.1
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.1.2 | PATCH | Ensure 'Notify Password Reuse' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: NotifyPasswordReuse
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.2
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.1.3 | PATCH | Ensure 'Notify Unsafe App' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: NotifyUnsafeApp
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.3
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.1.4 | PATCH | Ensure 'Service Enabled' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components
name: ServiceEnabled
data: 1
type: dword
when:
- win11cis_rule_18_10_76_1_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.1.4
- automated
- patch
- enhanced-phishing-protection
- name: "18.10.76.2.1 | PATCH | Ensure 'Service Enabled' is set to 'Enabled'"
block:
- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | EnableSmartScreen"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\System
name: EnableSmartScreen
data: 1
type: dword
- name: "18.10.76.2.1 | PATCH | Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass | ShellSmartScreenLevel"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\System
name: ShellSmartScreenLevel
data: Block
type: string
when:
- win11cis_rule_18_10_76_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.2.1
- automated
- patch
- explorer
- name: "18.10.76.3.1 | PATCH | Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter
name: EnabledV9
data: 1
type: dword
when:
- win11cis_rule_18_10_76_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.3.1
- automated
- patch
- microsoft-edge
- name: "18.10.76.3.2 | PATCH | Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter
name: PreventOverride
data: 1
type: dword
when:
- win11cis_rule_18_10_76_3_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.76.3.2
- automated
- patch
- microsoft-edge
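Review bot: the outer block name for 18.10.76.2.1 ("Ensure 'Service Enabled' is set to 'Enabled'") is copied from 18.10.76.1.4; the two inner tasks already carry the correct title ('Configure Windows Defender SmartScreen' set to 'Enabled: Warn and prevent bypass'), so the block name should use the same wording.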
@@ -0,0 +1,15 @@
---
- name: "18.10.78.1 | PATCH | Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\GameDVR
name: AllowGameDVR
data: 0
type: dword
when:
- win11cis_rule_18_10_78_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.78.1
- automated
- patch
@@ -0,0 +1,15 @@
---
- name: "18.10.79.1 | PATCH | Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Policies\PassportForWork\Biometrics
name: EnableESSwithSupportedPeripherals
data: 1
type: dword
when:
- win11cis_rule_18_10_79_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.79.1
- automated
- patch
@@ -0,0 +1,17 @@
---
- name: "18.10.8.1.1 | PATCH | Ensure Configure enhanced anti-spoofing is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
name: EnhancedAntiSpoofing
data: 1
type: dword
when:
- win11cis_rule_18_10_8_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.8.1.1
- automated
- patch
- facial-features
- antispoofing
@@ -0,0 +1,51 @@
---
- name: "18.10.80.1 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace
name: AllowSuggestedAppsInWindowsInkWorkspace
data: 0
type: dword
when:
- win11cis_rule_18_10_80_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.80.1
- automated
- patch
- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'"
block:
- name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_allow_windows_ink_workspace. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_allow_windows_ink_workspace != 0
- win11cis_allow_windows_ink_workspace != 1
- name: "18.10.80.2 | AUDIT | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.80.2'
when:
- win11cis_allow_windows_ink_workspace != 0
- win11cis_allow_windows_ink_workspace != 1
- name: "18.10.80.2 | PATCH | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Policies\Microsoft\WindowsInkWorkspace
name: AllowWindowsInkWorkspace
data: "{{ win11cis_allow_windows_ink_workspace }}"
type: dword
when:
- win11cis_allow_windows_ink_workspace == 0 or win11cis_allow_windows_ink_workspace == 1
when:
- win11cis_rule_18_10_80_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.80.2
- automated
- patch
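Review bot: the name of 18.10.80.2 duplicates 18.10.80.1's ('Allow suggested apps in Windows Ink Workspace' set to 'Disabled') but the block validates and writes `AllowWindowsInkWorkspace`, a different control whose accepted values are 0 or 1 as the `when` conditions show; rename the outer block and its three sub-tasks to describe the 'Allow Windows Ink Workspace' control. The `!= 0` / `!= 1` checks also compare without `| int`, so a value passed as the string "1" trips the warning and silently skips the patch; cast in all three conditions.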
@@ -0,0 +1,43 @@
---
- name: "18.10.81.1 | PATCH | Ensure 'Allow user control over installs' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: EnableUserControl
data: 0
type: dword
when:
- win11cis_rule_18_10_81_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.81.1
- automated
- patch
- name: "18.10.81.2 | PATCH | Ensure Always install with elevated privileges is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: AlwaysInstallElevated
data: 0
type: dword
when:
- win11cis_rule_18_10_81_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.81.2
- automated
- patch
- name: "18.10.81.3 | PATCH | Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Installer
name: SafeForScripting
data: 0
type: dword
when:
- win11cis_rule_18_10_81_3
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.81.3
- automated
- patch
@@ -0,0 +1,29 @@
---
- name: "18.10.82.1 | PATCH | Ensure 'Enable MPR notifications for the system' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: EnableMPR
data: 0
type: dword
when:
- win11cis_rule_18_10_82_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.82.1
- automated
- patch
- name: "18.10.82.2 | PATCH | Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System
name: DisableAutomaticRestartSignOn
data: 1
type: dword
when:
- win11cis_rule_18_10_82_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.82.2
- automated
- patch
@@ -0,0 +1,46 @@
---
- name: "18.10.87.1 | PATCH | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
name: EnableScriptBlockLogging
data: 1
type: dword
when:
- win11cis_rule_18_10_87_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.87.1
- automated
- patch
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled'"
block:
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled | Turn on PowerShell Transcription."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
name: EnableTranscripting
data: 1
type: dword
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled | Set Log Directory"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
name: OutputDirectory
data: "{{ win11cis_powershell_transcription_dir }}"
type: string
when: "'Default' not in win11cis_powershell_transcription_dir"
- name: "18.10.87.2 | PATCH | Ensure 'Turn on PowerShell Transcription' is set to 'Enabled | Remove Custom Log Directory"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription
name: OutputDirectory
state: absent
when: "'Default' in win11cis_powershell_transcription_dir"
when:
- win11cis_rule_18_10_87_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.87.2
- automated
- patch
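Review bot: `when: "'Default' not in win11cis_powershell_transcription_dir"` (and the `in` counterpart on the removal task) is a substring test, so a real path that happens to contain the word Default would be treated as the use-the-default sentinel and the OutputDirectory value removed; compare with `!= 'Default'` / `== 'Default'` instead. The three sub-task names in 18.10.87.2 also have an unbalanced quote ("is set to 'Enabled | Turn on PowerShell Transcription.").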
@@ -0,0 +1,112 @@
---
- name: "18.10.89.1.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
name: AllowBasic
data: 0
type: dword
when:
- win11cis_rule_18_10_89_1_1
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.1.1
- automated
- patch
- winrm-client
- name: "18.10.89.1.2 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
name: AllowUnencryptedTraffic
data: 0
type: dword
when:
- win11cis_rule_18_10_89_1_2
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.1.2
- automated
- patch
- winrm-client
- name: "18.10.89.1.3 | PATCH | Ensure Disallow Digest authentication is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client
name: AllowDigest
data: 0
type: dword
when:
- win11cis_rule_18_10_89_1_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.1.3
- automated
- patch
- winrm-client
- name: "18.10.89.2.1 | PATCH | Ensure Allow Basic authentication is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: AllowBasic
data: 0
type: dword
when:
- win11cis_rule_18_10_89_2_1
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.2.1
- automated
- patch
- winrm-service
# This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart
- name: "18.10.89.2.2 | PATCH | Ensure Allow remote server management through WinRM is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: AllowAutoConfig
data: 0
type: dword
when:
- win11cis_rule_18_10_89_2_2
- not win_skip_for_test
tags:
- level2-high-security-sensitive-data-environment
- rule_18.10.89.2.2
- automated
- patch
- winrm-service
- name: "18.10.89.2.3 | PATCH | Ensure Allow unencrypted traffic is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: AllowUnencryptedTraffic
data: 0
type: dword
when:
- win11cis_rule_18_10_89_2_3
- not win_skip_for_test
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.2.3
- automated
- patch
- winrm-service
- name: "18.9.102.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service
name: DisableRunAs
data: 1
type: dword
when:
- win11cis_rule_18_10_89_2_4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.89.2.4
- automated
- patch
- winrm-service
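Review bot: the comment above 18.10.89.2.2 contradicts the task beneath it. The comment says AllowAutoConfig "will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart", yet the task writes `data: 0` whenever `win11cis_rule_18_10_89_2_2` is true and `win_skip_for_test` is false, so an ordinary (non-test) run with that rule enabled stops the WinRM service from answering remote requests and cuts off the transport the role itself is using. Either reword the comment to warn that enabling this Level 2 rule breaks WinRM-based management and ship the rule disabled in the role's defaults, or guard the task on something stronger than `not win_skip_for_test`. Also, the last task's name reads "18.9.102.2.4 | PATCH | Ensure Disallow WinRM from storing RunAs credentials ..." while its variable and tag are `win11cis_rule_18_10_89_2_4` / `rule_18.10.89.2.4`; the name should carry the same 18.10.89.2.4 number as its siblings so tag-based and name-based searches agree.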
@@ -0,0 +1,769 @@
---
- name: "18.10.9.1.1 | PATCH | Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVDiscoveryVolumeType
data: <none>
type: string
when:
- win11cis_rule_18_10_9_1_1
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.1
- automated
- patch
- fixed-data-drives
- volume-type
- name: "18.10.9.1.2 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVRecovery
data: 1
type: dword
when:
- win11cis_rule_18_10_9_1_2
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.2
- automated
- patch
- fixed-data-drives
- recovery
- name: "18.10.9.1.3 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVManageDRA
data: 1
type: dword
when:
- win11cis_rule_18_10_9_1_3
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.3
- automated
- patch
- fixed-data-drives
- recovery-agent
- name: "18.10.9.1.4 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVRecoveryPassword
data: 2
type: dword
when:
- win11cis_rule_18_10_9_1_4
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.4
- automated
- patch
- fixed-data-drives
- recovery-password
- name: "18.10.9.1.5 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVRecoveryKey
data: 2
type: dword
when:
- win11cis_rule_18_10_9_1_5
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.5
- automated
- patch
- fixed-data-drives
- recovery-key
- name: "18.10.9.1.6 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True''"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVHideRecoveryPage
data: 1
type: dword
when:
- win11cis_rule_18_10_9_1_6
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.6
- automated
- patch
- fixed-data-drives
- recovery-options
- name: "18.10.9.1.7 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVHideRecoveryPage
data: 0
type: dword
when:
- win11cis_rule_18_10_9_1_7
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.7
- automated
- patch
- fixed-data-drives
- recovery-options
- name: "18.10.9.1.8 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVActiveDirectoryInfoToStore
data: 1
type: dword
when:
- win11cis_rule_18_10_9_1_8
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.8
- automated
- patch
- fixed-data-drives
- recovery-options
- name: "18.10.9.1.9 | PATCH | Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVRequireActiveDirectoryBackup
data: 0
type: dword
when:
- win11cis_rule_18_10_9_1_9
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.9
- automated
- patch
- fixed-data-drives
- recovery-options
- name: "18.10.9.1.10 | PATCH | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVHardwareEncryption
data: 0
type: dword
when:
- win11cis_rule_18_10_9_1_10
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.10
- automated
- patch
- fixed-data-drives
- encryption
- name: "18.10.9.1.11 | PATCH | Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVPassphrase
data: 0
type: dword
when:
- win11cis_rule_18_10_9_1_11
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.11
- automated
- patch
- fixed-data-drives
- passwords
- name: "18.10.9.1.12 | PATCH | Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVAllowUserCert
data: 1
type: dword
when:
- win11cis_rule_18_10_9_1_12
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.12
- automated
- patch
- fixed-data-drives
- smart-cards
- name: "18.10.9.1.13 | PATCH | Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: FDVEnforceUserCert
data: 1
type: dword
when:
- win11cis_rule_18_10_9_1_13
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.1.13
- automated
- patch
- fixed-data-drives
- smart-cards
- name: "18.10.9.2.1 | PATCH | Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: UseEnhancedPin
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_1
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.1
- automated
- patch
- operating-system-drives
- startup
- name: "18.10.9.2.2 | PATCH | Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSAllowSecureBootForIntegrity
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_2
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.2
- automated
- patch
- operating-system-drives
- secure-boot
- name: "18.10.9.2.3 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSRecovery
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_3
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.3
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.4 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSManageDRA
data: 0
type: dword
when:
- win11cis_rule_18_10_9_2_4
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.4
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.5 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSRecoveryPassword
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_5
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.5
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.6 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSRecoveryKey
data: 0
type: dword
when:
- win11cis_rule_18_10_9_2_6
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.6
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.7 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSHideRecoveryPage
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_7
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.7
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.8 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSActiveDirectoryBackup
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_8
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.8
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.9 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSActiveDirectoryInfoToStore
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_9
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.9
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.10 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSRequireActiveDirectoryBackup
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_10
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.10
- automated
- patch
- operating-system-drives
- recovery
- name: "18.10.9.2.11 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSHardwareEncryption
data: 0
type: dword
when:
- win11cis_rule_18_10_9_2_11
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.11
- automated
- patch
- operating-system-drives
- passwords
- name: "18.10.9.2.12 | PATCH | Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: OSPassphrase
data: 0
type: dword
when:
- win11cis_rule_18_10_9_2_12
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.12
- automated
- patch
- operating-system-drives
- name: "18.10.9.2.13 | PATCH | Ensure 'Require additional authentication at startup' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: UseAdvancedStartup
data: 1
type: dword
when:
- win11cis_rule_18_10_9_2_13
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.13
- automated
- patch
- operating-system-drives
- name: "18.10.9.2.14 | PATCH | Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: EnableBDEWithNoTPM
data: 0
type: dword
when:
- win11cis_rule_18_10_9_2_14
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.2.14
- automated
- patch
- operating-system-drives
- tpm
- name: "18.10.9.3.1 | PATCH | Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVDiscoveryVolumeType
data: <none>
type: string
when:
- win11cis_rule_18_10_9_3_1
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.1
- automated
- patch
- removable-data-drives
- name: "18.10.9.3.2 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVRecovery
data: 1
type: dword
when:
- win11cis_rule_18_10_9_3_2
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.2
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.3 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVManageDRA
data: 1
type: dword
when:
- win11cis_rule_18_10_9_3_3
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.3
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.4 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVManageDRA
data: 0
type: dword
when:
- win11cis_rule_18_10_9_3_4
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.4
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.5 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVRecoveryKey
data: 0
type: dword
when:
- win11cis_rule_18_10_9_3_5
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.5
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.6 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVHideRecoveryPage
data: 1
type: dword
when:
- win11cis_rule_18_10_9_3_6
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.6
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.7 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVActiveDirectoryBackup
data: 0
type: dword
when:
- win11cis_rule_18_10_9_3_7
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.7
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.8 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVActiveDirectoryInfoToStore
data: 1
type: dword
when:
- win11cis_rule_18_10_9_3_8
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.8
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.9 | PATCH | Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVRequireActiveDirectoryBackup
data: 0
type: dword
when:
- win11cis_rule_18_10_9_3_9
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.9
- automated
- patch
- removable-data-drives
- recovery
- name: "18.10.9.3.10 | PATCH | Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVHardwareEncryption
data: 0
type: dword
when:
- win11cis_rule_18_10_9_3_10
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.10
- automated
- patch
- removable-data-drives
- encryption
- name: "18.10.9.3.11 | PATCH | Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVPassphrase
data: 0
type: dword
when:
- win11cis_rule_18_10_9_3_11
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.11
- automated
- patch
- removable-data-drives
- passwords
- name: "18.10.9.3.12 | PATCH | Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVAllowUserCert
data: 1
type: dword
when:
- win11cis_rule_18_10_9_3_12
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.12
- automated
- patch
- removable-data-drives
- passwords
- name: "18.10.9.3.13 | PATCH | Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVEnforceUserCert
data: 1
type: dword
when:
- win11cis_rule_18_10_9_3_13
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.13
- automated
- patch
- removable-data-drives
- smart-cards
- name: "18.10.9.3.14 | PATCH | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVDenyWriteAccess
data: 1
type: dword
when:
- win11cis_rule_18_10_9_3_14
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.14
- automated
- patch
- removable-data-drives
- name: "18.10.9.3.15 | PATCH | Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: RDVDenyCrossOrg
data: 0
type: dword
when:
- win11cis_rule_18_10_9_3_15
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.3.15
- automated
- patch
- removable-data-drives
- name: "18.10.9.4 | PATCH | Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\FVE
name: DisableExternalDMAUnderLock
data: 1
type: dword
when:
- win11cis_rule_18_10_9_4
tags:
- level1-bitlocker
- level2-bitlocker
- bitlocker
- rule_18.10.9.4
- automated
- patch
- dma
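Review bot: two tasks in this file write the wrong registry value and silently undo an earlier task. 18.10.9.1.7 ("Save BitLocker recovery information to AD DS for fixed data drives ... Enabled: False") sets `name: FDVHideRecoveryPage` / `data: 0`, which reverses the `FDVHideRecoveryPage` / `data: 1` written by 18.10.9.1.6 directly above it and never touches the AD DS backup setting; by analogy with `OSActiveDirectoryBackup` (18.10.9.2.8) and `RDVActiveDirectoryBackup` (18.10.9.3.7) the value should be `FDVActiveDirectoryBackup`. Likewise 18.10.9.3.4 ("Recovery Password ... Do not allow 48-digit recovery password") sets `name: RDVManageDRA` / `data: 0`, overwriting the `RDVManageDRA` / `data: 1` from 18.10.9.3.3; the fixed-drive and OS-drive counterparts use `FDVRecoveryPassword` and `OSRecoveryPassword`, so this should be `RDVRecoveryPassword`. As written, the file ends up showing recovery options in the fixed-drive wizard and disabling the removable-drive data recovery agent, the opposite of what the task names promise, and a run reports all of it as compliant. Separately, several task names were copy-pasted from the preceding task and no longer describe what they set: 18.10.9.1.4 (sets `FDVRecoveryPassword`, not the DRA), 18.10.9.1.11 (sets `FDVPassphrase`, not hardware encryption), 18.10.9.2.11 and 18.10.9.2.12 (set `OSHardwareEncryption` and `OSPassphrase`, not the AD DS backup requirement) and 18.10.9.3.13 (sets `RDVEnforceUserCert`, the "Require use of smart cards" sub-setting); 18.10.9.3.12 also carries a `passwords` tag although it configures smart cards. Finally, `data: <none>` with `type: string` on 18.10.9.1.1 and 18.10.9.3.1 is the literal string that policy's Disabled state stores, not an unfilled placeholder; a one-line comment saying so would stop the next reader from "fixing" it.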
@@ -0,0 +1,16 @@
---
- name: "18.1.90.1 | PATCH | Ensure Allow Remote Shell Access is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs
name: AllowRemoteShellAccess
data: 0
type: dword
when:
- win11cis_rule_18_1_90_1
- not win_skip_for_test
tags:
- level2-high-security-sensitive-data-environment
- rule_18.1.90.1
- automated
- patch
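Review bot: the control number here looks wrong. The task name, its variable and its tag all use 18.1.90.1 (`win11cis_rule_18_1_90_1`, `rule_18.1.90.1`), but this file sits among the 18.10.x Windows Components controls (18.10.89.x WinRM before it, 18.10.92.x and 18.10.93.x after it), and 18.10.90.1 is the number the surrounding files imply. The defaults file has to declare the same variable name, so rename it there in the same change. Unlike the other task files in this commit, the task also carries no component tag (the WinRM tasks use `winrm-client` / `winrm-service`); a `winrs` tag would keep tag-driven runs consistent.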
@@ -0,0 +1,29 @@
---
- name: "18.1.91.1 | PATCH | Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Sandbox
name: AllowClipboardRedirection
data: 0
type: dword
when:
- win11cis_rule_18_1_91_1
tags:
- level1-corporate-enterprise-environment
- rule_18.1.91.1
- automated
- patch
- name: "18.1.91.2 | PATCH | Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Sandbox
name: AllowNetworking
data: 0
type: dword
when:
- win11cis_rule_18_1_91_2
tags:
- level1-corporate-enterprise-environment
- rule_18.1.91.2
- automated
- patch
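Review bot: the second task's name is a copy of the first. 18.1.91.2 is titled "Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'" but writes `name: AllowNetworking`, i.e. the networking policy, so the name should read "Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'". Both tasks also use the 18.1.91.x numbering (`win11cis_rule_18_1_91_1`, `rule_18.1.91.1`) while every other file in this set is under 18.10.x; if the intended number is 18.10.91.x, the variable names and tags need to change together with the defaults that declare them.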
@@ -0,0 +1,15 @@
---
- name: "18.10.92.2.1 | PATCH | Ensure Prevent users from modifying settings is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
name: DisallowExploitProtectionOverride
data: 1
type: dword
when:
- win11cis_rule_18_10_92_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.92.2.1
- automated
- patch
- app-and-browser-protection
@@ -0,0 +1,174 @@
---
- name: "18.10.93.1.1 | PATCH | Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoRebootWithLoggedOnUsers
data: 0
type: dword
when:
- win11cis_rule_18_10_93_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.1.1
- automated
- patch
- legacy-policies
- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled"
block:
- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled | Set Auto Update."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: NoAutoUpdate
data: 0
type: dword
- name: "18.10.93.2.1 | AUDIT | Ensure Configure Automatic Updates is set to Enabled | Warning Message Bad Variable."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_au_options. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_au_options < 2 or win11cis_au_options > 5
- name: "18.10.93.2.1 | AUDIT | Ensure Configure Automatic Updates is set to Enabled | Warning Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.93.2.1'
when:
- win11cis_au_options < 2 or win11cis_au_options > 5
- name: "18.10.93.2.1 | PATCH | Ensure Configure Automatic Updates is set to Enabled | Set Properties For Updates."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: AUOptions
data: "{{ win11cis_au_options }}"
type: dword
when:
- win11cis_au_options >= 2
- win11cis_au_options <= 5
when:
- win11cis_rule_18_10_93_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.2.1
- automated
- patch
- manage-end-user-experience
- updates
- name: "18.10.93.2.2 | PATCH | Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' "
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au
name: ScheduledInstallDay
data: 0
type: dword
when:
- win11cis_rule_18_10_93_2_2
- win11cis_au_options == 4
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.2.2
- automated
- patch
- manage-end-user-experience
- updates
- name: "18.10.93.2.3 | PATCH | Ensure 'Remove access to “Pause updates” feature' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\PPolicies\Microsoft\Windows\WindowsUpdate
name: SetDisablePauseUXAccess
data: 1
type: dword
when:
- win11cis_rule_18_10_93_2_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.2.3
- automated
- patch
- manage-end-user-experience
- updates
- name: "18.10.93.4.1 | PATCH | Ensure 'Manage preview builds' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: ManagePreviewBuildsPolicyValue
data: 0
type: dword
when:
- win11cis_rule_18_10_93_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.4.1
- automated
- patch
- manage-updates-offered-from-windows-update
- preview
- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'"
block:
- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdates"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: DeferFeatureUpdates
data: 1
type: dword
- name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Variable Warning."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid number of days for win11cis_defer_feature_updates_period_in_days. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_defer_feature_updates_period_in_days < 180
- name: "18.10.93.4.2 | AUDIT | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | Warning Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.10.93.4.2'
when: win11cis_defer_feature_updates_period_in_days < 180
- name: "18.10.93.4.2 | PATCH | Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' | DeferFeatureUpdatesPeriodInDays"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate
name: DeferFeatureUpdatesPeriodInDays
data: "{{ win11cis_defer_feature_updates_period_in_days }}"
type: dword
when: win11cis_defer_feature_updates_period_in_days >= 180
when:
- win11cis_rule_18_10_93_4_2
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.4.2
- automated
- patch
- manage-updates-offered-from-windows-update
- preview
- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days"
block:
- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdates"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
name: DeferQualityUpdates
data: 1
type: dword
- name: "18.10.93.4.3 | PATCH | Ensure Select when Quality Updates are received is set to Enabled 0 days | DeferQualityUpdatesPeriodInDays"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
name: DeferQualityUpdatesPeriodInDays
data: 0
type: dword
when:
- win11cis_rule_18_10_93_4_3
tags:
- level1-corporate-enterprise-environment
- rule_18.10.93.4.3
- automated
- patch
- manage-updates-offered-from-windows-update
- updates
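Review bot: 18.10.93.2.3 writes to a misspelled key. `path: HKLM:\Software\PPolicies\Microsoft\Windows\WindowsUpdate` has a doubled P, so `win_regedit` will create `SetDisablePauseUXAccess` under a new `PPolicies` tree, report `changed`, and leave the real `HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate` untouched; the "Pause updates" control stays available to users and nothing in the play flags it. Fix the path to match the one used by 18.10.93.4.1 two tasks later. A smaller point on 18.10.93.2.1: `NoAutoUpdate` is set to 0 before the `win11cis_au_options` range check, so an out-of-range value leaves automatic updates enabled with whatever `AUOptions` was already on the box; if that is intended, say so in the warning text, otherwise put the `NoAutoUpdate` step behind the same `>= 2` / `<= 5` condition as the `AUOptions` write.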
+337
@@ -0,0 +1,337 @@
---
- name: "SECTION | 18.10.3 | App Package Deployment"
ansible.builtin.import_tasks:
file: cis_18.10.3.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-package-deployment
- name: "SECTION | 18.10.4 | App Privacy"
ansible.builtin.import_tasks:
file: cis_18.10.4.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-privacy
- name: "SECTION | 18.10.5 | App Runtime"
ansible.builtin.import_tasks:
file: cis_18.10.5.x.yml
tags:
- administrative-templates-computer
- windows-components
- app-runtime
- name: "SECTION | 18.10.7 | Autoplay Policies"
ansible.builtin.import_tasks:
file: cis_18.10.7.x.yml
tags:
- administrative-templates-computer
- windows-components
- autoplay-policies
- name: "SECTION | 18.10.8 | Biometrics"
ansible.builtin.import_tasks:
file: cis_18.10.8.x.yml
tags:
- administrative-templates-computer
- windows-components
- biometrics
- name: "SECTION | 18.10.9 | Bitlocker Drive Encryption"
ansible.builtin.import_tasks:
file: cis_18.10.9.x.yml
tags:
- administrative-templates-computer
- windows-components
- bitlocker-drive-encryption
- name: "SECTION | 18.10.10 | Camera"
ansible.builtin.import_tasks:
file: cis_18.10.10.x.yml
tags:
- administrative-templates-computer
- windows-components
- camera
- name: "SECTION | 18.10.12 | Cloud Content"
ansible.builtin.import_tasks:
file: cis_18.10.12.x.yml
tags:
- administrative-templates-computer
- windows-components
- cloud-content
- name: "SECTION | 18.10.13 | Connect"
ansible.builtin.import_tasks:
file: cis_18.10.13.x.yml
tags:
- administrative-templates-computer
- windows-components
- connect
- name: "SECTION | 18.10.14 | Credential User Interface"
ansible.builtin.import_tasks:
file: cis_18.10.14.x.yml
tags:
- administrative-templates-computer
- windows-components
- credential-user-interface
- name: "SECTION | 18.10.15 | Data Collection And Preview Builds"
ansible.builtin.import_tasks:
file: cis_18.10.15.x.yml
tags:
- administrative-templates-computer
- windows-components
- data-collection-and-preview-builds
- name: "SECTION | 18.10.16 | Delivery Optimization"
ansible.builtin.import_tasks:
file: cis_18.10.16.x.yml
tags:
- administrative-templates-computer
- windows-components
- delivery-optimization
- name: "SECTION | 18.10.17 | Desktop App Installer"
ansible.builtin.import_tasks:
file: cis_18.10.17.x.yml
tags:
- administrative-templates-computer
- windows-components
- desktop-app-installer
- name: "SECTION | 18.10.26 | Event Log Service"
ansible.builtin.import_tasks:
file: cis_18.10.26.x.yml
tags:
- administrative-templates-computer
- windows-components
- event-log-service
- name: "SECTION | 18.10.29 | File Explorer (Formerly Windows Explorer)"
ansible.builtin.import_tasks:
file: cis_18.10.29.x.yml
tags:
- administrative-templates-computer
- windows-components
- file-explorer
- name: "SECTION | 18.10.33 | Homegroup"
ansible.builtin.import_tasks:
file: cis_18.10.33.x.yml
tags:
- administrative-templates-computer
- windows-components
- homegroup
- name: "SECTION | 18.10.37 | Location And Sensors"
ansible.builtin.import_tasks:
file: cis_18.10.37.x.yml
tags:
- administrative-templates-computer
- windows-components
- location-and-sensors
- name: "SECTION | 18.10.41 | Messaging"
ansible.builtin.import_tasks:
file: cis_18.10.41.x.yml
tags:
- administrative-templates-computer
- windows-components
- messaging
- name: "SECTION | 18.10.42 | Microsoft Account"
ansible.builtin.import_tasks:
file: cis_18.10.42.x.yml
tags:
- administrative-templates-computer
- windows-components
- microsoft-account
- name: "SECTION | 18.10.43 | Microsoft Defender Antivirus (formerly Windows Defender and Windows Defender Antivirus)"
ansible.builtin.import_tasks:
file: cis_18.10.43.x.yml
tags:
- administrative-templates-computer
- windows-components
- microsoft-defender-antivirus
- name: "SECTION | 18.10.44 | Microsoft Defender Application Guard (formerly Windows Defender Application Guard)"
ansible.builtin.import_tasks:
file: cis_18.10.44.x.yml
tags:
- administrative-templates-computer
- windows-components
- microsoft-defender-application-guard
- name: "SECTION | 18.10.50 | News And Interests"
ansible.builtin.import_tasks:
file: cis_18.10.50.x.yml
tags:
- administrative-templates-computer
- windows-components
- news-and-interests
- name: "SECTION | 18.10.51 | OneDrive (Formerly SkyDrive)"
ansible.builtin.import_tasks:
file: cis_18.10.51.x.yml
tags:
- administrative-templates-computer
- windows-components
- onedrive
- name: "SECTION | 18.10.56 | Push To Install"
ansible.builtin.import_tasks:
file: cis_18.10.56.x.yml
tags:
- administrative-templates-computer
- windows-components
- push-to-install
- name: "SECTION | 18.10.57 | Remote Desktop Services (formerly Terminal Services)"
ansible.builtin.import_tasks:
file: cis_18.10.57.x.yml
tags:
- administrative-templates-computer
- windows-components
- remote-desktop-services
- name: "SECTION | 18.10.58 | RSS Feeds"
ansible.builtin.import_tasks:
file: cis_18.10.58.x.yml
tags:
- administrative-templates-computer
- windows-components
- rss-feeds
- name: "SECTION | 18.10.59 | Search"
ansible.builtin.import_tasks:
file: cis_18.10.59.x.yml
tags:
- administrative-templates-computer
- windows-components
- search
- name: "SECTION | 18.10.63 | Software Protection Platform"
ansible.builtin.import_tasks:
file: cis_18.10.63.x.yml
tags:
- administrative-templates-computer
- windows-components
- software-protection-platform
- name: "SECTION | 18.10.66 | Store"
ansible.builtin.import_tasks:
file: cis_18.10.66.x.yml
tags:
- administrative-templates-computer
- windows-components
- store
- name: "SECTION | 18.10.72 | Widgets"
ansible.builtin.import_tasks:
file: cis_18.10.72.x.yml
tags:
- administrative-templates-computer
- windows-components
- widgets
- name: "SECTION | 18.10.76 | Windows Defender SmartScreen"
ansible.builtin.import_tasks:
file: cis_18.10.76.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-defender-smartscreen
- name: "SECTION | 18.10.78 | Windows Game Recording and Broadcasting"
ansible.builtin.import_tasks:
file: cis_18.10.78.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-game-recording-and-broadcasting
- name: "SECTION | 18.10.79 | Windows Hello for Business (formerly Microsoft Passport for Work)"
ansible.builtin.import_tasks:
file: cis_18.10.79.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-hello-for-business
- name: "SECTION | 18.10.80 | Windows Ink Workspace"
ansible.builtin.import_tasks:
file: cis_18.10.80.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-ink-workspace
- name: "SECTION | 18.10.81 | Windows Installer"
ansible.builtin.import_tasks:
file: cis_18.10.81.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-installer
- name: "SECTION | 18.10.82 | Windows Logon Options"
ansible.builtin.import_tasks:
file: cis_18.10.82.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-logon-options
- name: "SECTION | 18.10.87 | Windows Powershell"
ansible.builtin.import_tasks:
file: cis_18.10.87.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-powershell
- name: "SECTION | 18.10.89 | Windows Remote Management (WinRM)"
ansible.builtin.import_tasks:
file: cis_18.10.89.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-remote-management
- name: "SECTION | 18.10.90 | Windows Remote Shell"
ansible.builtin.import_tasks:
file: cis_18.10.90.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-remote-shell
- name: "SECTION | 18.10.91 | Windows Sandbox"
ansible.builtin.import_tasks:
file: cis_18.10.91.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-sandbox
- name: "SECTION | 18.10.92 | Windows Security (formerly Windows Defender Security Center)"
ansible.builtin.import_tasks:
file: cis_18.10.92.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-security
- name: "SECTION | 18.10.93 | Windows Update"
ansible.builtin.import_tasks:
file: cis_18.10.93.x.yml
tags:
- administrative-templates-computer
- windows-components
- windows-update
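Review bot: the section name on the `18.10.87` import reads "Windows Powershell"; the product and the CIS section title spell it "Windows PowerShell", so adjust the casing to match the other section names in this file, which follow the benchmark titles.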
@@ -0,0 +1,124 @@
---
- name: "18.3.1 | PATCH | Ensure LAPS AdmPwd GPO Extension CSE is installed."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}
name: DllName
data: C:\Program Files\LAPS\CSE\AdmPwd.dll
type: string
when:
- win11cis_rule_18_3_1
tags:
- level1-corporate-enterprise-environment
- rule_18.3.1
- automated
- patch
- gpo
- name: "18.3.2 | PATCH | Ensure Do not allow password expiration time longer than required by policy is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PwdExpirationProtectionEnabled
data: 1
type: dword
when:
- win11cis_rule_18_3_2
tags:
- level1-corporate-enterprise-environment
- rule_18.3.2
- automated
- patch
- password
- name: "18.3.3 | PATCH | Ensure Enable Local Admin Password Management is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: AdmPwdEnabled
data: 1
type: dword
when:
- win11cis_rule_18_3_3
tags:
- level1-corporate-enterprise-environment
- rule_18.3.3
- automated
- patch
- administrator-password
- name: "18.3.4 | PATCH | Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PasswordComplexity
data: 4
type: dword
when:
- win11cis_rule_18_3_4
tags:
- level1-corporate-enterprise-environment
- rule_18.3.4
- automated
- patch
- password
- name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more."
block:
- name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid password length set for win11cis_laps_password_length please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_laps_password_length < 15
- name: "18.3.5 | AUDIT | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.3.5'
when: win11cis_laps_password_length < 15
- name: "18.3.5 | PATCH | Ensure Password Settings Password Length is set to Enabled 15 or more MS only. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PasswordLength
data: "{{ win11cis_laps_password_length }}"
type: dword
when: win11cis_laps_password_length >= 15
when:
- win11cis_rule_18_3_5
tags:
- level1-corporate-enterprise-environment
- rule_18.3.5
- patch
- password
- name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer."
block:
- name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have a invalid password length set for win11cis_laps_password_length please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_laps_password_age_days > 30
- name: "18.3.6 | AUDIT | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.3.6'
when: win11cis_laps_password_age_days > 30
- name: "18.3.6 | PATCH | Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd
name: PasswordAgeDays
data: "{{ win11cis_laps_password_age_days }}"
type: dword
when: win11cis_laps_password_age_days <= 30
when:
- win11cis_rule_18_3_6
tags:
- level1-corporate-enterprise-environment
- rule_18.3.6
- automated
- patch
- password
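Review bot: the 18.3.6 warning message is a copy-paste from 18.3.5: it tells the user they have "a invalid password length set for win11cis_laps_password_length" while the condition that triggers it is `win11cis_laps_password_age_days > 30`, so it should say something like "You have an invalid password age set for win11cis_laps_password_age_days". Two smaller points: the 18.3.5 task is the only one in this file without the `automated` tag, and 18.3.1 only writes the `DllName` value pointing at `C:\Program Files\LAPS\CSE\AdmPwd.dll`; nothing checks that the DLL is present, so on a host without the legacy LAPS CSE installed this registers a dangling GPO extension rather than ensuring it is installed. Consider a `win_stat` guard or a note in the variable docs that the CSE must already be installed.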
@@ -0,0 +1,8 @@
---
- name: "SECTION | 18.3 | LAPS"
ansible.builtin.import_tasks:
file: cis_18.3.x.yml
tags:
- administrative-templates-computer
- laps
@@ -0,0 +1,111 @@
---
- name: "18.4.1 | PATCH | Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled."
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
name: LocalAccountTokenFilterPolicy
data: 0
type: dword
when:
- win11cis_rule_18_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.4.1
- automated
- patch
- uac
- name: "18.4.2 | PATCH | 18.4.2 | Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Print
name: RpcAuthnLevelPrivacyEnabled
data: 1
type: dword
when:
- win11cis_rule_18_4_2
tags:
- level1-corporate-enterprise-environment
- rule_18.4.2
- automated
- patch
- rpc
- name: "18.4.3 | PATCH | Ensure Configure SMB v1 client driver is set to Enabled Disable driver recommended"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10
name: Start
data: 4
type: dword
when:
- win11cis_rule_18_4_3
tags:
- level1-corporate-enterprise-environment
- rule_18.4.3
- automated
- patch
- smb
- name: "18.4.4 | PATCH | Ensure Configure SMB v1 server is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
name: SMB1
data: 0
type: dword
state: present
notify: change_requires_reboot
when:
- win11cis_rule_18_4_4
tags:
- level1-corporate-enterprise-environment
- rule_18.4.4
- automated
- patch
- smb
- name: "18.4.5 | PATCH | Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
name: DisableExceptionChainValidation
data: 0
type: dword
state: present
when:
- win11cis_rule_18_4_5
tags:
- level1-corporate-enterprise-environment
- rule_18.4.5
- automated
- patch
- sehop
- name: "18.4.6 | PATCH | Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node recommended'"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
state: present
value: NodeType
data: "{{ win11cis_netbt_nodetype }}"
datatype: dword
when:
- win11cis_rule_18_4_6
tags:
- level1-corporate-enterprise-environment
- rule_18.4.6
- automated
- patch
- sehop
- name: "18.4.7 | PATCH | Ensure WDigest Authentication is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest
state: present
value: UseLogonCredential
data: 0
datatype: dword
when:
- win11cis_rule_18_4_7
tags:
- level1-corporate-enterprise-environment
- rule_18.4.7
- automated
- patch
- wdigest
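Review bot: the 18.4.6 task (NetBT NodeType) carries the tag `sehop`, copied from 18.4.5; give it a tag matching its content (e.g. `netbt`), otherwise `--tags sehop` silently runs the NodeType change as well. The 18.4.2 task name also repeats the rule id ("18.4.2 | PATCH | 18.4.2 | ..."). Style: 18.4.6 and 18.4.7 use the `value:`/`datatype:` aliases while the rest of the file uses `name:`/`type:`; both are accepted by `ansible.windows.win_regedit`, but one form throughout the role keeps grepping for a registry value name reliable. Finally, 18.4.4 notifies `change_requires_reboot` while 18.4.3, which changes the `mrxsmb10` driver `Start` value, does not; if the client driver change also needs a reboot to take effect, notify the handler there for consistency.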
@@ -0,0 +1,8 @@
---
- name: "SECTION | 18.4 | MS Security Guide"
ansible.builtin.import_tasks:
file: cis_18.4.x.yml
tags:
- administrative-templates-computer
- ms-security-guide
@@ -0,0 +1,240 @@
---
- name: "18.5.1 | PATCH | Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
state: present
value: AutoAdminLogon
data: 0
datatype: string
when:
- win11cis_rule_18_5_1
tags:
- level1-corporate-enterprise-environment
- rule_18.5.1
- automated
- patch
- mss-auto-logon
- name: "18.5.2 | PATCH | Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
state: present
value: DisableIPSourceRouting
data: 2
datatype: dword
when:
- win11cis_rule_18_5_2
tags:
- level1-corporate-enterprise-environment
- rule_18.5.2
- automated
- patch
- iprouting
- name: "18.5.3 | PATCH | Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
state: present
value: DisableIPSourceRouting
data: 2
datatype: dword
when:
- win11cis_rule_18_5_3
tags:
- level1-corporate-enterprise-environment
- rule_18.5.3
- automated
- patch
- iprouting
- name: "18.5.4 | PATCH | Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
state: present
value: DisableSavePassword
data: 1
datatype: dword
when:
- win11cis_rule_18_5_4
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.4
- automated
- patch
- dial-up-password
- name: "18.5.5 | PATCH | Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
state: present
value: EnableICMPRedirect
data: 0
datatype: dword
when:
- win11cis_rule_18_5_5
tags:
- level1-corporate-enterprise-environment
- rule_18.5.5
- automated
- patch
- icmp
- name: "18.5.6 | PATCH | Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended"
ansible.windows.win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
state: present
value: KeepAliveTime
data: 300000
datatype: dword
when:
- win11cis_rule_18_5_6
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.6
- automated
- patch
- keepalivetime
- name: "18.5.7 | PATCH | Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
state: present
name: NoNameReleaseOnDemand
data: 1
type: dword
when:
- win11cis_rule_18_5_7
tags:
- level1-corporate-enterprise-environment
- rule_18.5.7
- automated
- patch
- nonamereleaseondemand
- name: "18.5.8 | PATCH | Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
state: present
name: PerformRouterDiscovery
data: 0
type: dword
when:
- win11cis_rule_18_5_8
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.8
- automated
- patch
- irdp
- name: "18.5.9 | PATCH | Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Control\Session Manager
name: SafeDllSearchMode
data: 1
type: dword
state: present
when:
- win11cis_rule_18_5_9
tags:
- level1-corporate-enterprise-environment
- rule_18.5.9
- automated
- patch
- safedllsearchmode
- name: "18.5.10 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds"
block:
- name: "18.5.10 | AUDIT | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid time set for win11cis_screen_saver_grace_period. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_screen_saver_grace_period > 5
- name: "18.5.10 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.5.10'
when: win11cis_screen_saver_grace_period > 5
- name: "18.5.10 | PATCH | Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
name: ScreenSaverGracePeriod
data: "{{ win11cis_screen_saver_grace_period }}"
type: string
state: present
when: win11cis_screen_saver_grace_period <= 5
when:
- win11cis_rule_18_5_10
tags:
- level1-corporate-enterprise-environment
- rule_18.5.10
- automated
- patch
- screen-saver
- name: "18.5.11 | PATCH | Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters
name: TcpMaxDataRetransmissions
data: 3
type: dword
when:
- win11cis_rule_18_5_11
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.11
- automated
- patch
- tcp-max-data-retransmissions
- name: "18.5.12 | PATCH | Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
name: TcpMaxDataRetransmissions
data: 3
type: dword
when:
- win11cis_rule_18_5_12
tags:
- level2-high-security-sensitive-data-environment
- rule_18.5.12
- automated
- patch
- tcp-max-data-retransmissions
- name: "18.5.13 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less"
block:
- name: "18.5.13 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid percentage set for win11cis_log_threshold_audit_event. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when: win11cis_log_threshold_audit_event > 90
- name: "18.5.13 | AUDIT | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.5.13'
when: win11cis_log_threshold_audit_event > 90
- name: "18.5.13 | PATCH | Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
name: WarningLevel
data: "{{ win11cis_log_threshold_audit_event }}"
type: dword
when: win11cis_log_threshold_audit_event <= 90
when:
- win11cis_rule_18_5_13
tags:
- level1-corporate-enterprise-environment
- rule_18.5.13
- automated
- patch
- mss-warning-level
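Review bot: the sub-task of the 18.5.10 block named "Set Warn Count" is labelled `PATCH` while the equivalent warn-count sub-task in 18.5.13 (and in the 18.3.x file) is labelled `AUDIT`; since it only imports `warning_facts.yml` and changes nothing on the host, `AUDIT` is the right label. Same alias remark as in 18.4.x: tasks 18.5.1 to 18.5.6 use `value:`/`datatype:`, 18.5.7 onward use `name:`/`type:`; pick one form for the file.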
@@ -0,0 +1,8 @@
---
- name: "SECTION | 18.5 | MSS (Legacy)"
ansible.builtin.import_tasks:
file: cis_18.5.x.yml
tags:
- administrative-templates-computer
- mss-legacy
@@ -0,0 +1,16 @@
---
- name: "18.6.10.2 | PATCH | Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Peernet
name: Disabled
data: 1
type: dword
when:
- win11cis_rule_18_6_10_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.10.2
- automated
- patch
- networking-services
@@ -0,0 +1,46 @@
---
- name: "18.6.11.2 | PATCH | Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
name: NC_AllowNetBridge_NLA
data: 0
type: dword
when:
- win11cis_rule_18_6_11_2
tags:
- level1-corporate-enterprise-environment
- rule_18.6.11.2
- automated
- patch
- network-bridge
- name: "18.6.11.3 | PATCH | Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
name: NC_ShowSharedAccessUI
data: 0
type: dword
when:
- win11cis_rule_18_6_11_3
tags:
- level1-corporate-enterprise-environment
- rule_18.6.11.3
- automated
- patch
- ics
- name: "18.6.11.4 | PATCH | Ensure Require domain users to elevate when setting a networks location is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
name: NC_StdDomainUserSetLocation
data: 1
type: dword
when:
- win11cis_rule_18_6_11_4
tags:
- level1-corporate-enterprise-environment
- rule_18.6.11.4
- automated
- patch
- domain-users
@@ -0,0 +1,25 @@
---
- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares"
block:
- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON shares"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
name: "\\\\*\\NETLOGON"
data: "RequireMutualAuthentication=1, RequireIntegrity=1"
type: string
- name: "18.6.14.1 | PATCH | Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all SYSVOL shares"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
name: "\\\\*\\SYSVOL"
data: "RequireMutualAuthentication=1, RequireIntegrity=1"
type: string
when:
- win11cis_rule_18_6_14_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.14.1
- automated
- patch
- unc
@@ -0,0 +1,17 @@
---
- name: "18.6.19.2.1 | PATCH | Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255"
ansible.windows.win_regedit:
path: HKLM:\System\CurrentControlSet\Services\TCPIP6\Parameters
name: DisabledComponents
data: 255
type: dword
when:
- win11cis_rule_18_6_19_2_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.19.2.1
- automated
- patch
- parameters
- ipv6
@@ -0,0 +1,60 @@
---
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled"
block:
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | EnableRegistrars"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
name: EnableRegistrars
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableUPnPRegistrar"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableUPnPRegistrar
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableInBand802DOT11Registrar"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableInBand802DOT11Registrar
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableFlashConfigRegistrar"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableFlashConfigRegistrar
data: 0
type: dword
- name: "18.6.20.1 | PATCH | Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled | DisableWPDRegistrar"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars
name: DisableWPDRegistrar
data: 0
type: dword
when:
- win11cis_rule_18_6_20_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.20.1
- automated
- patch
- wireless
- name: "18.6.20.2 | PATCH | Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui
name: DisableWcnUi
data: 1
type: dword
when:
- win11cis_rule_18_6_20_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.20.2
- automated
- windows-connect-now
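Review bot: the 18.6.20.2 task's tag list ends at `- automated` and is missing `- patch`, which every other PATCH task in these files carries; a run restricted with `--tags patch` would skip the `DisableWcnUi` change.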
@@ -0,0 +1,29 @@
---
- name: "18.6.21.1 | PATCH | Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
name: fMinimizeConnections
data: 3
type: dword
when:
- win11cis_rule_18_6_21_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.21.1
- automated
- patch
- name: "18.6.21.2 | PATCH | Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
name: fBlockNonDomain
data: 1
type: dword
when:
- win11cis_rule_18_6_21_2
tags:
- level1-corporate-enterprise-environment
- rule_18.6.21.2
- automated
- patch
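Review bot: both tasks in this file end their tag lists at `- patch` with no component tag, whereas the other 18.6.x files add one (e.g. `wireless`, `wlan-settings`); add something like `windows-connection-manager` so these can be selected or skipped on their own. The 18.6.21.2 name also carries the "MS only" qualifier, which reads as carried over from a member-server benchmark; the `win11cis_` variables mark this as a workstation role, so drop it if it does not apply here.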
@@ -0,0 +1,17 @@
---
- name: "18.6.23.2.1 | PATCH | Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config
name: AutoConnectAllowedOEM
data: 0
type: dword
when:
- win11cis_rule_18_6_23_2_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.23.2.1
- automated
- patch
- wlan-settings
- autoconnect
@@ -0,0 +1,88 @@
---
- name: "18.6.4.1 | PATCH | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher"
block:
- name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_doh_policy. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_doh_policy != 2
- win11cis_doh_policy != 3
- name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.6.4.1'
when:
- win11cis_doh_policy != 2
- win11cis_doh_policy != 3
- name: "18.6.4.1 | AUDIT | Ensure Configure DNS over HTTPS (DoH) name resolution is set to Enabled: Allow DoH or higher. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
name: DoHPolicy
data: "{{ win11cis_doh_policy }}"
type: dword
when: win11cis_doh_policy == 2 or win11cis_doh_policy == 3
when:
- win11cis_rule_18_6_4_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.4.1
- automated
- patch
- dns-over-https
- name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'"
block:
- name: "18.6.4.2 | AUDIT | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_enable_netbios_policy. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_enable_netbios_policy != 2
- win11cis_enable_netbios_policy != 0
- name: "18.6.4.2 | AUDIT | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.6.4.2'
when:
- win11cis_enable_netbios_policy != 2
- win11cis_enable_netbios_policy != 0
- name: "18.6.4.2 | PATCH | Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
name: EnableNetbios
data: "{{ win11cis_enable_netbios_policy }}"
type: dword
when: win11cis_enable_netbios_policy == 2 or win11cis_enable_netbios_policy == 0
when:
- win11cis_rule_18_6_4_2
tags:
- level1-corporate-enterprise-environment
- rule_18.6.4.2
- automated
- patch
- netbios
- name: "18.6.4.3 | PATCH | Ensure Turn off multicast name resolution is set to Enabled."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
name: EnableMulticast
data: 0
type: dword
when:
- win11cis_rule_18_6_4_3
tags:
- level1-corporate-enterprise-environment
- rule_18.6.4.3
- automated
- patch
- multicast
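Review bot: the third sub-task of the 18.6.4.1 block, "Set Variable", is labelled `AUDIT` in its name although it writes `DoHPolicy` with `win_regedit`; the matching sub-task in 18.6.4.2 is labelled `PATCH`, which is correct for both.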
@@ -0,0 +1,16 @@
---
- name: "18.6.5.1 | PATCH | Ensure Enable Font Providers is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
name: EnableFontProviders
data: 0
type: dword
when:
- win11cis_rule_18_6_5_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.5.1
- automated
- patch
- font-providers
@@ -0,0 +1,16 @@
---
- name: "18.6.8.1 | PATCH | Ensure Enable insecure guest logons is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation
name: AllowInsecureGuestAuth
data: 0
type: dword
when:
- win11cis_rule_18_6_8_1
tags:
- level1-corporate-enterprise-environment
- rule_18.6.8.1
- automated
- patch
- guest
@@ -0,0 +1,77 @@
---
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled"
block:
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOndomain"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: AllowLLTDIOOndomain
data: 0
type: dword
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | AllowLLTDIOOnPublicNet"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: AllowLLTDIOOnPublicNet
data: 0
type: dword
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | EnableLLTDIO"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: EnableLLTDIO
data: 0
type: dword
- name: "18.6.9.1 | PATCH | Ensure Turn on Mapper IO LLTDIO driver is set to Disabled | ProhibitLLTDIOOnPrivateNet"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: ProhibitLLTDIOOnPrivateNet
data: 0
type: dword
when:
- win11cis_rule_18_6_9_1
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.9.1
- automated
- patch
- mapper
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled"
block:
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnDomain"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: AllowRspndrOnDomain
data: 0
type: dword
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | AllowRspndrOnPublicNet"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: AllowRspndrOnPublicNet
data: 0
type: dword
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | EnableRspndr"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: EnableRspndr
data: 0
type: dword
- name: "18.6.9.2 | PATCH | Ensure Turn on Responder RSPNDR driver is set to Disabled | ProhibitRspndrOnPrivateNet"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\Lltd
name: ProhibitRspndrOnPrivateNet
data: 0
type: dword
when:
- win11cis_rule_18_6_9_2
tags:
- level2-high-security-sensitive-data-environment
- rule_18.6.9.2
- automated
- patch
- responder
@@ -0,0 +1,89 @@
---
- name: "SECTION | 18.6.4 | DNS Client"
ansible.builtin.import_tasks:
file: cis_18.6.4.x.yml
tags:
- administrative-templates-computer
- network
- dns-client
- name: "SECTION | 18.6.5 | Fonts"
ansible.builtin.import_tasks:
file: cis_18.6.5.x.yml
tags:
- administrative-templates-computer
- network
- fonts
- name: "SECTION | 18.6.8 | Lanman Workstation"
ansible.builtin.import_tasks:
file: cis_18.6.8.x.yml
tags:
- administrative-templates-computer
- network
- lanman-workstation
- name: "SECTION | 18.6.9 | Link-Layer Topology Discovery"
ansible.builtin.import_tasks:
file: cis_18.6.9.x.yml
tags:
- administrative-templates-computer
- network
- link-layer-topology-discovery
- name: "SECTION | 18.6.10 | Microsoft Peer-to-Peer Networking Services"
ansible.builtin.import_tasks:
file: cis_18.6.10.x.yml
tags:
- administrative-templates-computer
- network
- microsoft-peer-to-peer-networking-services
- name: "SECTION | 18.6.11 | Network Connections"
ansible.builtin.import_tasks:
file: cis_18.6.11.x.yml
tags:
- administrative-templates-computer
- network
- network-connections
- name: "SECTION | 18.6.14 | Network Provider"
ansible.builtin.import_tasks:
file: cis_18.6.14.x.yml
tags:
- administrative-templates-computer
- network
- network-provider
- name: "SECTION | 18.6.19.2 | TCP/IP Settings"
ansible.builtin.import_tasks:
file: cis_18.6.19.2.x.yml
tags:
- administrative-templates-computer
- network
- tcpip-settings
- name: "SECTION | 18.6.20 | Windows Connect Now"
ansible.builtin.import_tasks:
file: cis_18.6.20.x.yml
tags:
- administrative-templates-computer
- network
- windows-connect-now
- name: "SECTION | 18.6.21 | Windows Connection Manager"
ansible.builtin.import_tasks:
file: cis_18.6.21.x.yml
tags:
- administrative-templates-computer
- network
- windows-connection-manager
- name: "SECTION | 18.6.23.2 | WLAN Service"
ansible.builtin.import_tasks:
file: cis_18.6.23.2.x.yml
tags:
- administrative-templates-computer
- network
- wlan-service
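Review bot: the section list jumps from 18.6.5 to 18.6.8, from 18.6.11 to 18.6.14 and from 18.6.14 to 18.6.19.2 with no comment; since the numbering follows the benchmark's own section numbers, a one-line comment at the top of this file stating that the gaps are benchmark sections with nothing to automate in this role would stop the next contributor from reading them as missing imports. The tagging is right: `ansible.builtin.import_tasks` is static, so the `administrative-templates-computer` and `network` tags propagate to every task in each imported file, which is what `--tags network` relies on.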
@@ -0,0 +1,188 @@
---
- name: "18.7.1 | PATCH | Ensure Allow Print Spooler to accept client connections is set to Disabled"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers
name: RegisterSpoolerRemoteRpcEndPoint
data: 2
type: dword
when:
- win11cis_rule_18_7_1
tags:
- level1-corporate-enterprise-environment
- rule_18.7.1
- automated
- patch
- spooler
- name: "18.7.2 | PATCH | Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers
name: RedirectionguardPolicy
data: 1
type: dword
when:
- win11cis_rule_18_7_2
tags:
- level1-corporate-enterprise-environment
- rule_18.7.2
- automated
- patch
- spooler
- name: "18.7.3 | PATCH | Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcUseNamedPipeProtocol
data: 0
type: dword
when:
- win11cis_rule_18_7_3
tags:
- level1-corporate-enterprise-environment
- rule_18.7.3
- automated
- patch
- rpc
- name: "18.7.4 | PATCH | Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcAuthentication
data: 0
type: dword
when:
- win11cis_rule_18_7_4
tags:
- level1-corporate-enterprise-environment
- rule_18.7.4
- automated
- patch
- rpc
- name: "18.7.5 | PATCH | Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcProtocols
data: 5
type: dword
when:
- win11cis_rule_18_7_5
tags:
- level1-corporate-enterprise-environment
- rule_18.7.5
- automated
- patch
- rpc
- name: "18.7.6 | PATCH | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher."
block:
- name: "18.7.6 | AUDIT | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Warning Check For Variable Standards."
ansible.builtin.debug:
msg:
- "Warning!! You have an invalid setting for win11cis_force_kerberos_for_rpc. Please read"
- "the notes for the variable and make the necessary change to the variable to be in compliance."
when:
- win11cis_force_kerberos_for_rpc != 0
- win11cis_force_kerberos_for_rpc != 1
- name: "18.7.6 | AUDIT | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Warn Count."
ansible.builtin.import_tasks:
file: warning_facts.yml
vars:
warn_control_id: '18.7.6'
when:
- win11cis_force_kerberos_for_rpc != 0
- win11cis_force_kerberos_for_rpc != 1
- name: "18.7.6 | PATCH | Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher. | Set Variable."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
name: ForceKerberosForRpc
data: "{{ win11cis_force_kerberos_for_rpc }}"
type: dword
when:
- win11cis_force_kerberos_for_rpc == 0 or win11cis_force_kerberos_for_rpc == 1
when:
- win11cis_rule_18_7_6
tags:
- level1-corporate-enterprise-environment
- rule_18.7.6
- automated
- patch
- rpc
- name: "18.7.7 | PATCH | Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'."
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC
name: RpcTcpPort
data: 0
type: dword
when:
- win11cis_rule_18_7_7
tags:
- level1-corporate-enterprise-environment
- rule_18.7.7
- automated
- patch
- rpc
- name: "18.7.8 | PATCH | Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
name: RestrictDriverInstallationToAdministrators
data: 1
type: dword
when:
- win11cis_rule_18_7_8
tags:
- level1-corporate-enterprise-environment
- rule_18.7.8
- automated
- patch
- driver
- name: "18.7.9 | PATCH | Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers
name: CopyFilesPolicy
data: 1
type: dword
when:
- win11cis_rule_18_7_9
tags:
- level1-corporate-enterprise-environment
- rule_18.7.9
- automated
- patch
- queue
- name: "18.7.10 | PATCH | Ensure Point and Print Restrictions: When installing drivers for a new connection is set to Enabled: Show warning and elevation prompt"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
name: NoWarningNoElevationOnInstall
data: 0
type: dword
when:
- win11cis_rule_18_7_10
tags:
- level1-corporate-enterprise-environment
- rule_18.7.10
- automated
- patch
- point-and-print
- name: "18.7.11 | PATCH | Ensure Point and Print Restrictions: When updating drivers for an existing connection is set to Enabled: Show warning and elevation prompt"
ansible.windows.win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint
name: UpdatePromptSettings
data: 0
type: dword
when:
- win11cis_rule_18_7_11
tags:
- level1-corporate-enterprise-environment
- rule_18.7.11
- automated
- patch
- point-and-print
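Review bot: in 18.7.6 the guards `win11cis_force_kerberos_for_rpc != 0` / `!= 1` and `== 0 or == 1` compare against integers, so a value supplied as a string (for example `-e win11cis_force_kerberos_for_rpc=1` on the command line, which arrives as the string "1") trips the warning and skips the registry write even though the intent is valid; comparing `win11cis_force_kerberos_for_rpc | int` in both `when` lists (or `(win11cis_force_kerberos_for_rpc | int) not in [0, 1]` for the warning branch) closes that gap. Two style points in the same file: the registry paths alternate between `HKLM:\Software\...` and `HKLM:\SOFTWARE\...` (harmless on a case-insensitive hive, but pick one), and the task titles for 18.7.1, 18.7.10 and 18.7.11 drop the quotes around the policy name and setting that 18.7.2 through 18.7.9 use.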
@@ -0,0 +1,8 @@
---
- name: "SECTION | 18.7 | Printers"
ansible.builtin.import_tasks:
file: cis_18.7.x.yml
tags:
- administrative-templates-computer
- printers
@@ -0,0 +1,16 @@
---
- name: "18.8.1.1 | PATCH | Ensure Turn off notifications network usage is set to Enabled"
ansible.windows.win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications
name: NoCloudApplicationNotification
data: 1
type: dword
when:
- win11cis_rule_18_8_1_1
tags:
- level1-corporate-enterprise-environment
- rule_18.8.1.1
- automated
- patch
- notifications
@@ -0,0 +1,9 @@
---
- name: "SECTION | 18.8.1 | Notifications"
ansible.builtin.import_tasks:
file: cis_18.8.1.x.yml
tags:
- administrative-templates-computer
- start-menu-and-taskbar
- notifications
@@ -0,0 +1,16 @@
---
- name: "18.9.13.1 | PATCH | Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical"
ansible.windows.win_regedit:
path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
name: DriverLoadPolicy
data: 3
type: dword
when:
- win11cis_rule_18_9_13_1
tags:
- level1-corporate-enterprise-environment
- rule_18.9.13.1
- automated
- patch
- drivers
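Review bot: the registry path in 18.9.13.1 is written `HKLM:\System\Currentcontrolset\Policies\Earlylaunch`; the registry is case-insensitive so it works, but the rest of the diff capitalises paths as Windows documents them (`HKLM:\Software\Policies\...`), so `HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch` would match the convention and be easier to grep against the benchmark text. A short comment that `DriverLoadPolicy: 3` is the "Good, unknown and bad but critical" choice named in the task title, deliberately not the strictest value, would keep a future hardening pass from tightening it and leaving the question of why 3 was chosen to the commit history.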
