Giter Site home page Giter Site logo

ansible-lockdown / windows-2016-cis Goto Github PK

View Code? Open in Web Editor NEW
23.0 8.0 31.0 340 KB

CIS Baseline Ansible Role for Windows 2016

Home Page: http://www.lockdownenterprise.com

License: MIT License

YAML 86.50% Jinja 13.50%
ansible ansible-playbook ansible-role benchmark benchmark-framework cis cis-benchmark cis-compliant cis-standards compliance-as-code

windows-2016-cis's Issues

Wrong tag value for 19.7.41.1

  • name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
    block:

    • name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
      win_regedit:
      path: HKU:.DEFAULT\Software\Policies\Microsoft\Windows\Installer
      name: AlwaysInstallElevated
      data: 0
      type: dword

    • name: "SCORED | 19.7.41.1 | PATCH | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'"
      win_regedit:
      path: HKCU:\Software\Policies\Microsoft\Windows\Installer
      name: AlwaysInstallElevated
      data: 0
      type: dword
      when: rule_19_7_41_1
      tags:

    • level1

    • level2

    • rule_19.7.41.1

    • patch

Wrong check for the control 18.9.95.1

  • name: "SCORED | 18.9.95.1 | PATCH | (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
    win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging
    name: EnableScriptBlockLogging
    data: 0
    type: dword
    when: rule_18_9_95_1
    tags:
    • level1-domaincontroller
    • level1-memberserver
    • rule_18.9.95.1
    • patch

Wrong check for the control 18.9.26.1.1

name: "SCORED | 18.9.26.1.1 | PATCH | L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled"
win_regedit:
path: HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application
name: Retention
data: 0
type: string
when:
rule_18_9_26_1_1
tags:
level1-domaincontroller
level1-memberserver
rule_18.9.26.1.1
patch

wrong control check for 2.3.11.4

name: "SCORED | 2.3.11.4 | PATCH | (L1) Ensure Network security Configure encryption types allowed for Kerberos is set to AES128 HMAC SHA1 AES256 HMAC SHA1 Future encryption types"
win_regedit:
path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
name: SupportedEncryptionTypes
data: 2147483640
type: dword
when:
rule_2_3_11_4
tags:
level1-domaincontroller
level1-memberserver
rule_2.3.11.4
patch

rule_18.5.4.1

Rule 18.5.4.1 is tagged as rule_18.5.4.2. The when statement is incorrect as well.

wrong control check for 9.1.4 / 9.2.4 / 9.3.4

name: "SCORED | 9.1.4 | PATCH | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'"
win_regedit:
path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
name: DisableNotifications
data: 1
type: dword
when:
rule_9_1_4
tags:
level1-domaincontroller
level1
rule_9.1.4
patch

Post task not executed

Describe the Issue
Post task (reboot) is not included in main task, so it is skipped and the handler doesn't run when expected to.

Expected Behavior
Post task included, flush handlers executed

Actual Behavior
Post task skipped, handlers not executed at end of role execution.

Control(s) Affected
None

Environment (please complete the following information):

  • branch being used: [e.g. devel]
  • Ansible Version: [e.g. 2.10]
  • Host Python Version: [e.g. Python 3.7.6]
  • Ansible Server Python Version: [e.g. Python 3.7.6]
  • Additional Details:

Additional Notes
None

Possible Solution
Include task post in main.yml

2.3.10.9 - Configure Network access Remotely accessible registry paths and sub-paths always includes CertSvc and WINS

Describe the Issue
2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths always includes the CertSvc and WINS paths, but these paths should only be included when the corresponding roles are present on the server.

The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

The recommended state for servers that hold the Active Directory Certificate ServicesRole with Certification AuthorityRole Service includes the above list and:
System\CurrentControlSet\Services\CertSvc

The recommended state for servers that have the WINS ServerFeature installed includes the above list and:
System\CurrentControlSet\Services\WINS

Expected Behavior
The CertSvc and WINS path are only included in the remotely accessible registry paths and sub-paths when the corresponding features are installed

Actual Behavior
The CertSvc and WINS path are always included

Control(s) Affected
2.3.10.9

Possible Solution

- name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
  block:
      - name: 2.3.10.9 | Set value for Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.builtin.set_fact:
            remote_registry_paths: [
                'System\CurrentControlSet\Control\Print\Printers',
                'System\CurrentControlSet\Services\Eventlog',
                'Software\Microsoft\OLAP Server',
                'Software\Microsoft\Windows NT\CurrentVersion\Print',
                'Software\Microsoft\Windows NT\CurrentVersion\Windows',
                'System\CurrentControlSet\Control\ContentIndex',
                'System\CurrentControlSet\Control\Terminal Server',
                'System\CurrentControlSet\Control\Terminal Server\UserConfig',
                'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration',
                'Software\Microsoft\Windows NT\CurrentVersion\Perflib',
                'System\CurrentControlSet\Services\SysmonLog'
            ]

      - name: 2.3.10.9 | Check if AD Certificate Services feature is installed
        community.windows.win_feature_info:
            name: AD-Certificate
        register: adcs_feature

      - name: 2.3.10.9 | Add CertSvc to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\CertSvc'] }}"
        when: adcs_feature.features[0].installed

      - name: 2.3.10.9 | Check if WINS feature is installed
        community.windows.win_feature_info:
            name: WINS
        register: wins_feature

      - name: 2.3.10.9 | Add WINS to paths
        ansible.builtin.set_fact:
            remote_registry_paths: "{{ remote_registry_paths + ['System\\CurrentControlSet\\Services\\WINS'] }}"
        when: wins_feature.features[0].installed

      - name: "2.3.10.9 | PATCH | Configure Network access Remotely accessible registry paths and sub-paths"
        ansible.windows.win_regedit:
            path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
            name: "Machine"
            data: '{{ remote_registry_paths }}'
            type: multistring
  when: win16cis_rule_2_3_10_9
  tags:
      - level1-domaincontroller
      - level1-memberserver
      - rule_2.3.10.9
      - patch

Wrong check in the control : 18.3.4

In the control the value need to be 0 not 1

name: "SCORED | 18.3.4 | PATCH | L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled"
win_regedit:
path: HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel
name: DisableExceptionChainValidation
data: 0
type: dword
state: present
when:
rule_18_3_4
tags:
level1-domaincontroller
level1-memberserver
rule_18.3.4
patch

Wrong control check for 18.4.1

The datatype should be string not dword

name: "SCORED | 18.4.1 | PATCH | L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled"
win_regedit:
path: HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
state: present
value: AutoAdminLogon
data: 0
datatype: string
when:
rule_18_4_1
tags:
level1-domaincontroller
level1-memberserver
rule_18.4.1
patch

wrong control check for 19.7.4.1

name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
block:
name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
win_regedit:
path: HKU:.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
name: SaveZoneInformation
data: 2
type: dword

name: "SCORED | 19.7.4.1 | PATCH | L1 Ensure Do not preserve zone information in file attachments is set to Disabled"
win_regedit:
path: HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
name: SaveZoneInformation
data: 2
type: dword
when:

rule_19_7_4_1
tags:

level1-domaincontroller

level1-memberserver

rule_19.7.4.1

patch

Wrong check for the control 2.3.6.4

The data check should be 0 not 1

name: "SCORED | 2.3.6.4 | PATCH | L1 Ensure Domain member Disable machine account password changes is set to Disabled"
win_regedit:
path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
name: disablepasswordchange
data: 0
type: dword
when:
rule_2_3_6_4
not ansible_windows_domain_role == "Primary domain controller"
tags:
level1-domaincontroller
level1-memberserver
rule_2.3.6.4
patch

wrong control check for 2.3.17.3

data: value should be 0 not 2

  • name: "SCORED | 2.3.17.3 | PATCH | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'"
    win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: ConsentPromptBehaviorUser
    data: 0
    type: dword
    when: rule_2_3_17_3
    tags:
    • level1-domaincontroller
    • level1-memberserver
    • rule_2.3.17.3
    • patch

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.