├── .gitignore
├── README.md
├── defaults
│   └── main.yml
├── meta
│   └── main.yml
└── tasks
    ├── main.yml
    ├── section01.yml
    ├── section02.yml
    ├── section09.yml
    ├── section17.yml
    ├── section18.yml
    └── section19.yml

/.gitignore:
--------------------------------------------------------------------------------
*.retry

/README.md:
--------------------------------------------------------------------------------
Windows Server 2016 GSA Benchmark
=================================

This Ansible content will configure a Windows Server 2016 machine to be GSA compliant.

This role **will make changes to the system** that could impact its performance and/or availability.

For configuration compliance auditing, use a tool such as [Nessus](https://www.tenable.com/products/nessus-vulnerability-scanner) or [CIS-CAT](https://learn.cisecurity.org/cis-cat-landing-page).

This hardening content is based on the GSA Microsoft Windows Server 2016 Security Benchmark v1.0 and the [CIS Microsoft Windows Server 2016 Benchmark v1.0.0](https://www.cisecurity.org/cis-benchmarks/).

Important Information
---------------------

Before executing, you should carefully review the playbook tasks to make sure your systems will not be negatively impacted.

Please thoroughly review to ensure your organizational requirements are met.

##### The current default configuration will:
* Configure all Windows Firewall controls except for "Ensure 'Windows Firewall - Public - Inbound connections' is set to 'Block (default)'"
* Configure Windows Update controls

##### The configuration will not:
* Set the 'Minimum password length' to 16 or more characters
* Configure 'Deny access to this computer from the network' to include local accounts
* Configure 'Deny log on through Remote Desktop Services' to include local accounts


Dependencies
------------
Ansible > 2.4


Example Playbook
----------------
```
---
- name: Harden Server
  hosts: all
  roles:
    - ansible-os-win-2016
```
How to test locally
-------------------
```
ansible-playbook main.yml --connection=local
```

License
-------
MIT

/defaults/main.yml:
--------------------------------------------------------------------------------
# defaults file for Win2016
# Each switch enables or skips one section of the benchmark (see tasks/main.yml).
win2016gsa_section01: true
win2016gsa_section02: true
win2016gsa_section09: true
win2016gsa_section17: true
win2016gsa_section18: true
win2016gsa_section19: true

/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: "GSA and ISE"
  description: "Ansible role to apply Windows Server 2016 GSA Baseline"
  company: GSA
  license: MIT
  min_ansible_version: 2.4

  platforms:
    - name: WIN
      versions:
        - 2016

dependencies: []

/tasks/main.yml:
--------------------------------------------------------------------------------
# import_playbook is only valid at playbook level; inside a role's task file the
# sections must be pulled in with import_tasks. Each import is gated by the
# matching switch from defaults/main.yml so individual sections can be skipped.
- import_tasks: section01.yml
  when: win2016gsa_section01

- import_tasks: section02.yml
  when: win2016gsa_section02

- import_tasks: section09.yml
  when: win2016gsa_section09

- import_tasks: section17.yml
  when: win2016gsa_section17

- import_tasks: section18.yml
  when: win2016gsa_section18

- import_tasks: section19.yml
  when: win2016gsa_section19

/tasks/section01.yml:
--------------------------------------------------------------------------------
##########################
##########################
## CIS LEVEL 1 SETTINGS ##
##########################
##########################

- name: "1.1.1,CCE-37166-6 | Ensure 'Enforce password history' is set to '24 or more password(s)'"
  win_security_policy:
    section: System Access
    key: PasswordHistorySize
    value: 24
  tags:
    - rule_1.1.1

- name: "1.1.2,CCE-37167-4 | Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' [GSA-90]"
  win_security_policy:
    section: System Access
    key: MaximumPasswordAge
    value: 90
  tags:
    - rule_1.1.2

- name: "1.1.3,CCE-37073-4 | Ensure 'Minimum password age' is set to '1 or more day(s)' [GSA-0]"
  win_security_policy:
    section: System Access
    key: MinimumPasswordAge
    value: 0
  tags:
    - rule_1.1.3

# Local Security Policy limited to 14 chars at most for 'Minimum password length';
# 16 chars (GSA Policy) implemented via Default Domain Policy attribute for domain-joined nodes
- name: "1.1.4,CCE-36534-6 | Ensure 'Minimum password length' is set to '14 or more character(s)' [GSA-16]"
  win_security_policy:
    section: System Access
    key: MinimumPasswordLength
    value: 14 # 16
  tags:
    - rule_1.1.4

# CIS-CAT unable to audit this control for non-domain-joined nodes
- name: "1.1.5,CCE-37063-5 | Ensure 'Password must meet complexity requirements' is set to 'Enabled' [GSA-Disabled]"
  win_security_policy:
    section: System Access
    key: PasswordComplexity
    value: 0
  tags:
    - rule_1.1.5

# CIS-CAT unable to audit this control for non-domain-joined nodes
- name: "1.1.6,CCE-36286-3 | Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
  win_security_policy:
    section: System Access
    key: ClearTextPassword
    value: 0
  tags:
    - rule_1.1.6

# This rule must be applied first to make rule_1.2.1 and rule_1.2.3 applicable
- name: "1.2.2,CCE-36008-1 | Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' [GSA-5]"
  win_security_policy:
    section: System Access
    key: LockoutBadCount
    value: 5
  tags:
    - rule_1.2.2

# secedit expresses LockoutDuration and ResetLockoutCount in minutes, not seconds;
# the value is written verbatim, so 30 here is the intended GSA 30 minutes.
- name: "1.2.1,CCE-37034-6 | Ensure 'Account lockout duration' is set to '15 or more minute(s)' [GSA-30]"
  win_security_policy:
    section: System Access
    key: LockoutDuration
    value: 30
  tags:
    - rule_1.2.1

- name: "1.2.3,CCE-36883-7 | Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' [GSA-30]"
  win_security_policy:
    section: System Access
    key: ResetLockoutCount
    value: 30
  tags:
    - rule_1.2.3

#########
## EOF ##
#########

/tasks/section02.yml:
--------------------------------------------------------------------------------
##########################
##########################
## CIS LEVEL 1 SETTINGS ##
##########################
##########################

# win_user_right requires the users argument; an explicit empty list ([]) with
# action: set clears the right so that it is held by 'No One'.
- name: "2.2.1,CCE-37056-9 | Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'"
  win_user_right:
    name: SeTrustedCredManAccessPrivilege
    users: []
    action: set

- name: "2.2.2,CCE-35818-4 | Configure 'Access this computer from the network'"
  win_user_right:
    name: SeNetworkLogonRight
    users:
      - Administrators
      - Authenticated Users
    action: set

- name: "2.2.3,CCE-36876-1 | Ensure 'Act as part of the operating system' is set to 'No One'"
  win_user_right:
    name: SeTcbPrivilege
    users: []
    action: set

- name: "2.2.5,CCE-37071-8 | Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'"
  win_user_right:
    name: SeIncreaseQuotaPrivilege
    users:
      - Administrators
      - Local Service
      - Network Service
    action: set

- name: "2.2.6,CCE-37659-0 | Configure 'Allow log on locally'"
  win_user_right:
    name: SeInteractiveLogonRight
    users:
      - Administrators
    action: set

- name: "2.2.7,CCE-37072-6 | Configure 'Allow log on through Remote Desktop Services'"
  win_user_right:
    name: SeRemoteInteractiveLogonRight
    users:
      - Administrators
      - Remote Desktop Users
    action: set

- name: "2.2.8,CCE-35912-5 | Ensure 'Back up files and directories' is set to 'Administrators'"
  win_user_right:
    name: SeBackupPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.9,CCE-37452-0 | Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'"
  win_user_right:
    name: SeSystemTimePrivilege
    users:
      - Administrators
      - Local Service
    action: set

- name: "2.2.10,CCE-37700-2 | Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE'"
  win_user_right:
    name: SeTimeZonePrivilege
    users:
      - Administrators
      - Local Service
    action: set

- name: "2.2.11,CCE-35821-8 | Ensure 'Create a pagefile' is set to 'Administrators'"
  win_user_right:
    name: SeCreatePagefilePrivilege
    users:
      - Administrators
    action: set

- name: "2.2.12,CCE-36861-3 | Ensure 'Create a token object' is set to 'No One'"
  win_user_right:
    name: SeCreateTokenPrivilege
    users: []
    action: set

- name: "2.2.13,CCE-37453-8 | Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'"
  win_user_right:
    name: SeCreateGlobalPrivilege
    users:
      - Administrators
      - Local Service
      - Network Service
      - Service
    action: set

- name: "2.2.14,CCE-36532-0 | Ensure 'Create permanent shared objects' is set to 'No One'"
  win_user_right:
    name: SeCreatePermanentPrivilege
    users: []
    action: set

- name: "2.2.15,CCE-35823-4 | Configure 'Create symbolic links'"
  win_user_right:
    name: SeCreateSymbolicLinkPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.16,CCE-37075-9 | Ensure 'Debug programs' is set to 'Administrators'"
  win_user_right:
    name: SeDebugPrivilege
    users:
      - Administrators
    action: set

# Limiting hardening to only include the Guests group, since Local Account access
# will still be needed for non-domain-joined nodes
- name: "2.2.17,CCE-37954-5 | Configure 'Deny access to this computer from the network' [GSA-Guests, Local account]"
  win_user_right:
    name: SeDenyNetworkLogonRight
    users:
      - Guests
      #- Local Account
    action: set

- name: "2.2.18,CCE-36923-1 | Ensure 'Deny log on as a batch job' to include 'Guests'"
  win_user_right:
    name: SeDenyBatchLogonRight
    users:
      - Guests
    action: set

- name: "2.2.19,CCE-36877-9 | Ensure 'Deny log on as a service' to include 'Guests'"
  win_user_right:
    name: SeDenyServiceLogonRight
    users:
      - Guests
    action: set

- name: "2.2.20,CCE-37146-8 | Ensure 'Deny log on locally' to include 'Guests'"
  win_user_right:
    name: SeDenyInteractiveLogonRight
    users:
      - Guests
    action: set

# Limiting hardening to only include the Guests group, since Local Account access
# will still be needed for non-domain-joined nodes
- name: "2.2.21,CCE-36867-0 | Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account'"
  win_user_right:
    name: SeDenyRemoteInteractiveLogonRight
    users:
      - Guests
      #- Local Account
    action: set

- name: "2.2.22,CCE-36860-5 | Configure 'Enable computer and user accounts to be trusted for delegation'"
  win_user_right:
    name: SeEnableDelegationPrivilege
    users: []
    action: set

- name: "2.2.23,CCE-37877-8 | Ensure 'Force shutdown from a remote system' is set to 'Administrators'"
  win_user_right:
    name: SeRemoteShutdownPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.24,CCE-37639-2 | Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
  win_user_right:
    name: SeAuditPrivilege
    users:
      - Local Service
      - Network Service
    action: set

- name: "2.2.25,CCE-37106-2 | Configure 'Impersonate a client after authentication'"
  win_user_right:
    name: SeImpersonatePrivilege
    users:
      - Administrators
      - IIS_IUSRS
      - Local Service
      - Network Service
      - Service
    action: set

- name: "2.2.26,CCE-38326-5 | Ensure 'Increase scheduling priority' is set to 'Administrators'"
  win_user_right:
    name: SeIncreaseBasePriorityPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.27,CCE-36318-4 | Ensure 'Load and unload device drivers' is set to 'Administrators'"
  win_user_right:
    name: SeLoadDriverPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.28,CCE-36495-0 | Ensure 'Lock pages in memory' is set to 'No One'"
  win_user_right:
    name: SeLockMemoryPrivilege
    users: []
    action: set

- name: "2.2.30,CCE-35906-7 | Configure 'Manage auditing and security log'"
  win_user_right:
    name: SeSecurityPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.31,CCE-36054-5 | Ensure 'Modify an object label' is set to 'No One'"
  win_user_right:
    name: SeReLabelPrivilege
    users: []
    action: set

- name: "2.2.32,CCE-38113-7 | Ensure 'Modify firmware environment values' is set to 'Administrators'"
  win_user_right:
    name: SeSystemEnvironmentPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.33,CCE-36143-6 | Ensure 'Perform volume maintenance tasks' is set to 'Administrators'"
  win_user_right:
    name: SeManageVolumePrivilege
    users:
      - Administrators
    action: set

- name: "2.2.34,CCE-37131-0 | Ensure 'Profile single process' is set to 'Administrators'"
  win_user_right:
    name: SeProfileSingleProcessPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.35,CCE-36052-9 | Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\\WdiServiceHost'"
  win_user_right:
    name: SeSystemProfilePrivilege
    users:
      - Administrators
      - NT SERVICE\WdiServiceHost
    action: set

- name: "2.2.36,CCE-37430-6 | Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'"
  win_user_right:
    name: SeAssignPrimaryTokenPrivilege
    users:
      - LOCAL SERVICE
      - NETWORK SERVICE
    action: set

- name: "2.2.37,CCE-37613-7 | Ensure 'Restore files and directories' is set to 'Administrators'"
  win_user_right:
    name: SeRestorePrivilege
    users:
      - Administrators
    action: set

- name: "2.2.38,CCE-38328-1 | Ensure 'Shut down the system' is set to 'Administrators'"
  win_user_right:
    name: SeShutdownPrivilege
    users:
      - Administrators
    action: set

- name: "2.2.40,CCE-38325-7 | Ensure 'Take ownership of files or other objects' is set to 'Administrators'"
  win_user_right:
    name: SeTakeOwnershipPrivilege
    users:
      - Administrators
    action: set

##########################
##                      ##
##########################

- name: "2.3.1.1,CCE-37953-7 | Ensure 'Accounts - Administrator account status' is set to 'Disabled'"
  win_security_policy:
    section: System Access
    key: EnableAdminAccount
    value: 0

- name: "2.3.1.2,CCE-36147-7 | Ensure 'Accounts - Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "NoConnectedUser"
    data: "3"
    type: dword

- name: "2.3.1.3,CCE-37432-2 | Ensure 'Accounts - Guest account status' is set to 'Disabled'"
  win_security_policy:
    section: System Access
    key: EnableGuestAccount
    value: 0

- name: "2.3.1.4,CCE-37615-2 | Ensure 'Accounts - Limit local account use of blank passwords to console logon only' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "LimitBlankPasswordUse"
    data: "1"
    type: dword

- name: "2.3.1.5,CCE-38233-3 | Configure 'Accounts - Rename administrator account'"
  win_security_policy:
    section: System Access
    key: NewAdministratorName
    value: GeorgeSharp

- name: "2.3.1.6,CCE-38027-9 | Configure 'Accounts - Rename guest account'"
  win_security_policy:
    section: System Access
    key: NewGuestName
    value: BobCooper

- name: "2.3.2.1,CCE-37850-5 | Ensure 'Audit - Force audit policy subcategory settings to override audit policy category settings' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "SCENoApplyLegacyAuditPolicy"
    data: "1"
    type: dword

- name: "2.3.2.2,CCE-35907-5 | Ensure 'Audit - Shut down system immediately if unable to log security audits' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "CrashOnAuditFail"
    data: "0"
    type: dword

- name: "2.3.4.1,CCE-37701-0 | Ensure 'Devices - Allowed to format and eject removable media' is set to 'Administrators'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
    name: "AllocateDASD"
    data: "0"
    type: string

- name: "2.3.4.2,CCE-37942-0 | Ensure 'Devices - Prevent users from installing printer drivers' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Print\Providers\Lanman Print Services\Servers
    name: "AddPrinterDrivers"
    data: "1"
    type: dword

- name: "2.3.6.1,CCE-36142-8 | Ensure 'Domain member - Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
    name: "RequireSignOrSeal"
    data: "1"
    type: dword

- name: "2.3.6.2,CCE-37130-2 | Ensure 'Domain member - Digitally encrypt secure channel data (when possible)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
    name: "sealsecurechannel"
    data: "1"
    type: dword

- name: "2.3.6.3,CCE-37222-7 | Ensure 'Domain member - Digitally sign secure channel data (when possible)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
    name: "signsecurechannel"
    data: "1"
    type: dword

- name: "2.3.6.4,CCE-37508-9 | Ensure 'Domain member - Disable machine account password changes' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
    name: "disablepasswordchange"
    data: "0"
    type: dword

- name: "2.3.6.5,CCE-37431-4 | Ensure 'Domain member - Maximum machine account password age' is set to '30 or fewer days, but not 0'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
    name: "MaximumPasswordAge"
    data: "30"
    type: dword

- name: "2.3.6.6,CCE-37614-5 | Ensure 'Domain member - Require strong (Windows 2000 or later) session key' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Netlogon\Parameters
    name: "RequireStrongKey"
    data: "1"
    type: dword

- name: "2.3.7.1,CCE-36056-0 | Ensure 'Interactive logon - Do not display last user name' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "DontDisplayLastUserName"
    data: "1"
    type: dword

- name: "2.3.7.2,CCE-37637-6 | Ensure 'Interactive logon - Do not require CTRL+ALT+DEL' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "DisableCAD"
    data: "0"
    type: dword

- name: "2.3.7.3,CCE-38235-8 | Ensure 'Interactive logon - Machine inactivity limit' is set to '900 or fewer second(s), but not 0'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "InactivityTimeoutSecs"
    data: "900"
    type: dword

- name: "2.3.7.4,CCE-37226-8 | Configure 'Interactive logon - Message text for users attempting to log on'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "LegalNoticeText"
    data: "This is a U.S. General Services Administration Federal Government computer system that is FOR OFFICIAL USE ONLY. This system is subject to monitoring. Therefore, no expectation of privacy is to be assumed. Individuals found performing unauthorized activities are subject to disciplinary action including criminal prosecution."
    type: string

- name: "2.3.7.5,CCE-37512-1 | Configure 'Interactive logon - Message title for users attempting to log on'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "LegalNoticeCaption"
    data: "IT SECURITY WARNING"
    type: string

- name: "2.3.7.7,CCE-37622-8 | Ensure 'Interactive logon - Prompt user to change password before expiration' is set to 'between 5 and 14 days'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
    name: "PasswordExpiryWarning"
    data: "14"
    type: dword

- name: "2.3.7.8,CCE-38240-8 | Ensure 'Interactive logon - Require Domain Controller Authentication to unlock workstation' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
    name: "ForceUnlockLogon"
    data: "1"
    type: dword

- name: "2.3.7.9,CCE-38333-1 | Ensure 'Interactive logon - Smart card removal behavior' is set to 'Lock Workstation' or higher"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
    name: "scremoveoption"
    data: "1"
    type: string

- name: "2.3.8.1,CCE-36325-9 | Ensure 'Microsoft network client - Digitally sign communications (always)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
    name: "RequireSecuritySignature"
    data: "1"
    type: dword

- name: "2.3.8.2,CCE-36269-9 | Ensure 'Microsoft network client - Digitally sign communications (if server agrees)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
    name: "EnableSecuritySignature"
    data: "1"
    type: dword

- name: "2.3.8.3,CCE-37863-8 | Ensure 'Microsoft network client - Send unencrypted password to third-party SMB servers' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanworkstation\Parameters
    name: "EnablePlainTextPassword"
    data: "0"
    type: dword

- name: "2.3.9.1,CCE-38046-9 | Ensure 'Microsoft network server - Amount of idle time required before suspending session' is set to '15 or fewer, but not 0'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "autodisconnect"
    data: "15"
    type: dword

- name: "2.3.9.2,CCE-37864-6 | Ensure 'Microsoft network server - Digitally sign communications (always)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "requiresecuritysignature"
    data: "1"
    type: dword

- name: "2.3.9.3,CCE-35988-5 | Ensure 'Microsoft network server - Digitally sign communications (if client agrees)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "enablesecuritysignature"
    data: "1"
    type: dword

- name: "2.3.9.4,CCE-37972-7 | Ensure 'Microsoft network server - Disconnect clients when logon hours expire' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "enableforcedlogoff"
    data: "1"
    type: dword

- name: "2.3.9.5,CCE-36170-9 | Ensure 'Microsoft network server - Server SPN target name validation level' is set to 'Accept if provided by client' or higher"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "SMBServerNameHardeningLevel"
    data: "1"
    type: dword

# CIS-CAT unable to audit this control for non-domain-joined nodes
- name: "2.3.10.1,CCE-36065-1 | Ensure 'Network access - Allow anonymous SID/Name translation' is set to 'Disabled'"
  win_security_policy:
    section: System Access
    key: LSAAnonymousNameLookup
    value: 0

- name: "2.3.10.2,CCE-36316-8 | Ensure 'Network access - Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "RestrictAnonymousSAM"
    data: "1"
    type: dword

- name: "2.3.10.3,CCE-36077-6 | Ensure 'Network access - Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "RestrictAnonymous"
    data: "1"
    type: dword

- name: "2.3.10.5,CCE-36148-5 | Ensure 'Network access - Let Everyone permissions apply to anonymous users' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "EveryoneIncludesAnonymous"
    data: "0"
    type: dword

# An empty list (not an empty string) writes an empty REG_MULTI_SZ, i.e. no pipes.
- name: "2.3.10.6,CCE-38258-0 | Configure 'Network access - Named Pipes that can be accessed anonymously'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "NullSessionPipes"
    data: []
    type: multistring

- name: "2.3.10.7,CCE-37194-8 | Configure 'Network access - Remotely accessible registry paths'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\AllowedExactpaths
    name: "Machine"
    data:
      - 'System\CurrentControlSet\Control\ProductOptions'
      - 'System\CurrentControlSet\Control\Server Applications'
      - 'Software\Microsoft\Windows NT\CurrentVersion'
    type: multistring

- name: "2.3.10.8,CCE-36347-3 | Configure 'Network access - Remotely accessible registry paths and sub-paths'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Securepipeservers\Winreg\Allowedpaths
    name: "Machine"
    data:
      - 'System\CurrentControlSet\Control\Print\Printers'
      - 'System\CurrentControlSet\Services\Eventlog'
      - 'Software\Microsoft\OLAP Server'
      - 'Software\Microsoft\Windows NT\CurrentVersion\Print'
      - 'Software\Microsoft\Windows NT\CurrentVersion\Windows'
      - 'System\CurrentControlSet\Control\ContentIndex'
      - 'System\CurrentControlSet\Control\Terminal Server'
      - 'System\CurrentControlSet\Control\Terminal Server\UserConfig'
      - 'System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration'
      - 'Software\Microsoft\Windows NT\CurrentVersion\Perflib'
      - 'System\CurrentControlSet\Services\WINS'
      - 'System\CurrentControlSet\Services\CertSvc'
    type: multistring

- name: "2.3.10.9,CCE-36021-4 | Ensure 'Network access - Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "RestrictNullSessAccess"
    data: "1"
    type: dword

- name: "2.3.10.10,CCE-Null | Ensure 'Network access - Restrict clients allowed to make remote calls to SAM' is set to 'Administrators - Remote Access - Allow'"
  win_regedit:
    path: HKLM:\System\CurrentControlSet\Control\Lsa
    name: "RestrictRemoteSAM"
    data: "O:BAG:BAD:(A;;RC;;;BA)"
    type: string

- name: "2.3.10.11,CCE-38095-6 | Ensure 'Network access - Shares that can be accessed anonymously' is set to 'None'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Lanmanserver\Parameters
    name: "NullSessionShares"
    data: []
    type: multistring

- name: "2.3.10.12,CCE-37623-6 | Ensure 'Network access - Sharing and security model for local accounts' is 'Classic - local users authenticate as themselves'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "ForceGuest"
    data: "0"
    type: dword

- name: "2.3.11.1,CCE-38341-4 | Ensure 'Network security - Allow Local System to use computer identity for NTLM' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "UseMachineId"
    data: "1"
    type: dword

- name: "2.3.11.2,CCE-37035-3 | Ensure 'Network security - Allow LocalSystem NULL session fallback' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
    name: "allownullsessionfallback"
    data: "0"
    type: dword

- name: "2.3.11.3,CCE-38047-7 | Ensure 'Network Security - Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa\Pku2U
    name: "AllowOnlineID"
    data: "0"
    type: dword

- name: "2.3.11.4,CCE-37755-6 | Ensure 'Network security - Configure encryption types allowed for Kerberos' is set"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Kerberos\Parameters
    name: "SupportedEncryptionTypes"
    data: "2147483644"
    type: dword

- name: "2.3.11.5,CCE-36326-7 | Ensure 'Network security - Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "NoLMHash"
    data: "1"
    type: dword

- name: "2.3.11.6,CCE-36270-7 | Ensure 'Network security - Force logoff when logon hours expire' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters
    name: "EnableForcedLogOff"
    data: "1"
    type: dword

- name: "2.3.11.7,CCE-36173-3 | Ensure 'Network security - LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa
    name: "LMCompatibilityLevel"
    data: "5"
    type: dword

- name: "2.3.11.8,CCE-36858-9 | Ensure 'Network security - LDAP client signing requirements' is set to 'Negotiate signing' or higher"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Ldap
    name: "LDAPClientIntegrity"
    data: "1"
    type: dword

- name: "2.3.11.9,CCE-37553-5 | Ensure 'Network security - Minimum session security for NTLM SSP based (including secure RPC) clients' is set"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
    name: "NTLMMinClientSec"
    data: "537395200"
    type: dword

- name: "2.3.11.10,CCE-37835-6 | Ensure 'Network security - Minimum session security for NTLM SSP based (including secure RPC) servers' is set"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0
    name: "NTLMMinServerSec"
    data: "537395200"
    type: dword

- name: "2.3.13.1,CCE-36788-8 | Ensure 'Shutdown - Allow system to be shut down without having to log on' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "ShutdownWithoutLogon"
    data: "0"
    type: dword

- name: "2.3.15.1,CCE-37885-1 | Ensure 'System objects - Require case insensitivity for non-Windows subsystems' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Session Manager\Kernel
    name: "ObCaseInsensitive"
    data: "1"
    type: dword

- name: "2.3.15.2,CCE-37644-2 | Ensure 'System objects - Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Session Manager
    name: "ProtectionMode"
    data: "1"
    type: dword

##################
## UAC SETTINGS ##
##################

- name: "2.3.17.1,CCE-36494-3 | Ensure 'User Account Control - Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "FilterAdministratorToken"
    data: "1"
    type: dword

- name: "2.3.17.2,CCE-36863-9 | Ensure 'User Account Control - Allow UIAccess applications to prompt for elevation without using the secure desktop' is set"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "EnableUIADesktopToggle"
    data: "0"
    type: dword

- name: "2.3.17.3,CCE-37029-6 | Ensure 'User Account Control - Behavior of the elevation prompt for administrators in Admin Approval Mode' is set"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "ConsentPromptBehaviorAdmin"
    data: "2"
    type: dword

- name: "2.3.17.4,CCE-36864-7 | Ensure 'User Account Control - Behavior of the elevation prompt for standard users' is 'Automatically deny elevation requests'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "ConsentPromptBehaviorUser"
    data: "0"
    type: dword

- name: "2.3.17.5,CCE-36533-8 | Ensure 'User Account Control - Detect application installations and prompt for elevation' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "EnableInstallerDetection"
    data: "1"
    type: dword

- name: "2.3.17.6,CCE-37057-7 | Ensure 'User Account Control - Only
elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'" 711 | win_regedit: 712 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System 713 | name: "EnableSecureUIAPaths" 714 | data: "1" 715 | type: dword 716 | 717 | - name: "2.3.17.7,CCE-36869-6 | Ensure 'User Account Control - Run all administrators in Admin Approval Mode' is set to 'Enabled'" 718 | win_regedit: 719 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System 720 | name: "EnableLUA" 721 | data: "1" 722 | type: dword 723 | 724 | - name: "2.3.17.8,CCE-36866-2 | Ensure 'User Account Control - Switch to the secure desktop when prompting for elevation' is set to 'Enabled'" 725 | win_regedit: 726 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System 727 | name: "PromptOnSecureDesktop" 728 | data: "1" 729 | type: dword 730 | 731 | - name: "2.3.17.9,CCE-37064-3 | Ensure 'User Account Control - Virtualize file and registry write failures to per-user locations' is set to 'Enabled'" 732 | win_regedit: 733 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System 734 | name: "EnableVirtualization" 735 | data: "1" 736 | type: dword 737 | 738 | ########################## 739 | ########################## 740 | ## CIS LEVEL 2 SETTINGS ## 741 | ########################## 742 | ########################## 743 | 744 | - name: "2.3.7.6,CCE-37439-7 | Ensure 'Interactive logon - Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer' [GSA-1 or fewer]" 745 | win_regedit: 746 | path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon 747 | name: "cachedlogonscount" 748 | data: "1" 749 | type: string 750 | 751 | - name: "2.3.10.4,CCE-38119-4 | Ensure 'Network access - Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'" 752 | win_regedit: 753 | path: HKLM:\System\Currentcontrolset\Control\Lsa 754 | name: "DisableDomainCreds" 755 
| data: "1" 756 | type: dword 757 | 758 | ######### 759 | ## EOF ## 760 | ######### 761 | -------------------------------------------------------------------------------- /tasks/section09.yml: -------------------------------------------------------------------------------- 1 | ########################## 2 | ########################## 3 | ## CIS LEVEL 1 SETTINGS ## 4 | ########################## 5 | ########################## 6 | 7 | ############################### 8 | ## WINDOWS FIREWALL SETTINGS ## 9 | ############################### 10 | 11 | - name: "9.1.1,CCE-36062-8 | Ensure 'Windows Firewall - Domain - Firewall state' is set to 'On (recommended)'" 12 | win_regedit: 13 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile 14 | name: "EnableFirewall" 15 | data: "1" 16 | type: dword 17 | 18 | - name: "9.1.2,CCE-38117-8 | Ensure 'Windows Firewall - Domain - Inbound connections' is set to 'Block (default)'" 19 | win_regedit: 20 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile 21 | name: "DefaultInboundAction" 22 | data: "1" 23 | type: dword 24 | 25 | - name: "9.1.3,CCE-36146-9 | Ensure 'Windows Firewall - Domain - Outbound connections' is set to 'Allow (default)'" 26 | win_regedit: 27 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile 28 | name: "DefaultOutboundAction" 29 | data: "0" 30 | type: dword 31 | 32 | - name: "9.1.4,CCE-38041-0 | Ensure 'Windows Firewall - Domain - Settings - Display a notification' is set to 'No'" 33 | win_regedit: 34 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile 35 | name: "DisableNotifications" 36 | data: "1" 37 | type: dword 38 | 39 | - name: "9.1.5,CCE-37860-4 | Ensure 'Windows Firewall - Domain - Settings - Apply local firewall rules' is set to 'Yes (default)'" 40 | win_regedit: 41 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile 42 | name: "AllowLocalPolicyMerge" 43 | data: "1" 44 | type: dword 45 | 46 | - name: 
"9.1.6,CCE-38040-2 | Ensure 'Windows Firewall - Domain - Settings - Apply local connection security rules' is set to 'Yes (default)'" 47 | win_regedit: 48 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile 49 | name: "AllowLocalIPsecPolicyMerge" 50 | data: "1" 51 | type: dword 52 | 53 | - name: "9.1.7,CCE-37482-7 | Ensure 'Windows Firewall - Domain - Logging - Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'" 54 | win_regedit: 55 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile\Logging 56 | name: "LogFilePath" 57 | data: "%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log" 58 | type: string 59 | 60 | - name: "9.1.8,CCE-36088-3 | Ensure 'Windows Firewall - Domain - Logging - Size limit (KB)' is set to '16,384 KB or greater'" 61 | win_regedit: 62 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile\Logging 63 | name: "LogFileSize" 64 | data: "16384" 65 | type: dword 66 | 67 | - name: "9.1.9,CCE-37523-8 | Ensure 'Windows Firewall - Domain - Logging - Log dropped packets' is set to 'Yes'" 68 | win_regedit: 69 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile\Logging 70 | name: "LogDroppedPackets" 71 | data: "1" 72 | type: dword 73 | 74 | - name: "9.1.10,CCE-36393-7 | Ensure 'Windows Firewall - Domain - Logging - Log successful connections' is set to 'Yes'" 75 | win_regedit: 76 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile\Logging 77 | name: "LogSuccessfulConnections" 78 | data: "1" 79 | type: dword 80 | 81 | - name: "9.2.1,CCE-38239-0 | Ensure 'Windows Firewall - Private - Firewall state' is set to 'On (recommended)'" 82 | win_regedit: 83 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile 84 | name: "EnableFirewall" 85 | data: "1" 86 | type: dword 87 | 88 | - name: "9.2.2,CCE-38042-8 | Ensure 'Windows Firewall - Private - Inbound connections' is set to 'Block (default)'" 89 | win_regedit: 90 | path: 
HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile 91 | name: "DefaultInboundAction" 92 | data: "1" 93 | type: dword 94 | 95 | - name: "9.2.3,CCE-38332-3 | Ensure 'Windows Firewall - Private - Outbound connections' is set to 'Allow (default)'" 96 | win_regedit: 97 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile 98 | name: "DefaultOutboundAction" 99 | data: "0" 100 | type: dword 101 | 102 | - name: "9.2.4,CCE-37621-0 | Ensure 'Windows Firewall - Private - Settings - Display a notification' is set to 'No'" 103 | win_regedit: 104 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile 105 | name: "DisableNotifications" 106 | data: "1" 107 | type: dword 108 | 109 | - name: "9.2.5,CCE-37438-9 | Ensure 'Windows Firewall - Private - Settings - Apply local firewall rules' is set to 'Yes (default)'" 110 | win_regedit: 111 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile 112 | name: "AllowLocalPolicyMerge" 113 | data: "1" 114 | type: dword 115 | 116 | - name: "9.2.6,CCE-36063-6 | Ensure 'Windows Firewall - Private - Settings - Apply local connection security rules' is set to 'Yes (default)'" 117 | win_regedit: 118 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile 119 | name: "AllowLocalIPsecPolicyMerge" 120 | data: "1" 121 | type: dword 122 | 123 | - name: "9.2.7,CCE-37569-1 | Ensure 'Windows Firewall - Private - Logging - Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'" 124 | win_regedit: 125 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile\Logging 126 | name: "LogFilePath" 127 | data: "%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log" 128 | type: string 129 | 130 | - name: "9.2.8,CCE-38178-0 | Ensure 'Windows Firewall - Private - Logging - Size limit (KB)' is set to '16,384 KB or greater'" 131 | win_regedit: 132 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile\Logging 133 | name: 
"LogFileSize" 134 | data: "16384" 135 | type: dword 136 | 137 | - name: "9.2.9,CCE-35972-9 | Ensure 'Windows Firewall - Private - Logging - Log dropped packets' is set to 'Yes'" 138 | win_regedit: 139 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile\Logging 140 | name: "LogDroppedPackets" 141 | data: "1" 142 | type: dword 143 | 144 | - name: "9.2.10,CCE-37387-8 | Ensure 'Windows Firewall - Private - Logging - Log successful connections' is set to 'Yes'" 145 | win_regedit: 146 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Privateprofile\Logging 147 | name: "LogSuccessfulConnections" 148 | data: "1" 149 | type: dword 150 | 151 | - name: "9.3.1,CCE-37862-0 | Ensure 'Windows Firewall - Public - Firewall state' is set to 'On (recommended)'" 152 | win_regedit: 153 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile 154 | name: "EnableFirewall" 155 | data: "1" 156 | type: dword 157 | 158 | #This control is set to Disabled (0) to allow for continued remote management of the node following machine restart 159 | - name: "9.3.2,CCE-36057-8 | Ensure 'Windows Firewall - Public - Inbound connections' is set to 'Block (default)'" 160 | win_regedit: 161 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile 162 | name: "DefaultInboundAction" 163 | data: "0" #"1" 164 | type: dword 165 | 166 | - name: "9.3.3,CCE-37434-8 | Ensure 'Windows Firewall - Public - Outbound connections' is set to 'Allow (default)'" 167 | win_regedit: 168 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile 169 | name: "DefaultOutboundAction" 170 | data: "0" 171 | type: dword 172 | 173 | - name: "9.3.4,CCE-38043-6 | Ensure 'Windows Firewall - Public - Settings - Display a notification' is set to 'Yes'" 174 | win_regedit: 175 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile 176 | name: "DisableNotifications" 177 | data: "0" 178 | type: dword 179 | 180 | - name: "9.3.5,CCE-37861-2 | Ensure 
'Windows Firewall - Public - Settings - Apply local firewall rules' is set to 'No'" 181 | win_regedit: 182 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile 183 | name: "AllowLocalPolicyMerge" 184 | data: "0" 185 | type: dword 186 | 187 | - name: "9.3.6,CCE-36268-1 | Ensure 'Windows Firewall - Public - Settings - Apply local connection security rules' is set to 'No'" 188 | win_regedit: 189 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile 190 | name: "AllowLocalIPsecPolicyMerge" 191 | data: "0" 192 | type: dword 193 | 194 | - name: "9.3.7,CCE-37266-4 | Ensure 'Windows Firewall - Public - Logging - Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'" 195 | win_regedit: 196 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile\Logging 197 | name: "LogFilePath" 198 | data: "%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log" 199 | type: string 200 | 201 | - name: "9.3.8,CCE-36395-2 | Ensure 'Windows Firewall - Public - Logging - Size limit (KB)' is set to '16,384 KB or greater'" 202 | win_regedit: 203 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile\Logging 204 | name: "LogFileSize" 205 | data: "16384" 206 | type: dword 207 | 208 | - name: "9.3.9,CCE-37265-6 | Ensure 'Windows Firewall - Public - Logging - Log dropped packets' is set to 'Yes'" 209 | win_regedit: 210 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile\Logging 211 | name: "LogDroppedPackets" 212 | data: "1" 213 | type: dword 214 | 215 | - name: "9.3.10,CCE-36394-5 | Ensure 'Windows Firewall - Public - Logging - Log successful connections' is set to 'Yes'" 216 | win_regedit: 217 | path: HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile\Logging 218 | name: "LogSuccessfulConnections" 219 | data: "1" 220 | type: dword 221 | 222 | ######### 223 | ## EOF ## 224 | ######### 225 | -------------------------------------------------------------------------------- 
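The win_regedit tasks above only write values; nothing in the role reads them back. The following PowerShell script is an added example, not part of the ansible-os-win-2016 role, that performs a read-only drift check on a sample of the registry-backed controls from sections 2, 9 and 18. The paths, value names and expected values are copied from the tasks; the selection of controls is a constructed subset chosen for illustration, not the complete benchmark. For 9.3.2 the script checks the benchmark value (1 = Block), so a host built from the role's shipped default of 0 is expected to be flagged on that item, which matches the deviation the README lists.

```powershell
# Added example (not part of the role): read-only drift check for a sample of
# the role's registry-backed controls. Run in an elevated PowerShell session on
# the target host; it never writes to the registry.
# Expected values are the benchmark values from the role's task names/data; the
# list of sampled controls is constructed for this example.

$Controls = @(
    @{ Id = '2.3.7.6';  Path = 'HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon';                 Name = 'cachedlogonscount';    Expected = '1' }
    @{ Id = '2.3.11.5'; Path = 'HKLM:\System\Currentcontrolset\Control\Lsa';                                  Name = 'NoLMHash';             Expected = 1 }
    @{ Id = '2.3.11.7'; Path = 'HKLM:\System\Currentcontrolset\Control\Lsa';                                  Name = 'LMCompatibilityLevel'; Expected = 5 }
    @{ Id = '2.3.11.9'; Path = 'HKLM:\System\Currentcontrolset\Control\Lsa\Msv1_0';                           Name = 'NTLMMinClientSec';     Expected = 537395200 }
    @{ Id = '9.1.1';    Path = 'HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile';             Name = 'EnableFirewall';       Expected = 1 }
    @{ Id = '9.1.9';    Path = 'HKLM:\Software\Policies\Microsoft\Windowsfirewall\Domainprofile\Logging';     Name = 'LogDroppedPackets';    Expected = 1 }
    # Benchmark value (1 = Block). The role as shipped deliberately writes 0 here,
    # so a host built from the role's defaults will be reported as drifted on this item.
    @{ Id = '9.3.2';    Path = 'HKLM:\Software\Policies\Microsoft\Windowsfirewall\Publicprofile';             Name = 'DefaultInboundAction'; Expected = 1 }
    @{ Id = '18.6.2';   Path = 'HKLM:\System\Currentcontrolset\Control\Securityproviders\Wdigest';            Name = 'UseLogonCredential';   Expected = 0 }
)

function Test-RegistryControl {
    # Reads one value and reports whether it matches the expected setting.
    # A missing key or value counts as non-compliant (the policy is not enforced).
    param([Parameter(Mandatory)][hashtable]$Control)

    $item   = Get-ItemProperty -Path $Control.Path -Name $Control.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Control.Name) } else { $null }

    [pscustomobject]@{
        Id        = $Control.Id
        Name      = $Control.Name
        Expected  = $Control.Expected
        Actual    = if ($null -eq $actual) { '<missing>' } else { $actual }
        Compliant = ($null -ne $actual) -and ($actual -eq $Control.Expected)
    }
}

$results = foreach ($c in $Controls) { Test-RegistryControl -Control $c }
$results | Format-Table Id, Name, Expected, Actual, Compliant -AutoSize

# Non-zero exit so the check can gate a pipeline or a scheduled job.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} of {1} sampled control(s) do not match the benchmark value" -f $drift.Count, $Controls.Count)
    exit 1
}
```

The comparison is deliberately loose (`-eq` between the registry value and the expected literal) so that REG_SZ controls such as cachedlogonscount compare as strings while REG_DWORD controls compare as integers; extend `$Controls` with further rows from the task files to widen the check.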
/tasks/section17.yml:
--------------------------------------------------------------------------------
##########################
##########################
## CIS LEVEL 1 SETTINGS ##
##########################
##########################

###########################
## AUDIT POLICY SETTINGS ##
###########################

- name: "17.1.1,CCE-37741-6 | Ensure 'Audit Credential Validation' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Credential Validation
    audit_type: success, failure

- name: "17.2.1,CCE-38329-9 | Ensure 'Audit Application Group Management' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Application Group Management
    audit_type: success, failure

- name: "17.2.2,CCE-38004-8 | Ensure 'Audit Computer Account Management' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Computer Account Management
    audit_type: success, failure

- name: "17.2.4,CCE-37855-4 | Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Other Account Management Events
    audit_type: success, failure

- name: "17.2.5,CCE-38034-5 | Ensure 'Audit Security Group Management' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Security Group Management
    audit_type: success, failure

- name: "17.2.6,CCE-37856-2 | Ensure 'Audit User Account Management' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: User Account Management
    audit_type: success, failure

- name: "17.3.1,CCE-Null | Ensure 'Audit PNP Activity' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Plug and Play Events
    audit_type: success

- name: "17.3.2,CCE-36059-4 | Ensure 'Audit Process Creation' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Process Creation
    audit_type: success

- name: "17.5.1,CCE-37133-6 | Ensure 'Audit Account Lockout' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Account Lockout
    audit_type: success, failure

- name: "17.5.2,CCE-Null | Ensure 'Audit Group Membership' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Group Membership
    audit_type: success

- name: "17.5.3,CCE-38237-4 | Ensure 'Audit Logoff' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Logoff
    audit_type: success

- name: "17.5.4,CCE-38036-0 | Ensure 'Audit Logon' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Logon
    audit_type: success, failure

- name: "17.5.5,CCE-36322-6 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Other Logon/Logoff Events
    audit_type: success, failure

- name: "17.5.6,CCE-36266-5 | Ensure 'Audit Special Logon' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Special Logon
    audit_type: success

- name: "17.6.1,CCE-37617-8 | Ensure 'Audit Removable Storage' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Removable Storage
    audit_type: success, failure

- name: "17.7.1,CCE-38028-7 | Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Audit Policy Change
    audit_type: success, failure

- name: "17.7.2,CCE-38327-3 | Ensure 'Audit Authentication Policy Change' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Authentication Policy Change
    audit_type: success

- name: "17.7.3,CCE-36320-0 | Ensure 'Audit Authorization Policy Change' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Authorization Policy Change
    audit_type: success

- name: "17.8.1,CCE-36267-3 | Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Sensitive Privilege Use
    audit_type: success, failure

- name: "17.9.1,CCE-37853-9 | Ensure 'Audit IPsec Driver' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: IPsec Driver
    audit_type: success, failure

- name: "17.9.2,CCE-38030-3 | Ensure 'Audit Other System Events' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Other System Events
    audit_type: success, failure

- name: "17.9.3,CCE-38114-5 | Ensure 'Audit Security State Change' is set to 'Success'"
  win_audit_policy_system:
    subcategory: Security State Change
    audit_type: success

- name: "17.9.4,CCE-36144-4 | Ensure 'Audit Security System Extension' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: Security System Extension
    audit_type: success, failure

- name: "17.9.5,CCE-37132-8 | Ensure 'Audit System Integrity' is set to 'Success and Failure'"
  win_audit_policy_system:
    subcategory: System Integrity
    audit_type: success, failure

#########
## EOF ##
#########

--------------------------------------------------------------------------------
/tasks/section18.yml:
--------------------------------------------------------------------------------
##########################
##########################
## CIS LEVEL 1 SETTINGS ##
##########################
##########################

- name: "18.1.1.1,CCE-38347-1 | Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
    name: "NoLockScreenCamera"
    data: "1"
    type: dword

- name: "18.1.1.2,CCE-38348-9 | Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Personalization
    name: "NoLockScreenSlideshow"
    data: "1"
    type: dword

- name: "18.1.2.1,CCE-Null | Ensure 'Allow Input Personalization' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Inputpersonalization
    name: "AllowInputPersonalization"
    data: "0"
    type: dword

- name: "18.3.1,CCE-37067-6 | Ensure 'MSS - (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
    name: "AutoAdminLogon"
    data: "0"
    type: string

- name: "18.3.2,CCE-36871-2 | Ensure 'MSS - (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters
    name: "DisableIPSourceRouting"
    data: "2"
    type: dword

- name: "18.3.3,CCE-36535-3 | Ensure 'MSS - (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
    name: "DisableIPSourceRouting"
    data: "2"
    type: dword

- name: "18.3.4,CCE-37988-3 | Ensure 'MSS - (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters
    name: "EnableICMPRedirect"
    data: "0"
    type: dword

- name: "18.3.6,CCE-36879-5 | Ensure 'MSS - (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Netbt\Parameters
    name: "nonamereleaseondemand"
    data: "1"
    type: dword

- name: "18.3.8,CCE-36351-5 | Ensure 'MSS - (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Session Manager
    name: "SafeDllSearchMode"
    data: "1"
    type: dword

- name: "18.3.9,CCE-37993-3 | Ensure 'MSS - (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled - 5 or fewer seconds'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows Nt\Currentversion\Winlogon
    name: "ScreenSaverGracePeriod"
    data: "5"
    type: string

- name: "18.3.12,CCE-36880-3 | Ensure 'MSS - (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Services\Eventlog\Security
    name: "WarningLevel"
    data: "90"
    type: dword

- name: "18.4.4.1,CCE-Null | Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)')"
  win_regedit:
    path: HKLM:\System\CurrentControlSet\Services\NetBT\Parameters
    name: "NodeType"
    data: "2"
    type: dword

- name: "18.4.4.2,CCE-Null | Ensure 'Turn off multicast name resolution' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient
    name: "EnableMulticast"
    data: "0"
    type: dword

- name: "18.4.8.1,CCE-Null | Ensure 'Enable insecure guest logons' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Lanmanworkstation
    name: "AllowInsecureGuestAuth"
    data: "0"
    type: dword

- name: "18.4.11.2,CCE-38002-2 | Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
    name: "NC_AllowNetBridge_NLA"
    data: "0"
    type: dword

- name: "18.4.11.3,CCE-Null | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections
    name: "NC_ShowSharedAccessUI"
    data: "0"
    type: dword

- name: "18.4.11.4,CCE-38188-9 | Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Network Connections
    name: "NC_StdDomainUserSetLocation"
    data: "1"
    type: dword

- name: "18.4.14.1,CCE-Null | Hardened UNC Paths is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for NETLOGON shares'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
    name: "\\\\*\\NETLOGON"
    data: "RequireMutualAuthentication=1, RequireIntegrity=1"
    type: string

- name: "18.4.14.1,CCE-Null | Hardened UNC Paths is set to 'Enabled, with 'Require Mutual Authentication' and 'Require Integrity' set for SYSVOL shares'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Networkprovider\Hardenedpaths
    name: "\\\\*\\SYSVOL"
    data: "RequireMutualAuthentication=1, RequireIntegrity=1"
    type: string

- name: "18.4.21.1,CCE-38338-0 | Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy
    name: "fMinimizeConnections"
    data: "1"
    type: dword

- name: "18.6.1,CCE-37069-2 | Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "LocalAccountTokenFilterPolicy"
    data: "0"
    type: dword

- name: "18.6.2,CCE-38444-6 | Ensure 'WDigest Authentication' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Control\Securityproviders\Wdigest
    name: "UseLogonCredential"
    data: "0"
    type: dword

- name: "18.8.3.1,CCE-36925-6 | Ensure 'Include command line in process creation events' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System\Audit
    name: "ProcessCreationIncludeCmdLine_Enabled"
    data: "0"
    type: dword

- name: "18.8.12.1,CCE-37912-3 | Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled - Good, unknown and bad but critical'"
  win_regedit:
    path: HKLM:\System\Currentcontrolset\Policies\Earlylaunch
    name: "DriverLoadPolicy"
    data: "3"
    type: dword

- name: "18.8.19.2,CCE-36169-1 | Ensure 'Configure registry policy processing - Do not apply during periodic background processing' is set to 'Enabled - FALSE'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
    name: "NoBackgroundPolicy"
    data: "0"
    type: dword

- name: "18.8.19.3,CCE-36169-1 | Ensure 'Configure registry policy processing - Process even if the Group Policy objects have not changed' is set to 'Enabled - TRUE'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378Eac-683F-11D2-A89A-00C04Fbbcfa2}
    name: "NoGPOListChanges"
    data: "0"
    type: dword

- name: "18.8.19.4,CCE-Null | Ensure 'Continue experiences on this device' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System
    name: "EnableCdp"
    data: "0"
    type: dword

# DisableBkGndGroupPolicy is a REG_DWORD value under Policies\System, not a subkey.
# Deleting a (non-existent) subkey of that name would leave the value in place, so
# the task removes the value itself; with it absent, background refresh stays enabled.
- name: "18.8.19.5,CCE-37712-7 | Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "DisableBkGndGroupPolicy"
    state: absent

- name: "18.8.25.1,CCE-Null | Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\System
    name: "BlockUserFromShowingAccountDetailsOnSignin"
    data: "1"
    type: dword

- name: "18.8.25.2,CCE-38353-9 | Ensure 'Do not display network selection UI' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\System
    name: "DontDisplayNetworkSelectionUI"
    data: "1"
    type: dword

- name: "18.8.25.3,CCE-37838-0 | Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\System
    name: "DontEnumerateConnectedUsers"
    data: "1"
    type: dword

- name: "18.8.25.4,CCE-35894-5 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\System
    name: "EnumerateLocalUsers"
    data: "0"
    type: dword

- name: "18.8.25.5,CCE-35893-7 | Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\System
    name: "DisableLockScreenAppNotifications"
    data: "1"
    type: dword

- name: "18.8.25.6,CCE-37528-7 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\System
    name: "AllowDomainPINLogon"
    data: "0"
    type: dword

# The value name "MitigationOptions_FontBocking" (sic) is how Windows spells it.
# The policy expects a REG_QWORD of 0x1000000000000 (Block), so the value is written
# as a qword using its decimal form rather than as a REG_SZ string.
- name: "18.8.26.1,CCE-Null | Ensure 'Untrusted Font Blocking' is set to 'Enabled - Block untrusted fonts and log events'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Mitigationoptions
    name: "MitigationOptions_FontBocking"
    data: 281474976710656 # 0x1000000000000
    type: qword

- name: "18.8.31.1,CCE-36388-7 | Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
    name: "fAllowUnsolicited"
    data: "0"
    type: dword

- name: "18.8.31.2,CCE-37281-3 | Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services
    name: "fAllowToGetHelp"
    data: "0"
    type: dword

- name: "18.8.32.1,CCE-37346-4 | Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
    name: "EnableAuthEpResolution"
    data: "1"
    type: dword

- name: "18.9.6.1,CCE-38354-7 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "MSAOptional"
    data: "1"
    type: dword

- name: "18.9.8.1,CCE-37636-8 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Explorer
    name: "NoAutoplayfornonVolume"
    data: "1"
    type: dword

- name: "18.9.8.2,CCE-38217-6 | Ensure 'Set the default behavior for AutoRun' is set to 'Enabled - Do not execute any autorun commands'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
    name: "NoAutorun"
    data: "1"
    type: dword

- name: "18.9.8.3,CCE-36875-3 | Ensure 'Turn off Autoplay' is set to 'Enabled - All drives'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
    name: "NoDriveTypeAutoRun"
    data: "255"
    type: dword

- name: "18.9.10.1.1,CCE-Null | Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Biometrics\Facialfeatures
    name: "EnhancedAntiSpoofing"
    data: "1"
    type: dword

- name: "18.9.13.1,CCE-Null | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Cloudcontent
    name: "DisableWindowsConsumerFeatures"
    data: "1"
    type: dword

- name: "18.9.14.1,CCE-Null | Ensure 'Require pin for pairing' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect
    name: "RequirePinForPairing"
    data: "1"
    type: dword

- name: "18.9.15.1,CCE-37534-5 | Ensure 'Do not display the password reveal button' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Credui
    name: "DisablePasswordReveal"
    data: "1"
    type: dword

- name: "18.9.15.2,CCE-36512-2 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Credui
    name: "EnumerateAdministrators"
    data: "0"
    type: dword

- name: "18.9.16.1,CCE-Null | Ensure 'Allow Telemetry' is set to 'Enabled - 0 - Security [Enterprise Only]'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
    name: "AllowTelemetry"
    data: "0"
    type: dword

- name: "18.9.16.2,CCE-Null | Ensure 'Disable pre-release features or settings' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
    name: "EnableConfigFlighting"
    data: "0"
    type: dword

- name: "18.9.16.3,CCE-Null | Ensure 'Do not show feedback notifications' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Datacollection
    name: "DoNotShowFeedbackNotifications"
    data: "1"
    type: dword

- name: "18.9.16.4,CCE-Null | Ensure 'Toggle user control over Insider builds' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Previewbuilds
    name: "AllowBuildPreview"
    data: "0"
    type: dword

- name: "18.9.26.1.1,CCE-37775-4 | Ensure 'Application - Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
    name: "Retention"
    data: "0"
    type: string

- name: "18.9.26.1.2,CCE-37948-7 | Ensure 'Application - Specify the maximum log file size (KB)' is set to 'Enabled - 32,768 or greater' [GSA-65,538 or greater]"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Application
    name: "MaxSize"
    data: "65538"
    type: dword

- name: "18.9.26.2.1,CCE-37145-0 | Ensure 'Security - Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
    name: "Retention"
    data: "0"
    type: string

- name: "18.9.26.2.2,CCE-37695-4 | Ensure 'Security - Specify the maximum log file size (KB)' is set to 'Enabled - 196,608 or greater'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Security
    name: "MaxSize"
    data: "196608"
    type: dword

- name: "18.9.26.3.1,CCE-38276-2 | Ensure 'Setup - Control Event Log 
behavior when the log file reaches its maximum size' is set to 'Disabled'" 392 | win_regedit: 393 | path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup 394 | name: "Retention" 395 | data: "0" 396 | type: string 397 | 398 | - name: "18.9.26.3.2,CCE-37526-1 | Ensure 'Setup - Specify the maximum log file size (KB)' is set to 'Enabled - 32,768 or greater'" 399 | win_regedit: 400 | path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\Setup 401 | name: "MaxSize" 402 | data: "32768" 403 | type: dword 404 | 405 | - name: "18.9.26.4.1,CCE-36160-0 | Ensure 'System - Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'" 406 | win_regedit: 407 | path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System 408 | name: "Retention" 409 | data: "0" 410 | type: string 411 | 412 | - name: "18.9.26.4.2,CCE-36092-5 | Ensure 'System - Specify the maximum log file size (KB)' is set to 'Enabled - 32,768 or greater' [GSA-65,538 or greater]" 413 | win_regedit: 414 | path: HKLM:\Software\Policies\Microsoft\Windows\Eventlog\System 415 | name: "MaxSize" 416 | data: "65538" 417 | type: dword 418 | 419 | - name: "18.9.30.2,CCE-35859-8 | Ensure 'Configure Windows SmartScreen' is set to 'Enabled'" 420 | win_regedit: 421 | path: HKLM:\Software\Policies\Microsoft\Windows\System 422 | name: "EnableSmartScreen" 423 | data: "1" 424 | type: dword 425 | 426 | - name: "18.9.30.3,CCE-37809-1 | Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'" 427 | win_regedit: 428 | path: HKLM:\Software\Policies\Microsoft\Windows\Explorer 429 | name: "NoDataExecutionPrevention" 430 | data: "0" 431 | type: dword 432 | 433 | - name: "18.9.30.4,CCE-36660-9 | Ensure 'Turn off heap termination on corruption' is set to 'Disabled'" 434 | win_regedit: 435 | path: HKLM:\Software\Policies\Microsoft\Windows\Explorer 436 | name: "NoHeapTerminationOnCorruption" 437 | data: "0" 438 | type: dword 439 | 440 | - name: "18.9.30.5,CCE-36809-2 | Ensure 
'Turn off shell protocol protected mode' is set to 'Disabled'" 441 | win_regedit: 442 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer 443 | name: "PreXPSP2ShellProtocolBehavior" 444 | data: "0" 445 | type: dword 446 | 447 | - name: "18.9.41.3,CCE-Null | Ensure 'Configure cookies' is set to 'Enabled - Block only 3rd-party cookies' or higher" 448 | win_regedit: 449 | path: HKLM:\Software\Policies\Microsoft\Microsoftedge\Main 450 | name: "Cookies" 451 | data: "1" 452 | type: dword 453 | 454 | - name: "18.9.41.4,CCE-Null | Ensure 'Configure Password Manager' is set to 'Disabled'" 455 | win_regedit: 456 | path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main 457 | name: "FormSuggest Passwords" 458 | data: "no" 459 | type: string 460 | 461 | - name: "18.9.41.6,CCE-Null | Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'" 462 | win_regedit: 463 | path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\SearchScopes 464 | name: "ShowSearchSuggestionsGlobal" 465 | data: "0" 466 | type: dword 467 | 468 | - name: "18.9.41.7,CCE-Null | Ensure 'Configure SmartScreen Filter' is set to 'Enabled'" 469 | win_regedit: 470 | path: HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter 471 | name: "EnabledV9" 472 | data: "1" 473 | type: dword 474 | 475 | - name: "18.9.47.1,CCE-36939-7 | Ensure 'Prevent the usage of OneDrive (formerly SkyDrive) for file storage' is set to 'Enabled'" 476 | win_regedit: 477 | path: HKLM:\Software\Policies\Microsoft\Windows\Onedrive 478 | name: "DisableFileSyncNGSC" 479 | data: "1" 480 | type: dword 481 | 482 | - name: "18.9.52.2.2,CCE-36223-6 | Ensure 'Do not allow passwords to be saved' is set to 'Enabled'" 483 | win_regedit: 484 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 485 | name: "DisablePasswordSaving" 486 | data: "1" 487 | type: dword 488 | 489 | - name: "18.9.52.3.3.2,CCE-36509-8 | Ensure 'Do not allow drive redirection' is set to 'Enabled'" 490 | win_regedit: 
491 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 492 | name: "fDisableCdm" 493 | data: "1" 494 | type: dword 495 | 496 | - name: "18.9.52.3.9.1,CCE-37929-7 | Ensure 'Always prompt for password upon connection' is set to 'Enabled'" 497 | win_regedit: 498 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 499 | name: "fPromptForPassword" 500 | data: "1" 501 | type: dword 502 | 503 | - name: "18.9.52.3.9.2,CCE-37567-5 | Ensure 'Require secure RPC communication' is set to 'Enabled'" 504 | win_regedit: 505 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 506 | name: "fEncryptRPCTraffic" 507 | data: "1" 508 | type: dword 509 | 510 | - name: "18.9.52.3.9.3,CCE-36627-8 | Ensure 'Set client connection encryption level' is set to 'Enabled - High Level'" 511 | win_regedit: 512 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 513 | name: "MinEncryptionLevel" 514 | data: "3" 515 | type: dword 516 | 517 | - name: "18.9.52.3.11.1,CCE-37946-1 | Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'" 518 | win_regedit: 519 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 520 | name: "DeleteTempDirsOnExit" 521 | data: "1" 522 | type: dword 523 | 524 | - name: "18.9.52.3.11.2,CCE-38180-6 | Ensure 'Do not use temporary folders per session' is set to 'Disabled'" 525 | win_regedit: 526 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 527 | name: "PerSessionTempDir" 528 | data: "1" 529 | type: dword 530 | 531 | - name: "18.9.53.1,CCE-37126-0 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'" 532 | win_regedit: 533 | path: HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds 534 | name: "DisableEnclosureDownload" 535 | data: "1" 536 | type: dword 537 | 538 | - name: "18.9.54.2,CCE-Null | Ensure 'Allow Cortana' is set to 'Disabled'" 539 | win_regedit: 540 | path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search 541 | 
name: "AllowCortana" 542 | data: "0" 543 | type: dword 544 | 545 | - name: "18.9.54.3,CCE-Null | Ensure 'Allow Cortana above lock screen' is set to 'Disabled'" 546 | win_regedit: 547 | path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search 548 | name: "AllowCortanaAboveLock" 549 | data: "0" 550 | type: dword 551 | 552 | - name: "18.9.54.4,CCE-38277-0 | Ensure 'Allow indexing of encrypted files' is set to 'Disabled'" 553 | win_regedit: 554 | path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search 555 | name: "AllowIndexingEncryptedStoresOrItems" 556 | data: "0" 557 | type: dword 558 | 559 | - name: "18.9.54.5,CCE-Null | Ensure 'Allow search and Cortana to use location' is set to 'Disabled'" 560 | win_regedit: 561 | path: HKLM:\Software\Policies\Microsoft\Windows\Windows Search 562 | name: "AllowSearchToUseLocation" 563 | data: "0" 564 | type: dword 565 | 566 | - name: "18.9.61.2,CCE-38360-4 | Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'" 567 | win_regedit: 568 | path: HKLM:\Software\Policies\Microsoft\Windowsstore 569 | name: "AutoDownload" 570 | data: "4" 571 | type: dword 572 | 573 | - name: "18.9.61.3,CCE-38362-0 | Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'" 574 | win_regedit: 575 | path: HKLM:\Software\Policies\Microsoft\Windowsstore 576 | name: "DisableOSUpgrade" 577 | data: "1" 578 | type: dword 579 | 580 | - name: "18.9.73.2,CCE-Null | Ensure 'Allow Windows Ink Workspace' is set to 'Enabled - On, but disallow access above lock' OR 'Disabled' but not 'Enabled - On'" 581 | win_regedit: 582 | path: HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace 583 | name: "AllowWindowsInkWorkspace" 584 | data: "1" 585 | type: dword 586 | 587 | - name: "18.9.74.1,CCE-36400-0 | Ensure 'Allow user control over installs' is set to 'Disabled'" 588 | win_regedit: 589 | path: HKLM:\Software\Policies\Microsoft\Windows\Installer 590 | name: "EnableUserControl" 591 | data: "0" 592 | 
type: dword 593 | 594 | - name: "18.9.74.2,CCE-36919-9 | Ensure 'Always install with elevated privileges' is set to 'Disabled'" 595 | win_regedit: 596 | path: HKLM:\Software\Policies\Microsoft\Windows\Installer 597 | name: "AlwaysInstallElevated" 598 | data: "0" 599 | type: dword 600 | 601 | - name: "18.9.75.1,CCE-36977-7 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'" 602 | win_regedit: 603 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System 604 | name: "DisableAutomaticRestartSignOn" 605 | data: "1" 606 | type: dword 607 | 608 | ######################### 609 | ## POWERSHELL SETTINGS ## 610 | ######################### 611 | 612 | - name: "CIS-Null,CCE-Null | Ensure 'Turn on PowerShell Module Logging' is set to 'Enabled, Modules=*'" 613 | win_regedit: 614 | path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\ModuleLogging 615 | name: "EnableModuleLogging" 616 | data: "1" 617 | type: dword 618 | 619 | - name: "18.9.84.1,CCE-Null | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' [GSA-Enabled]" 620 | win_regedit: 621 | path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Scriptblocklogging 622 | name: "EnableScriptBlockLogging" 623 | data: "1" 624 | type: dword 625 | 626 | - name: "18.9.84.2,CCE-Null | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' [GSA-Enabled]" 627 | win_regedit: 628 | path: HKLM:\Software\Policies\Microsoft\Windows\Powershell\Transcription 629 | name: "EnableTranscripting" 630 | data: "1" 631 | type: dword 632 | 633 | #################### 634 | ## WINRM SETTINGS ## 635 | #################### 636 | 637 | - name: "18.9.86.1.1,CCE-36310-1 | Ensure 'Allow Basic authentication' is set to 'Disabled'" 638 | win_regedit: 639 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client 640 | name: "AllowBasic" 641 | data: "0" 642 | type: dword 643 | 644 | - name: "18.9.86.1.2,CCE-37726-7 | Ensure 'Allow unencrypted traffic' 
is set to 'Disabled'" 645 | win_regedit: 646 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client 647 | name: "AllowUnencryptedTraffic" 648 | data: "0" 649 | type: dword 650 | 651 | - name: "18.9.86.1.3,CCE-38318-2 | Ensure 'Disallow Digest authentication' is set to 'Enabled'" 652 | win_regedit: 653 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Client 654 | name: "AllowDigest" 655 | data: "0" 656 | type: dword 657 | 658 | - name: "18.9.86.2.1,CCE-36254-1 | Ensure 'Allow Basic authentication' is set to 'Disabled'" 659 | win_regedit: 660 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service 661 | name: "AllowBasic" 662 | data: "0" 663 | type: dword 664 | 665 | #This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart 666 | - name: "18.9.86.2.2,CCE-37927-1 | Ensure 'Allow remote server management through WinRM' is set to 'Disabled'" 667 | win_regedit: 668 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service 669 | name: "AllowAutoConfig" 670 | data: "0" 671 | type: dword 672 | 673 | - name: "18.9.86.2.3,CCE-38223-4 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'" 674 | win_regedit: 675 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service 676 | name: "AllowUnencryptedTraffic" 677 | data: "0" 678 | type: dword 679 | 680 | - name: "18.9.86.2.4,CCE-36000-8 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'" 681 | win_regedit: 682 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service 683 | name: "DisableRunAs" 684 | data: "1" 685 | type: dword 686 | 687 | #This control will have to be set to Enabled (1) to allow for continued remote management via Ansible following machine restart 688 | - name: "18.9.87.1,CCE-36499-2 | Ensure 'Allow Remote Shell Access' is set to 'Disabled'" 689 | win_regedit: 690 | path: HKLM:\Software\Policies\Microsoft\Windows\Winrm\Service\Winrs 691 | name: "AllowRemoteShellAccess" 692 | 
data: "0" 693 | type: dword 694 | 695 | ############################# 696 | ## WINDOWS UPDATE SETTINGS ## 697 | ############################# 698 | 699 | - name: "18.9.90.1.1,CCE-Null | Ensure 'Select when Feature Updates are received' is 'Enabled - Current Branch for Business, 180 days' - DeferFeatureUpdates" 700 | win_regedit: 701 | path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 702 | name: "DeferFeatureUpdates" 703 | data: "1" 704 | type: dword 705 | 706 | - name: "18.9.90.1.1,CCE-Null | Ensure 'Select when Feature Updates are received' is 'Enabled - Current Branch for Business, 180 days' - DeferFeatureUpdatesPeriodInDays" 707 | win_regedit: 708 | path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 709 | name: "DeferFeatureUpdatesPeriodInDays" 710 | data: "180" 711 | type: dword 712 | 713 | - name: "18.9.90.1.1,CCE-Null | Ensure 'Select when Feature Updates are received' is 'Enabled - Current Branch for Business, 180 days' - BranchReadinessLevel" 714 | win_regedit: 715 | path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 716 | name: "BranchReadinessLevel" 717 | data: "32" 718 | type: dword 719 | 720 | - name: "18.9.90.1.2,CCE-Null | Ensure 'Select when Quality Updates are received' is set to 'Enabled - 0 days' - DeferQualityUpdates" 721 | win_regedit: 722 | path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 723 | name: "DeferQualityUpdates" 724 | data: "1" 725 | type: dword 726 | 727 | - name: "18.9.90.1.2,CCE-Null | Ensure 'Select when Quality Updates are received' is set to 'Enabled - 0 days' - DeferQualityUpdatesPeriodInDays" 728 | win_regedit: 729 | path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate 730 | name: "DeferQualityUpdatesPeriodInDays" 731 | data: "0" 732 | type: dword 733 | 734 | - name: "18.9.90.2,CCE-36172-5 | Ensure 'Configure Automatic Updates' is set to 'Enabled'" 735 | win_regedit: 736 | path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au 737 | name: "NoAutoUpdate" 738 | 
data: "0" 739 | type: dword 740 | 741 | - name: "18.9.90.3,CCE-36172-5 | Ensure 'Configure Automatic Updates - Scheduled install day' is set to '0 - Every day'" 742 | win_regedit: 743 | path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au 744 | name: "ScheduledInstallDay" 745 | data: "0" 746 | type: dword 747 | 748 | - name: "18.9.90.4,CCE-37027-0 | Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'" 749 | win_regedit: 750 | path: HKLM:\Software\Policies\Microsoft\Windows\Windowsupdate\Au 751 | name: "NoAutoRebootWithLoggedOnUsers" 752 | data: "0" 753 | type: dword 754 | 755 | ########################## 756 | ########################## 757 | ## CIS LEVEL 2 SETTINGS ## 758 | ########################## 759 | ########################## 760 | 761 | - name: "18.3.5,CCE-36868-8 | Ensure 'MSS - (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled - 300,000 or 5 minutes'" 762 | win_regedit: 763 | path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters 764 | name: "KeepAliveTime" 765 | data: "300000" 766 | type: dword 767 | 768 | - name: "18.3.7,CCE-38065-9 | Ensure 'MSS - (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'" 769 | win_regedit: 770 | path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters 771 | name: "PerformRouterDiscovery" 772 | data: "0" 773 | type: dword 774 | 775 | - name: "18.3.10,CCE-37846-3 | Ensure 'MSS - (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled - 3'" 776 | win_regedit: 777 | path: HKLM:\System\Currentcontrolset\Services\Tcpip6\Parameters 778 | name: "tcpmaxdataretransmissions" 779 | data: "3" 780 | type: dword 781 | 782 | - name: "18.3.11,CCE-36051-1 | Ensure 'MSS - (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled - 3'" 783 | win_regedit: 
784 | path: HKLM:\System\Currentcontrolset\Services\Tcpip\Parameters 785 | name: "tcpmaxdataretransmissions" 786 | data: "3" 787 | type: dword 788 | 789 | - name: "18.4.5.1,CCE-Null | Ensure 'Enable Font Providers' is set to 'Disabled'" 790 | win_regedit: 791 | path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\System 792 | name: "EnableFontProviders" 793 | data: "0" 794 | type: dword 795 | 796 | - name: "18.4.9.1,CCE-38170-7 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - AllowLLTDIOOndomain" 797 | win_regedit: 798 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 799 | name: "AllowLLTDIOOndomain" 800 | data: "0" 801 | type: dword 802 | 803 | - name: "18.4.9.1,CCE-38170-7 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - AllowLLTDIOOnPublicNet" 804 | win_regedit: 805 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 806 | name: "AllowLLTDIOOnPublicNet" 807 | data: "0" 808 | type: dword 809 | 810 | - name: "18.4.9.1,CCE-38170-7 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - EnableLLTDIO" 811 | win_regedit: 812 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 813 | name: "EnableLLTDIO" 814 | data: "0" 815 | type: dword 816 | 817 | - name: "18.4.9.1,CCE-38170-7 | Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' - ProhibitLLTDIOOnPrivateNet" 818 | win_regedit: 819 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 820 | name: "ProhibitLLTDIOOnPrivateNet" 821 | data: "0" 822 | type: dword 823 | 824 | - name: "18.4.9.2,CCE-37959-4 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - AllowRspndrOnDomain" 825 | win_regedit: 826 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 827 | name: "AllowRspndrOnDomain" 828 | data: "0" 829 | type: dword 830 | 831 | - name: "18.4.9.2,CCE-37959-4 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - AllowRspndrOnPublicNet" 832 | win_regedit: 833 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 834 | 
name: "AllowRspndrOnPublicNet" 835 | data: "0" 836 | type: dword 837 | 838 | - name: "18.4.9.2,CCE-37959-4 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - EnableRspndr" 839 | win_regedit: 840 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 841 | name: "EnableRspndr" 842 | data: "0" 843 | type: dword 844 | 845 | - name: "18.4.9.2,CCE-37959-4 | Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' - ProhibitRspndrOnPrivateNet" 846 | win_regedit: 847 | path: HKLM:\Software\Policies\Microsoft\Windows\Lltd 848 | name: "ProhibitRspndrOnPrivateNet" 849 | data: "0" 850 | type: dword 851 | 852 | - name: "18.4.10.2,CCE-37699-6 | Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled'" 853 | win_regedit: 854 | path: HKLM:\Software\Policies\Microsoft\Peernet 855 | name: "Disabled" 856 | data: "1" 857 | type: dword 858 | 859 | - name: "18.4.20.1,CCE-37481-9 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - EnableRegistrars" 860 | win_regedit: 861 | path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars 862 | name: "EnableRegistrars" 863 | data: "0" 864 | type: dword 865 | 866 | - name: "18.4.20.1,CCE-37481-9 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableUPnPRegistrar" 867 | win_regedit: 868 | path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars 869 | name: "DisableUPnPRegistrar" 870 | data: "0" 871 | type: dword 872 | 873 | - name: "18.4.20.1,CCE-37481-9 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableInBand802DOT11Registrar" 874 | win_regedit: 875 | path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars 876 | name: "DisableInBand802DOT11Registrar" 877 | data: "0" 878 | type: dword 879 | 880 | - name: "18.4.20.1,CCE-37481-9 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - 
DisableFlashConfigRegistrar" 881 | win_regedit: 882 | path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars 883 | name: "DisableFlashConfigRegistrar" 884 | data: "0" 885 | type: dword 886 | 887 | - name: "18.4.20.1,CCE-37481-9 | Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' - DisableWPDRegistrar" 888 | win_regedit: 889 | path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Registrars 890 | name: "DisableWPDRegistrar" 891 | data: "0" 892 | type: dword 893 | 894 | - name: "18.4.20.2,CCE-36109-7 | Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'" 895 | win_regedit: 896 | path: HKLM:\Software\Policies\Microsoft\Windows\Wcn\Ui 897 | name: "DisableWcnUi" 898 | data: "1" 899 | type: dword 900 | 901 | - name: "18.4.21.2,CCE-37627-7 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'" 902 | win_regedit: 903 | path: HKLM:\Software\Policies\Microsoft\Windows\Wcmsvc\Grouppolicy 904 | name: "fBlockNonDomain" 905 | data: "1" 906 | type: dword 907 | 908 | - name: "18.8.20.1.1,CCE-37904-0 | Ensure 'Turn off access to the Store' is set to 'Enabled'" 909 | win_regedit: 910 | path: HKLM:\Software\Policies\Microsoft\Windows\Explorer 911 | name: "NoUseStoreOpenWith" 912 | data: "1" 913 | type: dword 914 | 915 | - name: "18.8.20.1.2,CCE-36625-2 | Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'" 916 | win_regedit: 917 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers 918 | name: "DisableWebPnPDownload" 919 | data: "1" 920 | type: dword 921 | 922 | - name: "18.8.20.1.3,CCE-37911-5 | Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'" 923 | win_regedit: 924 | path: HKLM:\Software\Policies\Microsoft\Windows\Tabletpc 925 | name: "PreventHandwritingDataSharing" 926 | data: "1" 927 | type: dword 928 | 929 | - name: "18.8.20.1.4,CCE-36203-8 | Ensure 'Turn off handwriting 
recognition error reporting' is set to 'Enabled'" 930 | win_regedit: 931 | path: HKLM:\Software\Policies\Microsoft\Windows\Handwritingerrorreports 932 | name: "PreventHandwritingErrorReports" 933 | data: "1" 934 | type: dword 935 | 936 | - name: "18.8.20.1.5,CCE-37163-3 | Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'" 937 | win_regedit: 938 | path: HKLM:\Software\Policies\Microsoft\Windows\Internet Connection Wizard 939 | name: "ExitOnMSICW" 940 | data: "1" 941 | type: dword 942 | 943 | - name: "18.8.20.1.6,CCE-36096-6 | Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'" 944 | win_regedit: 945 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer 946 | name: "NoWebServices" 947 | data: "1" 948 | type: dword 949 | 950 | - name: "18.8.20.1.7,CCE-36920-7 | Ensure 'Turn off printing over HTTP' is set to 'Enabled'" 951 | win_regedit: 952 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Printers 953 | name: "DisableHTTPPrinting" 954 | data: "1" 955 | type: dword 956 | 957 | - name: "18.8.20.1.8,CCE-36352-3 | Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'" 958 | win_regedit: 959 | path: HKLM:\Software\Policies\Microsoft\Windows\Registration Wizard Control 960 | name: "NoRegistration" 961 | data: "1" 962 | type: dword 963 | 964 | - name: "18.8.20.1.9,CCE-36884-5 | Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'" 965 | win_regedit: 966 | path: HKLM:\Software\Policies\Microsoft\Searchcompanion 967 | name: "DisableContentFileUpdates" 968 | data: "1" 969 | type: dword 970 | 971 | - name: "18.8.20.1.10,CCE-38275-4 | Ensure 'Turn off the 'Order Prints' picture task' is set to 'Enabled'" 972 | win_regedit: 973 | path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer 974 | name: "NoOnlinePrintsWizard" 975 | data: "1" 976 | type: dword 977 | 978 
- name: "18.8.20.1.11,CCE-37090-8 | Ensure 'Turn off the 'Publish to Web' task for files and folders' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\Explorer
    name: "NoPublishingWizard"
    data: "1"
    type: dword

- name: "18.8.20.1.12,CCE-36628-6 | Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Messenger\Client
    name: "CEIP"
    data: "2"
    type: dword

- name: "18.8.20.1.13,CCE-36174-1 | Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Sqmclient\Windows
    name: "CEIPEnable"
    data: "0"
    type: dword

- name: "18.8.20.1.14,CCE-35964-6 | Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting
    name: "Disabled"
    data: "1"
    type: dword

- name: "18.8.23.1,CCE-Null | Ensure 'Support device authentication using certificate' is set to 'Enabled - Automatic' - Enabled"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
    name: "DevicePKInitEnabled"
    data: "1"
    type: dword

- name: "18.8.23.1,CCE-Null | Ensure 'Support device authentication using certificate' is set to 'Enabled - Automatic' - Behavior"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters
    name: "DevicePKInitBehavior"
    data: "0"
    type: dword

- name: "18.8.24.1,CCE-36343-2 | Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Control Panel\International
    name: "BlockUserInputMethodsForSignIn"
    data: "1"
    type: dword

- name: "18.8.29.5.3,CCE-36881-1 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Power\Powersettings\0E796Bdb-100D-47D6-A2D5-F7D2Daa51F51
    name: "DCSettingIndex"
    data: "1"
    type: dword

- name: "18.8.29.5.4,CCE-37066-8 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Power\Powersettings\0E796Bdb-100D-47D6-A2D5-F7D2Daa51F51
    name: "ACSettingIndex"
    data: "1"
    type: dword

- name: "18.8.32.2,CCE-36559-3 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled - Authenticated'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows Nt\Rpc
    name: "RestrictRemoteClients"
    data: "1"
    type: dword

- name: "18.8.39.5.1,CCE-38161-6 | Ensure 'Microsoft Support Diagnostic Tool - Turn on MSDT interactive communication with support provider' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Scripteddiagnosticsprovider\Policy
    name: "DisableQueryRemoteServer"
    data: "0"
    type: dword

- name: "18.8.39.11.1,CCE-36648-4 | Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Wdi\{9C5A40Da-B965-4Fc3-8781-88Dd50A6299D}
    name: "ScenarioExecutionEnabled"
    data: "0"
    type: dword

- name: "18.8.41.1,CCE-36931-4 | Ensure 'Turn off the advertising ID' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Advertisinginfo
    name: "DisabledByGroupPolicy"
    data: "1"
    type: dword

- name: "18.8.44.1.1,CCE-37843-0 | Ensure 'Enable Windows NTP Client' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpclient
    name: "Enabled"
    data: "1"
    type: dword

- name: "18.8.44.1.2,CCE-37319-1 | Ensure 'Enable Windows NTP Server' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\W32Time\Timeproviders\Ntpserver
    name: "Enabled"
    data: "0"
    type: dword

- name: "18.9.4.1,CCE-Null | Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Currentversion\Appmodel\Statemanager
    name: "AllowSharedLocalAppData"
    data: "0"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessAccountInfo"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessAccountInfo"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessCalendar"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessCalendar"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessCallHistory"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessCallHistory"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessCamera"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessCamera"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessContacts"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessContacts"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessEmail"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessEmail"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessLocation"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessLocation"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessMessaging"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessMessaging"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessMicrophone"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessMicrophone"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessMotion"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessMotion"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessRadios"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessRadios"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessTrustedDevices"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessTrustedDevices"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsSyncWithDevices"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsSyncWithDevices"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessPhone"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessPhone"
    data: "2"
    type: dword

- name: "18.9.5.1,CCE-Null | Ensure 'Let Windows apps *' is set to 'Enabled - Force Deny' - LetAppsAccessNotifications"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy
    name: "LetAppsAccessNotifications"
    data: "2"
    type: dword

- name: "18.9.6.2,CCE-Null | Ensure 'Block launching Windows Store apps with Windows Runtime API access from hosted content.' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Microsoft\Windows\Currentversion\Policies\System
    name: "BlockHostedAppAccessWinRT"
    data: "1"
    type: dword

- name: "18.9.37.2,CCE-36886-0 | Ensure 'Turn off location' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\Windows\Locationandsensors
    name: "DisableLocation"
    data: "1"
    type: dword

- name: "18.9.41.1,CCE-Null | Ensure 'Allow Extensions' is set to 'Disabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Extensions
    name: "ExtensionsEnabled"
    data: "0"
    type: dword

- name: "18.9.41.5,CCE-Null | Ensure 'Configure Pop-up Blocker' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main
    name: "AllowPopups"
    data: "yes"
    type: string

- name: "18.9.41.8,CCE-Null | Ensure 'Prevent access to the about-flags page in Microsoft Edge' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main
    name: "PreventAccessToAboutFlagsInMicrosoftEdge"
    data: "1"
    type: dword

- name: "18.9.41.9,CCE-Null | Ensure 'Prevent bypassing SmartScreen prompts for files' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter
    name: "PreventOverrideAppRepUnknown"
    data: "1"
    type: dword

- name: "18.9.41.10,CCE-Null | Ensure 'Prevent bypassing SmartScreen prompts for sites' is set to 'Enabled'"
  win_regedit:
    path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter
    name: "PreventOverride"
    data: "1"
    type: dword

- name: "18.9.41.11,CCE-Null | Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled'"
  win_regedit:
path: HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main 1247 | name: "HideLocalHostIP" 1248 | data: "1" 1249 | type: dword 1250 | 1251 | - name: "18.9.52.3.2.1,CCE-37708-5 | Ensure 'Restrict Remote Desktop Services users to a single Remote Desktop Services session' is set to 'Enabled'" 1252 | win_regedit: 1253 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 1254 | name: "fSingleSessionPerUser" 1255 | data: "1" 1256 | type: dword 1257 | 1258 | - name: "18.9.52.3.3.1,CCE-37696-2 | Ensure 'Do not allow COM port redirection' is set to 'Enabled'" 1259 | win_regedit: 1260 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 1261 | name: "fDisableCcm" 1262 | data: "1" 1263 | type: dword 1264 | 1265 | - name: "18.9.52.3.3.3,CCE-37778-8 | Ensure 'Do not allow LPT port redirection' is set to 'Enabled'" 1266 | win_regedit: 1267 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 1268 | name: "fDisableLPT" 1269 | data: "1" 1270 | type: dword 1271 | 1272 | - name: "18.9.52.3.3.4,CCE-37477-7 | Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'" 1273 | win_regedit: 1274 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 1275 | name: "fDisablePNPRedir" 1276 | data: "1" 1277 | type: dword 1278 | 1279 | - name: "18.9.52.3.10.1,CCE-37562-6 | Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled - 15 minutes or less' [GSA-1 hour or less]" 1280 | win_regedit: 1281 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 1282 | name: "MaxIdleTime" 1283 | data: "3600000" 1284 | type: dword 1285 | 1286 | - name: "18.9.52.3.10.2,CCE-37949-5 | Ensure 'Set time limit for disconnected sessions' is set to 'Enabled - 1 minute' [GSA-8 hours or less]" 1287 | win_regedit: 1288 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Terminal Services 1289 | name: "MaxDisconnectionTime" 1290 | data: "28800000" 1291 | type: dword 
1292 | 1293 | - name: "18.9.59.1,CCE-Null | Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'" 1294 | win_regedit: 1295 | path: HKLM:\Software\Policies\Microsoft\Windows Nt\Currentversion\Software Protection Platform 1296 | name: "NoGenTicket" 1297 | data: "1" 1298 | type: dword 1299 | 1300 | - name: "18.9.61.1,CCE-Null | Ensure 'Disable all apps from Windows Store' is set to 'Enabled'" 1301 | win_regedit: 1302 | path: HKLM:\Software\Policies\Microsoft\Windowsstore 1303 | name: "DisableStoreApps" 1304 | data: "0" 1305 | type: dword 1306 | 1307 | - name: "18.9.61.4,CCE-38363-8 | Ensure 'Turn off the Store application' is set to 'Enabled'" 1308 | win_regedit: 1309 | path: HKLM:\Software\Policies\Microsoft\Windowsstore 1310 | name: "RemoveWindowsStore" 1311 | data: "1" 1312 | type: dword 1313 | 1314 | - name: "18.9.69.8.1,CCE-36950-4 | Ensure 'Configure Watson events' is set to 'Disabled'" 1315 | win_regedit: 1316 | path: HKLM:\Software\Policies\Microsoft\Windows Defender\Reporting 1317 | name: "DisableGenericRePorts" 1318 | data: "1" 1319 | type: dword 1320 | 1321 | - name: "18.9.73.1,CCE-Null | Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'" 1322 | win_regedit: 1323 | path: HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace 1324 | name: "AllowSuggestedAppsInWindowsInkWorkspace" 1325 | data: "0" 1326 | type: dword 1327 | 1328 | - name: "18.9.74.3,CCE-37524-6 | Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'" 1329 | win_regedit: 1330 | path: HKLM:\Software\Policies\Microsoft\Windows\Installer 1331 | name: "SafeForScripting" 1332 | data: "0" 1333 | type: dword 1334 | 1335 | ######### 1336 | ## EOF ## 1337 | ######### 1338 | -------------------------------------------------------------------------------- /tasks/section19.yml: -------------------------------------------------------------------------------- 1 | ########################## 2 | 
########################## 3 | ## CIS LEVEL 1 SETTINGS ## 4 | ########################## 5 | ########################## 6 | 7 | ########################## 8 | ## USER CONFIG SETTINGS ## 9 | ########################## 10 | 11 | - name: "19.1.3.1,CCE-37970-1 | Ensure 'Enable screen saver' is set to 'Enabled'" 12 | win_regedit: 13 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop 14 | name: "ScreenSaveActive" 15 | data: "1" 16 | type: string 17 | 18 | - name: "19.1.3.1,CCE-37970-1 | Ensure 'Enable screen saver' is set to 'Enabled'" 19 | win_regedit: 20 | path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop 21 | name: "ScreenSaveActive" 22 | data: "1" 23 | type: string 24 | 25 | - name: "19.1.3.2,CCE-37907-3 | Ensure 'Force specific screen saver - Screen saver executable name' is set to 'Enabled - scrnsave.scr'" 26 | win_regedit: 27 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop 28 | name: "SCRNSAVE.EXE" 29 | data: "scrnsave.scr" 30 | type: string 31 | 32 | - name: "19.1.3.2,CCE-37907-3 | Ensure 'Force specific screen saver - Screen saver executable name' is set to 'Enabled - scrnsave.scr'" 33 | win_regedit: 34 | path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop 35 | name: "SCRNSAVE.EXE" 36 | data: "scrnsave.scr" 37 | type: string 38 | 39 | - name: "19.1.3.3,CCE-37658-2 | Ensure 'Password protect the screen saver' is set to 'Enabled'" 40 | win_regedit: 41 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop 42 | name: "ScreenSaverIsSecure" 43 | data: "1" 44 | type: string 45 | 46 | - name: "19.1.3.3,CCE-37658-2 | Ensure 'Password protect the screen saver' is set to 'Enabled'" 47 | win_regedit: 48 | path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop 49 | name: "ScreenSaverIsSecure" 50 | data: "1" 51 | type: string 52 | 53 | - name: "19.1.3.4,CCE-37908-1 | Ensure 'Screen saver timeout' is set to 'Enabled - 900 seconds or fewer, 
but not 0'" 54 | win_regedit: 55 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop 56 | name: "ScreenSaveTimeOut" 57 | data: "900" 58 | type: string 59 | 60 | - name: "19.1.3.4,CCE-37908-1 | Ensure 'Screen saver timeout' is set to 'Enabled - 900 seconds or fewer, but not 0'" 61 | win_regedit: 62 | path: HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop 63 | name: "ScreenSaveTimeOut" 64 | data: "900" 65 | type: string 66 | 67 | - name: "19.5.1.1,CCE-36332-5 | Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" 68 | win_regedit: 69 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications 70 | name: "NoToastApplicationNotificationOnLockScreen" 71 | data: "1" 72 | type: dword 73 | 74 | - name: "19.5.1.1,CCE-36332-5 | Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'" 75 | win_regedit: 76 | path: HKCU:\Software\Policies\Microsoft\Windows\Currentversion\Pushnotifications 77 | name: "NoToastApplicationNotificationOnLockScreen" 78 | data: "1" 79 | type: dword 80 | 81 | - name: "19.7.4.1,CCE-37424-9 | Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" 82 | win_regedit: 83 | path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments 84 | name: "SaveZoneInformation" 85 | data: "2" 86 | type: dword 87 | 88 | - name: "19.7.4.1,CCE-37424-9 | Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'" 89 | win_regedit: 90 | path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments 91 | name: "SaveZoneInformation" 92 | data: "2" 93 | type: dword 94 | 95 | - name: "19.7.4.2,CCE-36622-9 | Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" 96 | win_regedit: 97 | path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Attachments 98 | name: "ScanWithAntiVirus" 99 | data: "3" 100 | type: dword 101 | 102 | - name: 
"19.7.4.2,CCE-36622-9 | Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'" 103 | win_regedit: 104 | path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Attachments 105 | name: "ScanWithAntiVirus" 106 | data: "3" 107 | type: dword 108 | 109 | - name: "19.7.7.2,CCE-Null | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" 110 | win_regedit: 111 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent 112 | name: "DisableThirdPartySuggestions" 113 | data: "1" 114 | type: dword 115 | 116 | - name: "19.7.7.2,CCE-Null | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'" 117 | win_regedit: 118 | path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent 119 | name: "DisableThirdPartySuggestions" 120 | data: "1" 121 | type: dword 122 | 123 | - name: "19.7.26.1,CCE-38070-9 | Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'" 124 | win_regedit: 125 | path: HKU:\.DEFAULT\Software\Microsoft\Windows\Currentversion\Policies\Explorer 126 | name: "NoInplaceSharing" 127 | data: "1" 128 | type: dword 129 | 130 | - name: "19.7.26.1,CCE-38070-9 | Ensure 'Prevent users from sharing files within their profile.' 
is set to 'Enabled'" 131 | win_regedit: 132 | path: HKCU:\Software\Microsoft\Windows\Currentversion\Policies\Explorer 133 | name: "NoInplaceSharing" 134 | data: "1" 135 | type: dword 136 | 137 | - name: "19.7.39.1,CCE-37490-0 | Ensure 'Always install with elevated privileges' is set to 'Disabled'" 138 | win_regedit: 139 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\Installer 140 | name: "AlwaysInstallElevated" 141 | data: "0" 142 | type: dword 143 | 144 | - name: "19.7.39.1,CCE-37490-0 | Ensure 'Always install with elevated privileges' is set to 'Disabled'" 145 | win_regedit: 146 | path: HKCU:\Software\Policies\Microsoft\Windows\Installer 147 | name: "AlwaysInstallElevated" 148 | data: "0" 149 | type: dword 150 | 151 | - name: "19.6.5.1.1,CCE-37542-8 | Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" 152 | win_regedit: 153 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Assistance\Client\1.0 154 | name: "NoImplicitFeedback" 155 | data: "1" 156 | type: dword 157 | 158 | - name: "19.6.5.1.1,CCE-37542-8 | Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'" 159 | win_regedit: 160 | path: HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0 161 | name: "NoImplicitFeedback" 162 | data: "1" 163 | type: dword 164 | 165 | - name: "19.7.7.1,CCE-Null | Ensure 'Configure Windows spotlight on Lock Screen' is set to Disabled'" 166 | win_regedit: 167 | path: HKU:\.DEFAULT\Software\Policies\Microsoft\Windows\CloudContent 168 | name: "ConfigureWindowsSpotlight" 169 | data: "2" 170 | type: dword 171 | 172 | - name: "19.7.7.1,CCE-Null | Ensure 'Configure Windows spotlight on Lock Screen' is set to Disabled'" 173 | win_regedit: 174 | path: HKCU:\Software\Policies\Microsoft\Windows\CloudContent 175 | name: "ConfigureWindowsSpotlight" 176 | data: "2" 177 | type: dword 178 | 179 | - name: "19.7.43.2.1,CCE-37445-4 | Ensure 'Prevent Codec Download' is set to 'Enabled'" 180 | win_regedit: 181 | path: 
HKU:\.DEFAULT\Software\Policies\Microsoft\Windowsmediaplayer 182 | name: "PreventCodecDownload" 183 | data: "1" 184 | type: dword 185 | 186 | - name: "19.7.43.2.1,CCE-37445-4 | Ensure 'Prevent Codec Download' is set to 'Enabled'" 187 | win_regedit: 188 | path: HKCU:\Software\Policies\Microsoft\Windowsmediaplayer 189 | name: "PreventCodecDownload" 190 | data: "1" 191 | type: dword 192 | 193 | ######### 194 | ## EOF ## 195 | ######### 196 | --------------------------------------------------------------------------------
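The role writes registry values but does not verify them, and the README defers auditing to Nessus or CIS-CAT. The following PowerShell is an added spot check, not part of the GSA/ISE role: run elevated on the hardened host after the play, it reads a sample of the section 18 and section 19 values above and reports PASS/FAIL per control, checking the stored value type as well as the data (the screen saver controls require REG_SZ, so a REG_DWORD 900 must not pass as "900"). The `$Checks` list, the function names and the exit-code convention are this example's own; the paths, value names and expected data are copied from the tasks. Two caveats the role itself does not state: `HKCU:` is the hive of the account running the script (for Ansible, the WinRM account), and `HKEY_USERS\.DEFAULT` is the hive used by the logon screen and SYSTEM, not the template for new user profiles.

```powershell
# Added example: read-only audit of registry values written by the section18/section19 tasks.
# Not part of the GSA/ISE role. $Checks is a sample of the controls, not the whole benchmark.
# The Registry:: provider path is used for HKEY_USERS so no New-PSDrive is needed.

$Checks = @(
    @{ Id = '18.9.5.1';       Path = 'HKLM:\Software\Policies\Microsoft\Windows\AppPrivacy';                Name = 'LetAppsAccessLocation'; Kind = 'DWord';  Expected = 2 }
    @{ Id = '18.9.41.5';      Path = 'HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main';                Name = 'AllowPopups';           Kind = 'String'; Expected = 'yes' }
    @{ Id = '18.9.52.3.2.1';  Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services';      Name = 'fSingleSessionPerUser'; Kind = 'DWord';  Expected = 1 }
    @{ Id = '18.9.52.3.10.1'; Path = 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services';      Name = 'MaxIdleTime';           Kind = 'DWord';  Expected = 3600000 }
    @{ Id = '18.9.61.4';      Path = 'HKLM:\Software\Policies\Microsoft\WindowsStore';                      Name = 'RemoveWindowsStore';    Kind = 'DWord';  Expected = 1 }
    # Screen saver values are REG_SZ in the benchmark; the type is part of the check.
    @{ Id = '19.1.3.4';       Path = 'Registry::HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\Windows\Control Panel\Desktop'; Name = 'ScreenSaveTimeOut'; Kind = 'String'; Expected = '900' }
    @{ Id = '19.1.3.4';       Path = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop';      Name = 'ScreenSaveTimeOut';     Kind = 'String'; Expected = '900' }
    @{ Id = '19.7.4.1';       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation';   Kind = 'DWord';  Expected = 2 }
    @{ Id = '19.7.39.1';      Path = 'HKCU:\Software\Policies\Microsoft\Windows\Installer';                  Name = 'AlwaysInstallElevated'; Kind = 'DWord';  Expected = 0 }
)

function Get-RegistryValueState {
    # Returns the stored type and data of one value, or a marker when the key or value is absent.
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return @{ Kind = 'MissingKey'; Data = $null } }
    if ($key.GetValueNames() -notcontains $Name) { return @{ Kind = 'MissingValue'; Data = $null } }
    return @{ Kind = $key.GetValueKind($Name).ToString(); Data = $key.GetValue($Name) }
}

function Test-HardeningCheck {
    # Compares type first, then data as strings, so a REG_DWORD 900 fails a REG_SZ "900" check.
    param([hashtable]$Check)
    $state  = Get-RegistryValueState -Path $Check.Path -Name $Check.Name
    $pass   = ($state.Kind -eq $Check.Kind) -and ([string]$state.Data -eq [string]$Check.Expected)
    $status = 'FAIL'
    if ($pass) { $status = 'PASS' }
    [pscustomobject]@{
        Id       = $Check.Id
        Value    = "$($Check.Path)\$($Check.Name)"
        Expected = "$($Check.Kind) $($Check.Expected)"
        Actual   = "$($state.Kind) $($state.Data)"
        Status   = $status
    }
}

$results = $Checks | ForEach-Object { Test-HardeningCheck -Check $_ }
$results | Format-Table -AutoSize

# Non-zero exit code when any control failed, so the script can gate a pipeline stage.
$failed = @($results | Where-Object { $_.Status -eq 'FAIL' }).Count
exit ([int]($failed -gt 0))
```

A missing key and a missing value are reported separately from a wrong value, which tells you whether the play never reached the host or reached it with the wrong data. Extend `$Checks` from the tasks above one control per line; because the check includes the value kind, it also catches a task that was later changed from `type: string` to `type: dword` by mistake.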