Giter Site home page Giter Site logo

ansible-lockdown / windows-2016-cis Goto Github PK

View Code? Open in Web Editor NEW
23.0 8.0 31.0 340 KB

CIS Baseline Ansible Role for Windows 2016

Home Page: http://www.lockdownenterprise.com

License: MIT License

YAML 86.50% Jinja 13.50%
ansible ansible-playbook ansible-role benchmark benchmark-framework cis cis-benchmark cis-compliant cis-standards compliance-as-code

windows-2016-cis's Introduction

Windows 2016 CIS

Configure a Windows 2016 machine to be CIS compliant

Based on Microsoft Windows Server 2016 RTM Benchmark v1.2.0 - 04-21-2022

Org Stars Stars Forks followers Twitter URL

Discord Badge

Release Branch Release Tag Main Release Date

Main Pipeline Status

Devel Pipeline Status Devel Commits

Issues Open Issues Closed Pull Requests

License

Looking for support?

Lockdown Enterprise

Ansible Support

Community

On our Discord Server to ask questions, discuss features, or just chat with other Ansible-Lockdown users

Caution(s)

This role will make changes to the system which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.

Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution.

This role was developed against a clean install of the Windows 2016 Operating System. If you are implementing this role on an existing system, please review this role for any site specific changes that are needed.

To use release version please point to main branch and relevant release for the CIS benchmark you wish to work with.

Matching a security Level for CIS

It is possible to only run level 1 or level 2 controls for CIS. This is managed using tags:

  • level1-domaincontroller
  • level1-memberserver
  • level2-domaincontroller
  • level2-memberserver

The controls found in defaults/main also need to reflect those control numbers due to aligning every control to the audit component.

Coming from a previous release

CIS releases routinely contain changes, so it is highly recommended to review the new references and available variables. This has changed significantly since the initial release of ansible-lockdown. This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites that configure the system accordingly.

Further details can be seen in the Changelog

Auditing (new)

Currently this release does not have a auditing tool that is up to date.

Documentation

Requirements

General:

  • Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible

  • Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.

  • Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also, familiarize yourself with the variables in the defaults/main.yml file.

Technical Dependencies:

  • Windows 2016 - Other versions are not supported
  • Running Ansible/Tower setup (this role is tested against Ansible version 2.9.1 and newer)
  • Python3 Ansible run environment
  • passlib (or python2-passlib, if using python2)
  • python-lxml
  • python-xmltodict
  • python-jmespath
  • pywinrm

Package 'python-xmltodict' is required if you enable the OpenSCAP tool installation and run a report. Packages python(2)-passlib and python-jmespath are required for tasks with custom filters or modules. These are all required on the controller host that executes Ansible.

Role Variables

This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.

Tags

There are many tags available for added control precision. Each control has its own set of tags noting what level, what OS element it relates to if it's a patch or audit, and the rule number.

Below is an example of the tag section from a control within this role. Using this example if you set your run to skip all controls with the tag smb, this task will be skipped. The opposite can also happen where you run only controls tagged with smb.

  tags:
      - level1-domaincontroller
      - level1-memberserver
      - win16cis_rule_18.3.3
      - patch
      - smb

Community Contribution

We encourage you (the community) to contribute to this role. Please read the rules below.

  • Your work is done in your own individual branch. Make sure to Signed-off-by and GPG sign all commits you intend to merge.
  • All community Pull Requests are pulled into the devel branch
  • Pull Requests into devel will confirm your commits have a GPG signature, Signed-off-by, and a functional test before being approved
  • Once your changes are merged and a more detailed review is complete, an authorized member will merge your changes into the main branch for a new release

Pipeline Testing

uses:

  • ansible-core 2.12
  • ansible collections - pulls in the latest version based on the requirements file
  • runs the audit using the devel branch
  • This is an automated test that occurs on pull requests into devel

windows-2016-cis's People

Contributors

frederickw082922 avatar georgenalen avatar mfortin avatar mrsteve81 avatar uk-bolly avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

mh2ict jamesallen-atx pechuk julieeeen ccdev-labs gombee spreeoadmin tem-hth rama-iyer star3am satish5555555 rameshvahini durblave georgenalen ardita-ops vermyndax oatakan chip-dub yashvanthkumar94 mountainbyte echolit gberginc anzoman thomascurrie suwitinjinda yogehsbhilare grabx thanhtut-llops bizzy211 mfortin

windows-2016-cis's Issues

wrong control check for 19.7.4.1

name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
block:
name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
win_regedit:
path: HKU:.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
name: SaveZoneInformation
data: 2
type: dword

name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
win_regedit:
path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
name: SaveZoneInformation
data: 2
type: dword
when:

rule_19_7_4_1
tags:

level1-domaincontroller

level1-memberserver

rule_19.7.4.1

patch

Wrong check for the control 18.9.95.1

  • name: "SCORED | 18.9.95.1 | PATCH | (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
    win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
    name: EnableScriptBlockLogging
    data: 0
    type: dword
    when: rule_18_9_95_1
    tags:
    • level1-domaincontroller
    • level1-memberserver
    • rule_18.9.95.1
    • patch

rule_18.5.4.1

Rule 18.5.4.1 is tagged as rule_18.5.4.2. The when statement is incorrect as well.

2.3.10.9 - Configure Network access Remotely accessible registry paths and sub-paths always includes CertSvc and WINS

Describe the Issue
2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.

The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

The recommended state for servers that hold the Active Directory Certificate ServicesRole with Certification AuthorityRole Service includes the above list and:
System\CurrentControlSet\Services\CertSvc

The recommended state for servers that have the WINS ServerFeature installed includes the above list and:
System\CurrentControlSet\Services\WINS

Expected Behavior
The CertSvc and WINS path are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed

Actual Behavior
The CertSvc and WINS path are always included

Control(s) Affected
2.3.10.9

Possible Solution

- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
  block:
      - name: 2.3.10.9 | Set value for Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.builtin.set_fact:
            remote_registry_paths: [
                'System\CurrentControlSet\Control\Print\Printers',
                'System\CurrentControlSet\Services\Eventlog',
                'Software\Microsoft\OLAP Server',
                'Software\Microsoft\Windows NT\CurrentVersion\Print',
                'Software\Microsoft\Windows NT\CurrentVersion\Windows',
                'System\CurrentControlSet\Control\ContentIndex',
                'System\CurrentControlSet\Control\Terminal Server',
                'System\CurrentControlSet\Control\Terminal Server\UserConfig',
                'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
                'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
                'System\CurrentControlSet\Services\SysmonLog'
            ]

      - name: 2.3.10.9 | Check if AD Certificate Services feature is installed
        community.windows.win_feature_info:
            name: AD-Certificate
        register: adcs_feature

      - name: 2.3.10.9 | Add CertSvc to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
        when: adcs_feature.features[0].installed

      - name: 2.3.10.9 | Check if WINS feature is installed
        community.windows.win_feature_info:
            name: WINS
        register: wins_feature

      - name: 2.3.10.9 | Add WINS to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
        when: wins_feature.features[0].installed

      - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.windows.win_regedit:
            path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
            name: "Machine"
            data: '{{ remote_registry_paths }}'
            type: multistring
  when: win16cis_rule_2_3_10_9
  tags:
      - level1-domaincontroller
      - level1-memberserver
      - rule_2.3.10.9
      - patch

Wrong check for the control 2.3.6.4

The data check should be 0 not 1

name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled"
win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
name: disablepasswordchange
data: 0
type: dword
when:
rule_2_3_6_4
not ansible_windows_domain_role == "Primary domain controller"
tags:
level1-domaincontroller
level1-memberserver
rule_2.3.6.4
patch

wrong control check for 2.3.17.3

data: value should be 0 not 2

  • name: "SCORED | 2.3.17.3 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
    win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: ConsentPromptBehaviorUser
    data: 0
    type: dword
    when: rule_2_3_17_3
    tags:
    • level1-domaincontroller
    • level1-memberserver
    • rule_2.3.17.3
    • patch

Post task not executed

Describe the Issue
Post task (reboot) is not included in main task, so it is skipped and the handler doesn't run when expected to.

Expected Behavior
Post task included, flush handlers executed

Actual Behavior
Post task skipped, handlers not executed at end of role execution.

Control(s) Affected
None

Environment (please complete the following information):

  • branch being used: [e.g. devel]
  • Ansible Version: [e.g. 2.10]
  • Host Python Version: [e.g. Python 3.7.6]
  • Ansible Server Python Version: [e.g. Python 3.7.6]
  • Additional Details:

Additional Notes
None

Possible Solution
Include task post in main.yml

wrong control check for 9.1.4 / 9.2.4 / 9.3.4

name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
name: DisableNotifications
data: 1
type: dword
when:
rule_9_1_4
tags:
level1-domaincontroller
level1
rule_9.1.4
patch

wrong control check for 2.3.11.4

name: "SCORED | 2.3.11.4 | PATCH | (L1) Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
name: SupportedEncryptionTypes
data: 2147483640
type: dword
when:
rule_2_3_11_4
tags:
level1-domaincontroller
level1-memberserver
rule_2.3.11.4
patch

Wrong control check for 18.4.1

The datatype should be string not dword

name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
state: present
value: AutoAdminLogon
data: 0
datatype: string
when:
rule_18_4_1
tags:
level1-domaincontroller
level1-memberserver
rule_18.4.1
patch

Wrong check in the control : 18.3.4

In the control the value need to be 0 not 1

name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
name: DisableExceptionChainValidation
data: 0
type: dword
state: present
when:
rule_18_3_4
tags:
level1-domaincontroller
level1-memberserver
rule_18.3.4
patch

Wrong tag value for 19.7.41.1

  • name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
    block:

    • name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
      win_regedit:
      path: HKU:.DEFAULT\Software\Policies\Microsoft\Windows\Installer
      name: AlwaysInstallElevated
      data: 0
      type: dword

    • name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
      win_regedit:
      path: HKCU:\Software\Policies\Microsoft\Windows\Installer
      name: AlwaysInstallElevated
      data: 0
      type: dword
      when: rule_19_7_41_1
      tags:

    • level1

    • level2

    • rule_19.7.41.1

    • patch

Wrong check for the control 18.9.26.1.1

name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
name: Retention
data: 0
type: string
when:
rule_18_9_26_1_1
tags:
level1-domaincontroller
level1-memberserver
rule_18.9.26.1.1
patch

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.