This role sets up Cis-windows-level1

Created for and tested on Windows 2012R2

Should work for Windows 2016 (untested)

There's plenty of room for optimizing and consolidating regedits, etc.

Requires Ansible 2.5+ as the win_audit_policy_system module is required and it's new in 2.5

My testing was done on a Windows 2012R2 Vagrant box I built using this

Inspec controls taken from Chef Automate's CIS Windows Level 1 profile.

• some of inspec 'describe' statements were modified (read as: fixed). I've left the original rule in the control commented out (and my modified/corrected one underneath it)

• 2.3.1.5 Administrator account was not renamed; changed to disabled

• 2.3.1.6 Guest account was not renamed; changed disabled

• 18.6.1: LocalAccountTokenFilterPolicy was not set to 0 as I use a local user to WinRM into run the ansible role so if that gets set to 1 then the role breaks

• 2.2.x: User Rights rules moved to the end as setting them early will prevent some of the other changes in the "later" rules sets from being applied due to stripped rights

Rules for 19.x.x aren't run as they modify HKEY_USERS and that's apparently not allowed :( And as such, the Inspec controls for 19.x.x are in files/ folder for now rather than in controls/ (easier than commenting out the rules)

Rules 2.3.10.7 and 2.3.10.8's lists were done in YAML format rather than JSON like all the other rules. The main reason is for better readability in this case where as JSON format took up less lines.

Glen Yu

[email protected]

MIT